Apparently forgot to mention this is on Kilo (ubuntu cloudarchive packaged version which is still 2015.1.0)
On Tue, Aug 25, 2015 at 12:00 AM, Steve Martinelli <[email protected]> wrote:
> Right, v2 and policy don't mix : (

Ah yes! That gets me much further. After discovering I also needed to add 'list_roles' I'm getting:

2015-08-25 14:30:52.659 12798 TRACE keystone.common.wsgi RuntimeError: maximum recursion depth exceeded

when running as the 'project_admin'. This seems to be during the 'list_roles' call, as I get the same error trying to list roles, though not as admin, so I'm pretty sure it's now my logic that's off. Also 'openstack role list' as admin works; as project_admin it generates a similar error to the 'openstack role add --user jon-test --project test-group _member_'.

Fresh grep of related policy:

"project_admin": "project_id:%(project_id)s and role:project_admin",
"admin_or_proj_admin": "rule:admin_required or rule:admin_or_proj_admin",
"identity:get_project": "rule:admin_or_proj_admin",
"identity:update_project": "rule:admin_or_proj_admin",
"identity:get_user": "rule:admin_or_proj_admin",
"identity:get_role": "rule:admin_or_proj_admin",
"identity:list_roles": "rule:admin_or_proj_admin",
"identity:create_grant": "rule:admin_or_proj_admin",
"identity:revoke_grant": "rule:admin_or_proj_admin",
"identity:list_role_assignments": "rule:admin_or_proj_admin",

Full debug log of the failed call from the keystone server: http://paste.openstack.org/show/427313/

Thanks,
-Jon

> The controller goes right to checking for admin-ness:
> https://github.com/openstack/keystone/blob/master/keystone/assignment/controllers.py#L144-L161
> Whereas in v3, it actually checks the policy.json file:
> https://github.com/openstack/keystone/blob/master/keystone/assignment/controllers.py#L387-L396
>
> Use openstackclient with v3 settings, example env. vars here:
> http://docs.openstack.org/developer/python-openstackclient/authentication.html#authenticating-using-identity-server-api-v3
>
> and try `openstack role add _member --user jon-test --project test-group`
> it should work.
>
> Thanks,
>
> Steve Martinelli
> OpenStack Keystone Core
>
> From: Morgan Fainberg <[email protected]>
> To: Jonathan Proulx <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Date: 2015/08/24 10:49 PM
> Subject: Re: [Openstack] Keystone policy to allow project_admins to add (existing) users to their projects
> ------------------------------
>
> The policy file is not really used for v2 keystone. There are very limited things that can be done with v2 and policy.
>
> Please also note that the keystoneclient cli only supports v2 (and is deprecated in favor of the common openstack client).
>
> Other than those two points Steve's email is spot on.
>
> Cheers,
> Morgan
>
> Sent via mobile
>
>
> On Aug 24, 2015, at 13:41, Jonathan Proulx <[email protected]> wrote:
> >
> > Hi,
> >
> > I want to create a 'project_admin' role with the ability to add and
> > remove existing users from the project in which one has this role.
> > But it's not working as I thought.
> > Here's what I tried in policy.json
> > (note #comments are not in the json file):
> >
> > # set up the rules
> > "project_admin": "project_id:%(project_id)s and role:project_admin",
> > "admin_or_proj_admin": "rule:admin_required or rule:admin_or_proj_admin",
> > # grant role to some things that were previously rule:admin_required
> > "identity:get_project": "rule:admin_or_proj_admin",
> > "identity:update_project": "rule:admin_or_proj_admin",
> > "identity:get_user": "rule:admin_or_proj_admin",
> > "identity:get_role": "rule:admin_or_proj_admin",
> > "identity:create_grant": "rule:admin_or_proj_admin",
> > "identity:revoke_grant": "rule:admin_or_proj_admin",
> > "identity:list_role_assignments": "rule:admin_or_proj_admin",
> >
> > I'd started off with a smaller set (just the create_grant and
> > revoke_grant) but added more access due to failures, but still not
> > working.
> >
> > what I did:
> >
> > restarted keystone after editing policy.json (is this required?)
> >
> > # as admin user
> > keystone user-role-add --user jon --role project_admin --tenant test-group
> >
> > # as user 'jon'
> > keystone --debug --os-tenant-name test-group user-role-add --user jon-test --role _member_ --tenant test-group
> > DEBUG:keystoneclient.auth.identity.v2:Making authentication request to https://keystone:5001/v2.0/tokens
> > INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone
> > DEBUG:urllib3.connectionpool:Setting read timeout to 600.0
> > DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 4915
> > DEBUG:keystoneclient.session:REQ: curl -i -X GET https://keystone:35358/v2.0/users/jon-test -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: <redacted>"
> > INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone
> > DEBUG:urllib3.connectionpool:Setting read timeout to 600.0
> > DEBUG:urllib3.connectionpool:"GET /v2.0/users/jon-test HTTP/1.1" 403 131
> > DEBUG:keystoneclient.session:RESP:
> >
> > DEBUG:keystoneclient.session:Request returned failure status: 403
> > You are not authorized to perform the requested action: admin_required (HTTP 403)
> >
> > am I tweaking the wrong rules or is something deeper in my way?
> >
> > Thanks,
> > -Jon
> >
> > _______________________________________________
> > Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> > Post to : [email protected]
> > Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : [email protected] Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
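The rule set posted in the thread defines admin_or_proj_admin in terms of itself ("rule:admin_required or rule:admin_or_proj_admin"), which is what produces the "maximum recursion depth exceeded" trace for a project_admin token while an admin token keeps working: "or" short-circuits on rule:admin_required before the self-reference is ever expanded. What follows is an added example, not keystone or oslo.policy code: a small evaluator modelled on oslo.policy's rule language that finds rule cycles statically, reproduces the failure on the posted rules, and checks a corrected rule set in which the right-hand side names rule:project_admin instead. The admin_required definition, the credential and target dicts, and the correction itself are assumptions made for illustration.

```python
"""Minimal oslo.policy-style rule evaluator (added example, not keystone or
oslo.policy code).  It models only what the thread's rules use: "or" of
"and" of atoms, with rule:, role: and the generic "key:%(target_key)s" check."""
import re

# Rule set as posted in the thread.  admin_required is assumed to be
# keystone's stock definition; the others are the rules from the thread.
BROKEN_POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "project_admin": "project_id:%(project_id)s and role:project_admin",
    # Self-reference: the right-hand side names the rule being defined.
    "admin_or_proj_admin": "rule:admin_required or rule:admin_or_proj_admin",
    "identity:create_grant": "rule:admin_or_proj_admin",
    "identity:revoke_grant": "rule:admin_or_proj_admin",
    "identity:list_roles": "rule:admin_or_proj_admin",
}

# The same rule set with the self-reference replaced by the rule that was meant
# (assumed correction, not taken from the thread).
FIXED_POLICY = dict(BROKEN_POLICY,
                    admin_or_proj_admin="rule:admin_required or rule:project_admin")


class RuleRecursionError(RuntimeError):
    """A rule: reference led back to a rule that is already being expanded."""


def _atom(atom, policy, creds, target, stack):
    kind, _, match = atom.strip().partition(":")
    if kind == "rule":
        return enforce(policy, match, creds, target, stack)
    if kind == "role":
        return match in creds.get("roles", ())
    # Generic check: fill the right side from the target and compare it with the
    # credential field named on the left.  A target key that is absent denies.
    try:
        expected = match % target
    except KeyError:
        return False
    return kind in creds and str(creds[kind]) == expected


def enforce(policy, rule_name, creds, target, _stack=()):
    """Evaluate policy[rule_name]; raise RuleRecursionError on a rule cycle."""
    if rule_name in _stack:
        raise RuleRecursionError(" -> ".join(_stack + (rule_name,)))
    expr = policy.get(rule_name)
    if expr is None:
        return False  # no "default" rule modelled: an unknown rule denies
    stack = _stack + (rule_name,)
    # "or" and "and" both short-circuit.  That is why an admin token never
    # reaches the self-reference: the left side, rule:admin_required, is true.
    return any(all(_atom(a, policy, creds, target, stack) for a in clause.split(" and "))
               for clause in expr.split(" or "))


def find_rule_cycles(policy):
    """Static check: names of rules that reach themselves through rule: references."""
    refs = {name: re.findall(r"rule:(\S+)", expr) for name, expr in policy.items()}

    def reaches(start, node, seen):
        return any(nxt == start or (nxt not in seen and reaches(start, nxt, seen | {nxt}))
                   for nxt in refs.get(node, ()))

    return sorted(name for name in policy if reaches(name, name, {name}))


if __name__ == "__main__":
    # Constructed credentials and target, standing in for a scoped token and
    # the project named in the grant URL.
    target = {"project_id": "test-group"}
    admin = {"roles": ["admin"], "project_id": "admin-project"}
    proj_admin = {"roles": ["project_admin"], "project_id": "test-group"}
    print("rule cycles:", find_rule_cycles(BROKEN_POLICY))
    print("admin, broken policy:", enforce(BROKEN_POLICY, "identity:create_grant", admin, target))
    try:
        enforce(BROKEN_POLICY, "identity:create_grant", proj_admin, target)
    except RuleRecursionError as exc:
        print("project_admin, broken policy:", exc)
    print("project_admin, fixed policy:",
          enforce(FIXED_POLICY, "identity:create_grant", proj_admin, target))
    print("project_admin on another project, fixed policy:",
          enforce(FIXED_POLICY, "identity:create_grant", proj_admin, {"project_id": "other"}))
```

Running find_rule_cycles over a policy.json before restarting keystone catches this class of mistake without needing a token of each role to try it; the evaluator also shows that the project_admin rule only grants access when the token's project_id matches the project in the request target, and denies when the target carries no project_id at all.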
