Heiko --
Guang's response provides the hint that could get you where you want to go
-- try using the V3 Identity API rather than the V2 admin API. The V2 admin
API essentially ignores policy and only allows the admin role. Here are the docs on
the V3 API:
https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md.
The openstack client may provide a CLI for the commands you want to
run.
-- Brant
On Fri, Jun 7, 2013 at 3:07 AM, Heiko Krämer i...@honeybutcher.de wrote:
Hi Guang,
thx for your hint but that's not the reason because in your example all
users with the KeystoneAdmin role have the same rights as the admin and
that's useless.
@Adam so I've no chance to get the policy management working? I can't say
the KeystoneAdmin role is only allowed to create and delete users and
nothing more?
I saw a MySQL-based policy management instead of the file, but there are no CLI
commands available, right?
Thx and Greetings
Heiko
On 07.06.2013 07:59, Yee, Guang wrote:
I think keystone client is still V2 by default, which is enforcing
admin_required.
Try this
"admin_required": [["role:KeystoneAdmin"], ["role:admin"], ["is_admin:1"]],
Guang
From: Openstack [mailto:openstack-bounces+guang.yee=hp@lists.launchpad.net] On Behalf Of Adam Young
Sent: Thursday, June 06, 2013 7:28 PM
To: Heiko Krämer; openstack
Subject: Re: [Openstack] [Keystone] Policy settings not working correctly
What is the actual question here? Is it why is this failing or why
was it done that way?
On 06/04/2013 07:47 AM, Heiko Krämer wrote:
Heyho guys :)
I've a little problem with policy settings in keystone. I've created a new
rule in my policy file and restarted keystone, but in keystone I don't have
privileges.
What is the rule?
Example:
keystone user-create --name kadmin --pw lala
keystone user-role-add --
keystone role-list --user kadmin --role KeystoneAdmin --tenant admin
+----------------------------------+----------------------+
| id                               | name                 |
+----------------------------------+----------------------+
| 3f5c0af585db46aeaec49da28900de28 | KeystoneAdmin        |
| dccfed0bd790420bbf1982686cbf7e31 | KeystoneServiceAdmin |
+----------------------------------+----------------------+
cat /etc/keystone/policy.json
{
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "owner": [["user_id:%(user_id)s"]],
    "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
    "admin_or_kadmin": [["rule:admin_required"], ["role:KeystoneAdmin"]],
    "default": [["rule:admin_required"]],
    [...]
    "identity:list_users": [["rule:admin_or_kadmin"]],
    [...]
}
loading kadmin creds
keystone user-list
Unable to communicate with identity service: {"error": {"message": "You
are not authorized to perform the requested action: admin_required",
"code": 403, "title": "Not Authorized"}}. (HTTP 403)
In the log file I see:
DEBUG [keystone.policy.backends.rules] enforce admin_required:
{'tenant_id': u'b33bf3927d4e449a98cec4a883148110', 'user_id':
u'46a6a9e429db483f8346f0259e99d6a5', u'roles': [u'KeystoneAdmin']}
Why does keystone enforce the *admin_required* rule instead of the defined
rule (*admin_or_kadmin*)?
Historical reasons. We are trying to clean this up.
Keystone conf:
[...]
# Path to your policy definition containing identity actions
policy_file = policy.json
[...]
[policy]
driver = keystone.policy.backends.rules.Policy
Anyone have an idea?
Thx and greetings
Heiko
___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
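To make the behaviour in this thread concrete, here is an added example (not Keystone's own code, and not posted by anyone in the thread): a minimal Python evaluator for the old list-of-lists policy.json format, run over Heiko's rules and the credentials from his debug log. It shows that `identity:list_users` passes for the KeystoneAdmin user under `admin_or_kadmin`, that a direct `admin_required` check (what the V2 admin API enforces, per Brant) fails with exactly these creds, and that Guang's widened `admin_required` makes every action that falls through to `default` pass too, which is Heiko's objection. `identity:delete_user` is used only as an action not listed in the constructed policy.

```python
# Constructed policy: Heiko's rules with their JSON quotes restored.
POLICY = {
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "owner": [["user_id:%(user_id)s"]],
    "admin_or_owner": [["rule:admin_required"], ["rule:owner"]],
    "admin_or_kadmin": [["rule:admin_required"], ["role:KeystoneAdmin"]],
    "default": [["rule:admin_required"]],
    "identity:list_users": [["rule:admin_or_kadmin"]],
}

# Guang's suggestion: widen admin_required itself to include KeystoneAdmin.
POLICY_GUANG = dict(POLICY, admin_required=[["role:KeystoneAdmin"], ["role:admin"], ["is_admin:1"]])

# Credentials as they appear in Heiko's "enforce admin_required" debug log line.
KADMIN_CREDS = {
    "tenant_id": "b33bf3927d4e449a98cec4a883148110",
    "user_id": "46a6a9e429db483f8346f0259e99d6a5",
    "roles": ["KeystoneAdmin"],
}


def _check(atom, policy, creds, target):
    """Evaluate one 'kind:match' atom against the caller's credentials."""
    kind, match = atom.split(":", 1)
    try:
        match = match % target          # expand %(user_id)s-style references
    except KeyError:                    # target lacks the attribute: no match
        return False
    if kind == "rule":                  # reference to another named rule
        return enforce(match, policy, creds, target)
    if kind == "role":                  # any of the caller's roles may match
        return match in creds.get("roles", [])
    # Generic attribute check (is_admin, user_id, ...), compared as strings.
    return str(creds.get(kind)) == match


def enforce(action, policy, creds, target=None):
    """Outer list is OR, inner list is AND; unknown actions fall back to 'default'."""
    target = target if target is not None else {}
    rule = policy.get(action, policy.get("default", []))
    return any(all(_check(a, policy, creds, target) for a in conj) for conj in rule)


if __name__ == "__main__":
    print("identity:list_users via admin_or_kadmin:", enforce("identity:list_users", POLICY, KADMIN_CREDS))
    print("admin_required (what the V2 admin API checks):", enforce("admin_required", POLICY, KADMIN_CREDS))
    print("unlisted action under Guang's admin_required:", enforce("identity:delete_user", POLICY_GUANG, KADMIN_CREDS))
```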