I've just read

http://developer.openstack.org/api-ref/identity/v3-ext/inherit.html

and I think I understand it, but can't put it into practice. I have a user with a role on a domain, and a project in that domain, but I see no evidence that the role assignment is inherited by the project. Am I missing some extra 'enable inheritance' config? Or does inheritance explicitly not work for the 'default' project?

I'm running OpenStack Liberty; my entire workflow is attached below. Hopefully there's an obvious mistake!

Thank you!

-Andrew



$ export OS_USERNAME="novaadmin"
$ export OS_PROJECT_DOMAIN_ID="default"
$ export OS_USER_DOMAIN_ID="default"
$ export OS_PASSWORD="<redacted>"
$ export OS_AUTH_URL="http://<redacted>:35357/v3"
$ export OS_REGION_NAME="codfw"
$ export OS_NO_CACHE=1
$ export OS_IDENTITY_API_VERSION=3

$ curl $OS_AUTH_URL
{"version": {"status": "stable", "updated": "2015-03-30T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.4", "links": [{"href": "http://labtestcontrol2001.wikimedia.org:35357/v3/", "rel": "self"}]}}

$ # Conclusion: running Keystone API 3.4

$ openstack project show emptytestproject
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 23c3fe708cb44c4db3144c3763b2c96c |
| is_domain   | False                            |
| name        | emptytestproject                 |
| parent_id   | None                             |
+-------------+----------------------------------+

$ openstack domain list
+---------+---------+---------+----------------------------------------------------------------------+
| ID      | Name    | Enabled | Description                                                          |
+---------+---------+---------+----------------------------------------------------------------------+
| default | Default | True    | Owns users and tenants (i.e. projects) available on Identity API v2. |
+---------+---------+---------+----------------------------------------------------------------------+

$ # Conclusion: 'emptytestproject' is in domain 'default.'

$ openstack role assignment list --domain default --user novaadmin
+----------------------------------+-----------+-------+---------+---------+-----------+
| Role                             | User      | Group | Project | Domain  | Inherited |
+----------------------------------+-----------+-------+---------+---------+-----------+
| 8284c7e1155a464c818cf1eacf008c23 | novaadmin |       |         | default | False     |
| cb17fb40e2ef4cdd99956cd771b1799a | novaadmin |       |         | default | False     |
+----------------------------------+-----------+-------+---------+---------+-----------+

$ openstack role list
+----------------------------------+--------------+
| ID                               | Name         |
+----------------------------------+--------------+
| 8284c7e1155a464c818cf1eacf008c23 | user         |
| 8e86568d85984eda8ff44532f99e9304 | admin        |
| cb17fb40e2ef4cdd99956cd771b1799a | projectadmin |
| eb3fb807ab684f3d9fa77eed65bc0817 | glanceadmin  |
+----------------------------------+--------------+

$ # Conclusion: user 'novaadmin' has roles 'projectadmin' and 'user' on domain 'default.'

$ # expected: user 'novaadmin' should have those two inherited roles in 'emptytestproject'

$ openstack role assignment list --project emptytestproject --user novaadmin

$ # nope, no roles.

$ # expected: user 'novaadmin' should be able to list servers in emptytestproject

$ OS_TENANT_NAME=emptytestproject openstack server list
The request you have made requires authentication. (HTTP 401) (Request-ID: req-5b173b30-1cdc-4d30-b1d1-41558dd0cd26)

$ # nope!



$ # ==================================================================
$ # policy doublecheck
$ # ==================================================================

$ openstack role assignment list --project labtestproject --user novaadmin
+----------------------------------+-----------+-------+----------------+--------+-----------+
| Role                             | User      | Group | Project        | Domain | Inherited |
+----------------------------------+-----------+-------+----------------+--------+-----------+
| 8284c7e1155a464c818cf1eacf008c23 | novaadmin |       | labtestproject |        | False     |
| cb17fb40e2ef4cdd99956cd771b1799a | novaadmin |       | labtestproject |        | False     |
+----------------------------------+-----------+-------+----------------+--------+-----------+

$ OS_TENANT_NAME=labtestproject openstack server list
+--------------------------------------+-------------------+---------+---------------------------------+
| ID                                   | Name              | Status  | Networks                        |
+--------------------------------------+-------------------+---------+---------------------------------+
| dd3dd963-c78f-4c68-801a-6bdada4b2c35 | puppetless        | SHUTOFF | public=10.196.16.71             |
| 12d4fe67-7da2-4c28-8c33-bff64b06bff5 | eightpointfive    | SHUTOFF | public=10.196.16.70             |
| 932b8e24-e3ac-44ed-a0a5-035ab3c69869 | rnds-test-104     | SHUTOFF | public=10.196.16.40             |
| 991ba7b0-0b1a-4843-ba85-4a5ae5f72ce6 | spice-test-101    | SHUTOFF | public=10.196.16.17             |
| 93139bfd-51f6-4796-b3ec-0ac971f1d24e | libvirt-test-101  | SHUTOFF | public=10.196.16.16             |
| 1d28d0e3-8dea-4cce-9bd4-a999a43ebea3 | network-tests-101 | SHUTOFF | public=10.196.16.2, 10.196.17.1 |
+--------------------------------------+-------------------+---------+---------------------------------+

$ # Yep, policy allows user with projectadmin role to list servers.

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
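The point the post's "Inherited = False" column turns on is that, in the Keystone v3 OS-INHERIT extension, a domain-level role assignment is only propagated to the domain's projects when it was created as inheritable (PUT on `/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}/roles/{role_id}/inherited_to_projects`; in OpenStackClient, `openstack role add --domain default --user novaadmin --inherited projectadmin`, with `openstack role assignment list --effective` showing the result). A plain domain assignment is domain scope only. The model below is an added example, not Keystone's or OpenStackClient's code and not part of the post: it evaluates which assignments are effective on a project under those rules, and builds the OS-INHERIT URL. The role and project IDs are the ones in the post; `novaadmin` is used in place of the user ID, the inherited flags are set per scenario, and the `projects`/`parent_id` handling for subprojects is an assumption about hierarchical projects rather than something the post exercises.

```python
# Added illustration of Keystone v3 role-assignment scoping (not Keystone code).
# Rules modelled:
#   - a direct (non-inherited) project assignment applies to that project;
#   - a domain assignment with inherited=True applies to every project in the domain;
#   - a project assignment with inherited=True applies to that project's descendants only;
#   - a domain assignment with inherited=False is domain scope only (the post's case).
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, Optional, Set


@dataclass(frozen=True)
class Project:
    id: str
    name: str
    domain_id: str
    parent_id: Optional[str] = None  # set only for subprojects (assumed shape)


@dataclass(frozen=True)
class Assignment:
    role_id: str
    user_id: str
    domain_id: Optional[str] = None   # domain-scoped assignment
    project_id: Optional[str] = None  # project-scoped assignment
    inherited: bool = False           # OS-INHERIT inherited_to_projects flag


# IDs taken from the post; "novaadmin" stands in for the user's ID.
ROLE_USER = "8284c7e1155a464c818cf1eacf008c23"
ROLE_PROJECTADMIN = "cb17fb40e2ef4cdd99956cd771b1799a"
EMPTYTESTPROJECT = Project("23c3fe708cb44c4db3144c3763b2c96c", "emptytestproject", "default")


def ancestors(project: Project, projects: Dict[str, Project]) -> Iterator[str]:
    """Yield the IDs of the project's parents, nearest first."""
    parent = project.parent_id
    while parent is not None:
        yield parent
        node = projects.get(parent)
        parent = node.parent_id if node else None


def effective_roles(user_id: str, project: Project,
                    assignments: Iterable[Assignment],
                    projects: Optional[Dict[str, Project]] = None) -> Set[str]:
    """Role IDs `user_id` holds on `project` after applying the inheritance rules."""
    parents = set(ancestors(project, projects or {}))
    roles: Set[str] = set()
    for a in assignments:
        if a.user_id != user_id:
            continue
        if a.project_id == project.id and not a.inherited:
            roles.add(a.role_id)                     # direct project grant
        elif a.domain_id == project.domain_id and a.inherited:
            roles.add(a.role_id)                     # inherited from the owning domain
        elif a.project_id in parents and a.inherited:
            roles.add(a.role_id)                     # inherited from a parent project
        # a.domain_id == project.domain_id and not a.inherited: domain scope only
    return roles


def inherit_to_projects_url(auth_url: str, domain_id: str, user_id: str, role_id: str) -> str:
    """OS-INHERIT endpoint; a PUT here creates the inheritable domain assignment."""
    return (f"{auth_url.rstrip('/')}/OS-INHERIT/domains/{domain_id}"
            f"/users/{user_id}/roles/{role_id}/inherited_to_projects")


# Scenario 1: what the post's `role assignment list --domain default` shows.
AS_POSTED = [
    Assignment(ROLE_USER, "novaadmin", domain_id="default"),
    Assignment(ROLE_PROJECTADMIN, "novaadmin", domain_id="default"),
]
# Scenario 2: the same two grants created with the inherited flag.
WITH_INHERIT = [
    Assignment(ROLE_USER, "novaadmin", domain_id="default", inherited=True),
    Assignment(ROLE_PROJECTADMIN, "novaadmin", domain_id="default", inherited=True),
]

if __name__ == "__main__":
    print(effective_roles("novaadmin", EMPTYTESTPROJECT, AS_POSTED))     # set()
    print(effective_roles("novaadmin", EMPTYTESTPROJECT, WITH_INHERIT))  # both role IDs
    print(inherit_to_projects_url("http://keystone:35357/v3", "default",
                                  "novaadmin", ROLE_PROJECTADMIN))
```

Running it with the assignments as posted yields no roles on `emptytestproject`, which matches the empty `role assignment list --project emptytestproject` and the 401 from Nova; the same grants flagged inherited yield both roles. Whether the `openstack role add --inherited` and `role assignment list --effective` options are present in the OpenStackClient release deployed alongside Liberty is not shown in the post and should be checked with `openstack help role add`.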