Hi Kam,

The first thing I'd do is ensure that you're editing the correct "in use" policy file (/etc/keystone/policy.json, if it's a default devstack install). Secondly, a good test would be to change the actual policy to "!" (deny all). If that still allows anyone but the service token to do the operation, something beyond your specific edits is wrong.

The service token bypasses RBAC, but the admin accounts should not. Beyond editing the correct "in use" policy file, there should not be additional changes necessary to enable them.

Tim

From: "Nasim, Kam" <[email protected]>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <[email protected]>
Date: Tuesday, July 19, 2016 at 11:56 AM
To: "[email protected]" <[email protected]>
Subject: [openstack-dev] [Keystone]: Help needed with RBAC policies

Hi folks,

I have been trying to modify the default RBAC policies in keystone/policy.json; however, my policy changes don't seem to be enforced. As a quick test, I modified the identity:list_users policy to:

    "identity:list_users": "role:kam",

There is no role called "kam" defined in my deployment, so I would have expected this operation to fail. However:

    $ openstack --debug user list
    +----------------------------------+------------+
    | ID                               | Name       |
    +----------------------------------+------------+
    | 3c1bd8c0f6324dcc938900d8eb801aa5 | admin      |
    | 4b76763e375946998445b65b11c8db73 | ceilometer |
    | 15c8e1e463cc4370ad369eaf8504b727 | cinder     |
    | 951068b3372f47ac827ade8f67cc19b4 | glance     |
    | 2b62ced877244e74ba90b546225740d0 | heat       |
    | 438a24497bc8448d9ac63bf05a005796 | kam        |
    | 0b7af941da9b4896959f9258c6b498a0 | kam2       |
    | d1c4f7a244f74892b612b9b2ded6d602 | neutron    |
    | 5c3ea23eb8e14070bc562951bb266073 | sysinv     |
    +----------------------------------+------------+

    $ cat myrc
    unset OS_SERVICE_TOKEN
    export OS_AUTH_URL=http://192.168.204.2:5000/v2.0
    export OS_ENDPOINT_TYPE=publicURL
    export CINDER_ENDPOINT_TYPE=publicURL
    export OS_USERNAME=admin
    export OS_PASSWORD=admin
    export PS1='[\u@\h \W(keystone_admin)]\$ '
    export OS_TENANT_NAME=admin
    export OS_REGION_NAME=RegionOne

After getting the auth token, the client uses the adminURL endpoint to get the user list:

    curl -g -i -X GET http://192.168.204.2:35357/v2.0/users -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}75002edfff1eb6751b3425d9d247ac3212e750f9"

Is there something I am missing here? Some specific configuration to enable RBAC? Do admin URL ops bypass RBAC?

Thanks,
Kam
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
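To make Tim's "deny all" test concrete, here is a small Python model of how a Keystone policy.json rule is evaluated and where the service/admin token bypass sits in front of it. This is an added example for this thread, not code from Keystone or oslo.policy: it implements only the subset of the oslo.policy rule grammar the thread touches ("!", "@", "", "role:X", "rule:Y", "and", "or"), leaves out parentheses and "not", and models the bypass exactly as Tim states it (a request carrying the configured admin token skips policy entirely). The policy in SAMPLE_POLICY_JSON, the ADMIN_TOKEN value, and the function names enforce, authorize and deny_all are all assumptions for illustration. Run it and you can see why "role:kam" with no such role must deny the admin user, why "!" must deny everyone except the bypass token, and therefore why a listing that still succeeds means either the edited file is not the one in use or the request is using the service token.

```python
"""Toy model of Keystone policy.json evaluation (added example, not
Keystone/oslo.policy code). Supports only: "!", "@", "", "role:X",
"rule:Y", "and", "or". Parentheses and "not" are omitted."""
import json

# Constructed sample policy for this example, not a copy of any shipped file.
SAMPLE_POLICY_JSON = """
{
    "admin_required": "role:admin or is_admin:1",
    "default": "rule:admin_required",
    "identity:list_users": "role:kam",
    "identity:get_user": "rule:admin_required",
    "identity:delete_user": "!",
    "identity:list_roles": "@"
}
"""

# Hypothetical value standing in for [DEFAULT] admin_token in keystone.conf.
ADMIN_TOKEN = "ADMIN-TOKEN-EXAMPLE"


def load_policy(text):
    """Parse policy.json text into a dict of rule name -> rule string."""
    return json.loads(text)


def _check(atom, rules, creds, depth):
    """Evaluate one check: 'kind:value', or one of the literals '!', '@', ''."""
    atom = atom.strip()
    if atom in ("@", ""):      # "@" and the empty string both mean: always allow
        return True
    if atom == "!":            # "!" means: always deny
        return False
    kind, _, value = atom.partition(":")
    if kind == "rule":         # reference to another named rule
        return enforce(rules, value, creds, depth + 1)
    if kind == "role":         # role check: the role must be on the token
        return value in creds.get("roles", [])
    # generic check: compare the literal against a credential attribute
    return str(creds.get(kind)) == value


def enforce(rules, action, creds, depth=0):
    """True if creds satisfy the rule for action, else False.

    A missing rule falls back to "default", and to deny if there is none.
    As in oslo.policy, "and" binds tighter than "or".
    """
    if depth > 32:
        raise RecursionError("rule reference loop in policy file")
    rule = rules.get(action, rules.get("default"))
    if rule is None:
        return False
    return any(
        all(_check(atom, rules, creds, depth) for atom in clause.split(" and "))
        for clause in rule.split(" or ")
    )


def authorize(rules, action, token, creds):
    """Model of the admin API entry point: the admin/service token bypasses
    RBAC entirely; any other token is subject to the policy file."""
    if token == ADMIN_TOKEN:
        return True
    return enforce(rules, action, creds)


def deny_all(rules, action):
    """Tim's suggested test: a copy of the policy with action set to "!"."""
    patched = dict(rules)
    patched[action] = "!"
    return patched


if __name__ == "__main__":
    rules = load_policy(SAMPLE_POLICY_JSON)
    admin = {"roles": ["admin"]}
    print("admin, role:kam rule      ->", enforce(rules, "identity:list_users", admin))
    print("admin, deny-all rule      ->", enforce(deny_all(rules, "identity:get_user"),
                                                   "identity:get_user", admin))
    print("service token, deny-all   ->", authorize(deny_all(rules, "identity:get_user"),
                                                     "identity:get_user", ADMIN_TOKEN, admin))
```

If the real deployment still returns the user list after the "!" edit while the rc file has OS_SERVICE_TOKEN unset, the remaining explanation in this model is the first branch of enforce: the rules dict Keystone is actually reading is not the file that was edited.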
