Hi folks, I have been trying to modify the default RBAC policies in keystone/policy.json; however, my policy changes don't seem to be enforced.

As a quick test, I modified the identity:list_users policy to:

    "identity:list_users": "role:kam",

There is no role called "kam" defined in my deployment, so I would have expected this operation to fail. However:

$ openstack --debug user list
+----------------------------------+------------+
| ID                               | Name       |
+----------------------------------+------------+
| 3c1bd8c0f6324dcc938900d8eb801aa5 | admin      |
| 4b76763e375946998445b65b11c8db73 | ceilometer |
| 15c8e1e463cc4370ad369eaf8504b727 | cinder     |
| 951068b3372f47ac827ade8f67cc19b4 | glance     |
| 2b62ced877244e74ba90b546225740d0 | heat       |
| 438a24497bc8448d9ac63bf05a005796 | kam        |
| 0b7af941da9b4896959f9258c6b498a0 | kam2       |
| d1c4f7a244f74892b612b9b2ded6d602 | neutron    |
| 5c3ea23eb8e14070bc562951bb266073 | sysinv     |
+----------------------------------+------------+

$ cat myrc
unset OS_SERVICE_TOKEN
export OS_AUTH_URL=http://192.168.204.2:5000/v2.0
export OS_ENDPOINT_TYPE=publicURL
export CINDER_ENDPOINT_TYPE=publicURL
export OS_USERNAME=admin
export OS_PASSWORD=admin
export PS1='[\u@\h \W(keystone_admin)]\$ '
export OS_TENANT_NAME=admin
export OS_REGION_NAME=RegionOne

After getting the auth token, the client uses the adminURL endpoint to get the user list:

curl -g -i -X GET http://192.168.204.2:35357/v2.0/users -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}75002edfff1eb6751b3425d9d247ac3212e750f9"

Is there something I am missing here? Some specific configuration to enable RBAC? Do admin URL ops bypass RBAC?

Thanks,
Kam
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
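To make the expected decision for the modified rule concrete, here is a constructed, simplified evaluator for the policy.json rule language (role:X, rule:Y, is_admin:1, "and"/"or"). It is an added example, not code from the original post or from Keystone/oslo.policy; the policy file contents and credential dictionaries are constructed, and it shows what "identity:list_users": "role:kam" should decide for a token that only carries the admin role.

```python
"""Toy evaluator for Keystone-style policy.json rules (added example).

A deliberately simplified re-implementation of the rule language used
in policy.json: 'role:X', 'rule:Y', generic 'key:value' terms such as
'is_admin:1', combined with 'and' and 'or'. Not the real oslo.policy.
"""
import json

# Constructed policy file: the poster's modified rule plus two common entries.
POLICY_JSON = json.dumps({
    "admin_required": "role:admin or is_admin:1",
    "identity:list_users": "role:kam",
    "identity:get_user": "rule:admin_required",
})


def _check_atom(atom, creds, rules):
    """Evaluate one 'kind:match' term against the token credentials."""
    kind, _, match = atom.partition(":")
    if kind == "rule":
        # Indirection to another named rule in the same policy file.
        return _check_expr(rules[match], creds, rules)
    if kind == "role":
        return match in creds.get("roles", [])
    # Generic comparison of a credential attribute, e.g. is_admin:1.
    return str(creds.get(kind)) == match


def _check_expr(expr, creds, rules):
    """'or' binds weaker than 'and'; '' or '@' always allow, '!' denies."""
    expr = expr.strip()
    if expr in ("", "@"):
        return True
    if expr == "!":
        return False
    return any(all(_check_atom(a.strip(), creds, rules) for a in conj.split(" and "))
               for conj in expr.split(" or "))


def enforce(policy_text, action, creds):
    """Return True if creds satisfy the rule registered for action."""
    rules = json.loads(policy_text)
    return _check_expr(rules[action], creds, rules)


if __name__ == "__main__":
    # Constructed credentials for an admin-scoped token (no "kam" role).
    admin_creds = {"roles": ["admin"], "is_admin": 0}
    print(enforce(POLICY_JSON, "identity:list_users", admin_creds))  # False
    print(enforce(POLICY_JSON, "identity:get_user", admin_creds))    # True
```

Running the same rule against a real deployment's credentials and comparing with the observed API result is a quick way to separate "the rule is written wrong" from "the rule is not being consulted".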