Re: [openstack-dev] [Keystone]: Help needed with RBAC policies
Also, you might need to change OS_AUTH_URL to /v3/ or to unversioned. Policy works only with the v3 API. In v2 you are either admin or user, and there are no policies or roles.

On 07/19/2016 10:08 PM, Boris Bobrov wrote:
> Hi,
>
> Try passing --os-identity-api-version=3 to `openstack`. Or set the env variable OS_IDENTITY_API_VERSION=3.
>
> On 07/19/2016 09:56 PM, Nasim, Kam wrote:
> > Hi folks,
> >
> > I have been trying to modify the default RBAC policies in keystone/policy.json; however, my policy changes don't seem to be enforced.
> >
> > As a quick test, I modified the identity:list_users policy to:
> >
> >     "identity:list_users": "role:kam",
> >
> > There is no role called "kam" defined in my deployment, so I would have expected this operation to fail. However:
> >
> >     $ openstack --debug user list
> >     +----------------------------------+------------+
> >     | ID                               | Name       |
> >     +----------------------------------+------------+
> >     | 3c1bd8c0f6324dcc938900d8eb801aa5 | admin      |
> >     | 4b76763e375946998445b65b11c8db73 | ceilometer |
> >     | 15c8e1e463cc4370ad369eaf8504b727 | cinder     |
> >     | 951068b3372f47ac827ade8f67cc19b4 | glance     |
> >     | 2b62ced877244e74ba90b546225740d0 | heat       |
> >     | 438a24497bc8448d9ac63bf05a005796 | kam        |
> >     | 0b7af941da9b4896959f9258c6b498a0 | kam2       |
> >     | d1c4f7a244f74892b612b9b2ded6d602 | neutron    |
> >     | 5c3ea23eb8e14070bc562951bb266073 | sysinv     |
> >     +----------------------------------+------------+
> >
> >     $ cat myrc
> >     unset OS_SERVICE_TOKEN
> >     export OS_AUTH_URL=http://192.168.204.2:5000/v2.0
> >     export OS_ENDPOINT_TYPE=publicURL
> >     export CINDER_ENDPOINT_TYPE=publicURL
> >     export OS_USERNAME=admin
> >     export OS_PASSWORD=admin
> >     export PS1='[\u@\h \W(keystone_admin)]\$ '
> >     export OS_TENANT_NAME=admin
> >     export OS_REGION_NAME=RegionOne
> >
> > After getting the auth token, the client uses the adminURL endpoint to get the user list:
> >
> >     curl -g -i -X GET http://192.168.204.2:35357/v2.0/users -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}75002edfff1eb6751b3425d9d247ac3212e750f9"
> >
> > Is there something I am missing here? Some specific configuration to enable RBAC? Do admin URL ops bypass RBAC?
> >
> > Thanks,
> > Kam

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Keystone]: Help needed with RBAC policies
Hi Kam,

The first thing I'd do is ensure that you're editing the correct "in use" policy file (/etc/keystone/policy.json, if it's a default devstack install).

Secondly, a good test would be to change the actual policy to "!" (deny all). If that still allows anyone but the service token to do the operation, something beyond your specific edits is wrong. The service token bypasses RBAC, but the admin accounts should not.

Beyond editing the correct "in use" policy file, there should not be additional changes necessary to enable them.

Tim

From: "Nasim, Kam" <kam.na...@windriver.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Date: Tuesday, July 19, 2016 at 11:56 AM
To: "openstack-dev@lists.openstack.org" <openstack-dev@lists.openstack.org>
Subject: [openstack-dev] [Keystone]: Help needed with RBAC policies

Hi folks,

I have been trying to modify the default RBAC policies in keystone/policy.json; however, my policy changes don't seem to be enforced.

As a quick test, I modified the identity:list_users policy to:

    "identity:list_users": "role:kam",

There is no role called "kam" defined in my deployment, so I would have expected this operation to fail. However:

    $ openstack --debug user list
    +----------------------------------+------------+
    | ID                               | Name       |
    +----------------------------------+------------+
    | 3c1bd8c0f6324dcc938900d8eb801aa5 | admin      |
    | 4b76763e375946998445b65b11c8db73 | ceilometer |
    | 15c8e1e463cc4370ad369eaf8504b727 | cinder     |
    | 951068b3372f47ac827ade8f67cc19b4 | glance     |
    | 2b62ced877244e74ba90b546225740d0 | heat       |
    | 438a24497bc8448d9ac63bf05a005796 | kam        |
    | 0b7af941da9b4896959f9258c6b498a0 | kam2       |
    | d1c4f7a244f74892b612b9b2ded6d602 | neutron    |
    | 5c3ea23eb8e14070bc562951bb266073 | sysinv     |
    +----------------------------------+------------+

    $ cat myrc
    unset OS_SERVICE_TOKEN
    export OS_AUTH_URL=http://192.168.204.2:5000/v2.0
    export OS_ENDPOINT_TYPE=publicURL
    export CINDER_ENDPOINT_TYPE=publicURL
    export OS_USERNAME=admin
    export OS_PASSWORD=admin
    export PS1='[\u@\h \W(keystone_admin)]\$ '
    export OS_TENANT_NAME=admin
    export OS_REGION_NAME=RegionOne

After getting the auth token, the client uses the adminURL endpoint to get the user list:

    curl -g -i -X GET http://192.168.204.2:35357/v2.0/users -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}75002edfff1eb6751b3425d9d247ac3212e750f9"

Is there something I am missing here? Some specific configuration to enable RBAC? Do admin URL ops bypass RBAC?

Thanks,
Kam
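To make Tim's "!" diagnostic and the role:kam edit concrete, here is a small offline evaluator for the rule language keystone's policy.json uses. It is an added example, not keystone's or oslo.policy's code, and it implements only the subset the thread touches ("!", "@", role:NAME, rule:NAME, generic checks such as is_admin:1, and "and"/"or"); the policy text and the credential dictionaries are constructed for the example. Running a role set through it shows what an edited file should allow before you test against the API: "role:kam" must deny the admin user, and "!" must deny every caller regardless of roles, so an API call that still succeeds points at the wrong file being edited or at the v2 path not consulting policy at all.

```python
"""Offline evaluator for the rule language in keystone's policy.json.

Added example (not keystone's or oslo.policy's code). It covers only
the subset the thread touches: "!", "@"/"", role:NAME, rule:NAME,
generic KEY:VALUE checks such as is_admin:1, and "and"/"or" with
"and" binding tighter. Parentheses and "not" are rejected explicitly.
"""
import json
import re

# Constructed policy fragment (an assumption, not a copy of any real
# deployment's file): keystone's stock admin_required helper, the
# identity:list_users edit from the thread, a rule that delegates to
# admin_required, and the "!" deny-all diagnostic Tim suggests.
SAMPLE_POLICY = """
{
  "admin_required": "role:admin or is_admin:1",
  "identity:list_users": "role:kam",
  "identity:get_user": "rule:admin_required",
  "identity:list_roles": "!"
}
"""

_MAX_DEPTH = 32  # stops rule:a -> rule:b -> rule:a from recursing forever


def _eval_atom(atom, rules, creds, depth):
    """Evaluate a single check such as role:admin or rule:admin_required."""
    if atom == "!":            # deny everyone, whatever their roles
        return False
    if atom in ("@", ""):      # allow everyone
        return True
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        if value not in rules:
            raise KeyError(f"rule:{value} references an undefined rule")
        return _eval_expr(rules[value], rules, creds, depth + 1)
    # Generic check: the credential attribute, stringified, must equal
    # the literal, so is_admin:1 matches an is_admin of 1 but not 0.
    if kind in creds:
        return str(creds[kind]) == value
    return False


def _eval_expr(expr, rules, creds, depth):
    """Evaluate an 'a and b or c' expression; 'and' binds tighter than 'or'."""
    if depth > _MAX_DEPTH:
        raise RecursionError("rule reference cycle in policy")
    if "(" in expr or " not " in f" {expr} ":
        raise ValueError(f"parentheses and 'not' are outside this subset: {expr!r}")
    return any(
        all(_eval_atom(atom.strip(), rules, creds, depth)
            for atom in re.split(r"\s+and\s+", clause.strip()))
        for clause in re.split(r"\s+or\s+", expr.strip())
    )


def enforce(target, creds, policy_text=SAMPLE_POLICY):
    """True if `creds` (dict with 'roles' and other attributes) may do `target`."""
    rules = json.loads(policy_text)
    if target not in rules:
        raise KeyError(f"no policy target named {target!r}")
    return _eval_expr(rules[target], rules, creds, 0)


def audit(creds, policy_text=SAMPLE_POLICY):
    """Map every identity:* target to whether `creds` would be allowed."""
    rules = json.loads(policy_text)
    return {target: _eval_expr(expr, rules, creds, 0)
            for target, expr in rules.items() if target.startswith("identity:")}


if __name__ == "__main__":
    # Constructed credentials: the admin user from the thread, a user
    # holding the made-up "kam" role, and a caller whose context carries
    # is_admin=1 (how an admin/service token context is flagged here).
    for name, creds in [("admin", {"roles": ["admin"], "is_admin": 0}),
                        ("kam", {"roles": ["kam"], "is_admin": 0}),
                        ("service", {"roles": [], "is_admin": 1})]:
        print(name, audit(creds))
```

Point `enforce` or `audit` at the text of the policy file you believe is in use (the `policy_text` parameter) and at the role set of the account you are testing with; if the evaluator denies the call but the live API allows it, the server is not loading that file, which is exactly the distinction Tim's deny-all test is designed to surface.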
Re: [openstack-dev] [Keystone]: Help needed with RBAC policies
Hi,

Try passing --os-identity-api-version=3 to `openstack`. Or set the env variable OS_IDENTITY_API_VERSION=3.

On 07/19/2016 09:56 PM, Nasim, Kam wrote:
> Hi folks,
>
> I have been trying to modify the default RBAC policies in keystone/policy.json; however, my policy changes don't seem to be enforced.
>
> As a quick test, I modified the identity:list_users policy to:
>
>     "identity:list_users": "role:kam",
>
> There is no role called "kam" defined in my deployment, so I would have expected this operation to fail. However:
>
>     $ openstack --debug user list
>     +----------------------------------+------------+
>     | ID                               | Name       |
>     +----------------------------------+------------+
>     | 3c1bd8c0f6324dcc938900d8eb801aa5 | admin      |
>     | 4b76763e375946998445b65b11c8db73 | ceilometer |
>     | 15c8e1e463cc4370ad369eaf8504b727 | cinder     |
>     | 951068b3372f47ac827ade8f67cc19b4 | glance     |
>     | 2b62ced877244e74ba90b546225740d0 | heat       |
>     | 438a24497bc8448d9ac63bf05a005796 | kam        |
>     | 0b7af941da9b4896959f9258c6b498a0 | kam2       |
>     | d1c4f7a244f74892b612b9b2ded6d602 | neutron    |
>     | 5c3ea23eb8e14070bc562951bb266073 | sysinv     |
>     +----------------------------------+------------+
>
>     $ cat myrc
>     unset OS_SERVICE_TOKEN
>     export OS_AUTH_URL=http://192.168.204.2:5000/v2.0
>     export OS_ENDPOINT_TYPE=publicURL
>     export CINDER_ENDPOINT_TYPE=publicURL
>     export OS_USERNAME=admin
>     export OS_PASSWORD=admin
>     export PS1='[\u@\h \W(keystone_admin)]\$ '
>     export OS_TENANT_NAME=admin
>     export OS_REGION_NAME=RegionOne
>
> After getting the auth token, the client uses the adminURL endpoint to get the user list:
>
>     curl -g -i -X GET http://192.168.204.2:35357/v2.0/users -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}75002edfff1eb6751b3425d9d247ac3212e750f9"
>
> Is there something I am missing here? Some specific configuration to enable RBAC? Do admin URL ops bypass RBAC?
>
> Thanks,
> Kam
[openstack-dev] [Keystone]: Help needed with RBAC policies
Hi folks,

I have been trying to modify the default RBAC policies in keystone/policy.json; however, my policy changes don't seem to be enforced.

As a quick test, I modified the identity:list_users policy to:

    "identity:list_users": "role:kam",

There is no role called "kam" defined in my deployment, so I would have expected this operation to fail. However:

    $ openstack --debug user list
    +----------------------------------+------------+
    | ID                               | Name       |
    +----------------------------------+------------+
    | 3c1bd8c0f6324dcc938900d8eb801aa5 | admin      |
    | 4b76763e375946998445b65b11c8db73 | ceilometer |
    | 15c8e1e463cc4370ad369eaf8504b727 | cinder     |
    | 951068b3372f47ac827ade8f67cc19b4 | glance     |
    | 2b62ced877244e74ba90b546225740d0 | heat       |
    | 438a24497bc8448d9ac63bf05a005796 | kam        |
    | 0b7af941da9b4896959f9258c6b498a0 | kam2       |
    | d1c4f7a244f74892b612b9b2ded6d602 | neutron    |
    | 5c3ea23eb8e14070bc562951bb266073 | sysinv     |
    +----------------------------------+------------+

    $ cat myrc
    unset OS_SERVICE_TOKEN
    export OS_AUTH_URL=http://192.168.204.2:5000/v2.0
    export OS_ENDPOINT_TYPE=publicURL
    export CINDER_ENDPOINT_TYPE=publicURL
    export OS_USERNAME=admin
    export OS_PASSWORD=admin
    export PS1='[\u@\h \W(keystone_admin)]\$ '
    export OS_TENANT_NAME=admin
    export OS_REGION_NAME=RegionOne

After getting the auth token, the client uses the adminURL endpoint to get the user list:

    curl -g -i -X GET http://192.168.204.2:35357/v2.0/users -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}75002edfff1eb6751b3425d9d247ac3212e750f9"

Is there something I am missing here? Some specific configuration to enable RBAC? Do admin URL ops bypass RBAC?

Thanks,
Kam