Re: [Openstack] [Keystone] Policy settings not working correctly

2013-06-07 Thread Brant Knudson
Heiko --

Guang's response provides the hint that could get you where you want to go
-- try using the V3 Identity API rather than the V2 admin API. The V2 admin
API essentially ignores policy and only allows the admin role. Here are the
docs on the V3 API:
https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md.
The openstack client may provide a CLI for the commands you want to
run.

-- Brant



On Fri, Jun 7, 2013 at 3:07 AM, Heiko Krämer i...@honeybutcher.de wrote:

  Hi Guang,

 thanks for your hint, but that's not the reason, because in your example all
 users with the KeystoneAdmin role have the same rights as the admin, and
 that's useless.

 @Adam: so I've no chance to get the policy management working? I can't say
 the KeystoneAdmin role is only allowed to create and delete users and
 nothing more?
 I saw, instead of the file, a MySQL-based policy management, but there are
 no CLI commands available, right?


 Thx and Greetings
 Heiko


 On 07.06.2013 07:59, Yee, Guang wrote:

  I think keystone client is still V2 by default, which is enforcing
 admin_required.

 Try this

 "admin_required": [["role:KeystoneAdmin"], ["role:admin"], ["is_admin:1"]],

 Guang


 *From:* Openstack [mailto:openstack-bounces+guang.yee=hp@lists.launchpad.net]
 *On Behalf Of* Adam Young
 *Sent:* Thursday, June 06, 2013 7:28 PM
 *To:* Heiko Krämer; openstack
 *Subject:* Re: [Openstack] [Keystone] Policy settings not working
 correctly


 What is the actual question here?  Is it "why is this failing" or "why
 was it done that way"?


 On 06/04/2013 07:47 AM, Heiko Krämer wrote:

 Heyho guys :)

 I've a little problem with policy settings in keystone. I've created a new
 rule in my policy file and restarted keystone, but in keystone I don't have
 privileges.


 What is the rule?

 


 Example:


 keystone user-create --name kadmin --pw lala
 keystone user-role-add --

 keystone role-list --user kadmin --role KeystoneAdmin --tenant admin

 +----------------------------------+----------------------+
 |                id                |         name         |
 +----------------------------------+----------------------+
 | 3f5c0af585db46aeaec49da28900de28 |    KeystoneAdmin     |
 | dccfed0bd790420bbf1982686cbf7e31 | KeystoneServiceAdmin |
 +----------------------------------+----------------------+


 cat /etc/keystone/policy.json

 {
     "admin_required": [["role:admin"], ["is_admin:1"]],
     "owner": [["user_id:%(user_id)s"]],
     "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
     "admin_or_kadmin": [["rule:admin_required"], ["role:KeystoneAdmin"]],

     "default": [["rule:admin_required"]],
     [...]
     "identity:list_users": [["rule:admin_or_kadmin"]],
     [...]

 loading kadmin creds

 keystone user-list
 Unable to communicate with identity service: {"error": {"message": "You
 are not authorized to perform the requested action: admin_required",
 "code": 403, "title": "Not Authorized"}}. (HTTP 403)


 In log file i see:
 DEBUG [keystone.policy.backends.rules] enforce admin_required:
 {'tenant_id': u'b33bf3927d4e449a98cec4a883148110', 'user_id':
 u'46a6a9e429db483f8346f0259e99d6a5', u'roles': [u'KeystoneAdmin']}




 Why does keystone enforce *admin_required* rule instead of the defined
 rule (*admin_or_kadmin*).


 Historical reasons.  We are trying to clean this up.


 




 Keystone conf:
 [...]

 # Path to your policy definition containing identity actions
 policy_file = policy.json
 [...]
 [policy]
 driver = keystone.policy.backends.rules.Policy




 Anyone have an idea?

 Thx and greetings
 Heiko




 



___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp

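The rule grammar argued over in the thread above, worked through as an added example (this is not Keystone's own policy engine and not code from any of the posters): a small Python evaluator for the list-of-lists policy.json syntax, loaded with Heiko's policy entries and the credentials from his DEBUG log line. Running it shows the two outcomes the thread contrasts: the identity:list_users rule does allow kadmin, while the admin_required rule that the V2 admin API enforced directly does not, which is the HTTP 403 he saw. Assumed for the example, not taken from the page: the string comparison after %(attr)s substitution, the treatment of empty lists and missing rule names, the ADMIN_CREDS record and the MAX_DEPTH loop guard.

```python
"""Offline evaluator for the Keystone policy.json rule syntax from the thread.

Added example: a re-implementation for checking a policy file on a
workstation, not Keystone's keystone.policy.backends.rules driver.  It follows
the list-of-lists grammar that driver accepted at the time: the outer list is
OR-ed, each inner list is AND-ed, and a leaf is "kind:match" where kind is
"rule" (another named rule), "role" (membership in creds["roles"]) or any
credential key, compared as a string after %(attr)s substitution from the
target.  Assumptions of this model: an empty outer list allows everything,
empty inner lists are ignored, and a "rule:" reference to a missing name is
False.
"""

# Heiko's policy with the JSON quoting restored.  The "[...]" entries of his
# file are not on the page, so only the rules shown in the thread are here.
POLICY = {
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "owner": [["user_id:%(user_id)s"]],
    "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
    "admin_or_kadmin": [["rule:admin_required"], ["role:KeystoneAdmin"]],
    "default": [["rule:admin_required"]],
    "identity:list_users": [["rule:admin_or_kadmin"]],
}

# The credentials the DEBUG log line in the thread shows for kadmin.
KADMIN_CREDS = {
    "tenant_id": "b33bf3927d4e449a98cec4a883148110",
    "user_id": "46a6a9e429db483f8346f0259e99d6a5",
    "roles": ["KeystoneAdmin"],
}

# Constructed credentials for a user holding the real admin role.
ADMIN_CREDS = {"user_id": "0000admin", "roles": ["admin"]}

MAX_DEPTH = 16  # stop "rule:a" -> "rule:b" -> "rule:a" reference loops


def _leaf(leaf, target, creds, policy, depth):
    """Evaluate one "kind:match" leaf check."""
    kind, sep, match = leaf.partition(":")
    if not sep:
        raise ValueError("malformed policy check: %r" % leaf)
    if kind == "rule":
        if match not in policy:
            return False
        return _rules(policy[match], target, creds, policy, depth + 1)
    if kind == "role":
        return match in creds.get("roles", [])
    # Generic check, e.g. "is_admin:1" or "user_id:%(user_id)s".
    try:
        match = match % target
    except KeyError:
        return False  # the target lacks the attribute the rule refers to
    return kind in creds and match == str(creds[kind])


def _rules(rules, target, creds, policy, depth):
    """OR over the outer list, AND within each inner list."""
    if depth > MAX_DEPTH:
        raise RecursionError("policy rule reference loop")
    if not rules:
        return True
    conjunctions = [[c] if isinstance(c, str) else c for c in rules]
    conjunctions = [c for c in conjunctions if c]  # elide empty inner lists
    if not conjunctions:
        return False
    return any(all(_leaf(leaf, target, creds, policy, depth) for leaf in conj)
               for conj in conjunctions)


def enforce(action, target, creds, policy=POLICY):
    """True if creds may perform action on target; unknown actions use "default"."""
    rules = policy.get(action, policy.get("default"))
    if rules is None:
        return False
    return _rules(rules, target, creds, policy, 0)


if __name__ == "__main__":
    target = {"user_id": KADMIN_CREDS["user_id"]}
    # What the policy file grants kadmin for the action he called:
    print("identity:list_users ->", enforce("identity:list_users", target, KADMIN_CREDS))
    # What the V2 admin API enforced instead, per Brant's reply: the
    # admin_required rule itself, hence the HTTP 403.
    print("admin_required      ->", enforce("admin_required", target, KADMIN_CREDS))
```

Feeding the evaluator a policy file before restarting keystone is cheaper than reading the DEBUG log afterwards; the loop guard matters because a typo such as "admin_or_kadmin" referring back to itself would otherwise recurse until the interpreter gives up.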

Re: [Openstack] PAM authentication for Folsom Keystone

2013-03-01 Thread Brant Knudson
I tried setting up httpd fronting keystone but wasn't able to figure out
how to get it to work. I configured Apache to require LDAP authentication
for keystone tokens. One problem is that keystone clients today aren't
doing HTTP basic authentication. E.g., if you run nova --os-username=admin
--os-password=whatever list, it doesn't do HTTP basic auth; it does
keystone auth, where it sends the username/password in the POST data.

Here's the Apache config file that I tried to use for keystone token auth,
in case anyone finds it interesting (note that it worked as far as being
able to get a token using curl):

---

Listen 35357

<VirtualHost *:35357>
  WSGIScriptAlias / /opt/stack/keystone/httpd/admin
  <Location /v2.0/tokens>
    AuthType Basic
    AuthName OpenStack
    AuthBasicProvider ldap
    AuthLDAPURL ldap://localhost/ou=Users,ou=OpenStack,dc=openstack,dc=org?cn?one
    Require valid-user
  </Location>
</VirtualHost>

Listen 5000

<VirtualHost *:5000>
  WSGIScriptAlias / /opt/stack/keystone/httpd/main
  <Location /v2.0/tokens>
    AuthType Basic
    AuthName OpenStack
    AuthBasicProvider ldap
    AuthLDAPURL ldap://localhost/ou=Users,ou=OpenStack,dc=openstack,dc=org?cn?one
    Require valid-user
  </Location>
</VirtualHost>

---

I think a problem with this config is that it should require basic auth
only when doing a POST /v2.0/tokens request, and not require auth for GET.

Here's the curl command to get a token, which worked with this config:

$ curl --user admin:adminpwd \
  -H "Content-Type: application/json" \
  -d '{"auth": {}}' \
  http://localhost:35357/v2.0/tokens


On Thu, Feb 28, 2013 at 2:25 AM, Alvaro Lopez al...@ifca.unican.es wrote:

 On Tue 26 Feb 2013 (13:41), Joshua wrote:
  Matt, at this point I am just trying to log into keystone using users I
  created on the Unix system.

 You mean authenticate against keystone using your system users?

 You should be able to do so by running keystone as a WSGI application
 behind an Apache HTTP server that performs the authentication (PAM in this
 case, but it can be any auth method supported by Apache) and then using
 the external authentication method [1].

 [1]
 http://docs.openstack.org/developer/keystone/external-auth.html#using-httpd-authentication

 Regards,
 --
 Álvaro López García  al...@ifca.unican.es
 Instituto de Física de Cantabria http://devel.ifca.es/~aloga/
 Ed. Juan Jordá, Campus UC  tel: (+34) 942 200 969
 Avda. de los Castros s/n
 39005 Santander (SPAIN)
 _
 Premature optimization is the root of all evil (or at least most of it)
  in programming. -- Donald Knuth




___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp