Re: [openstack-dev] [Keystone]: Help needed with RBAC policies

2016-07-19 Thread Boris Bobrov

Also, you might need to change OS_AUTH_URL to /v3/ or to unversioned.

Policy works only with v3 api. In v2 you are either admin or user, and 
there are no policies or roles.


On 07/19/2016 10:08 PM, Boris Bobrov wrote:

Hi,

Try passing --os-identity-api-version=3 to `openstack`. Or set env
variable OS_IDENTITY_API_VERSION=3.

On 07/19/2016 09:56 PM, Nasim, Kam wrote:

[quoted original post trimmed; it appears in full below]


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev





Re: [openstack-dev] [Keystone]: Help needed with RBAC policies

2016-07-19 Thread Timothy Symanczyk

Hi Kam,

The first thing I'd do is ensure that you're editing the correct "in use" 
policy file ( /etc/keystone/policy.json , if it's a default devstack install ). 
Secondly, a good test would be to change the actual policy to "!" (deny all). 
If that still allows anyone but the service token to do the operation, 
something beyond your specific edits is wrong.

The service token bypasses RBAC, but the admin accounts should not. Beyond 
editing the correct "in use" policy file, there should not be additional 
changes necessary to enable them.

Tim

From: "Nasim, Kam" <kam.na...@windriver.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Date: Tuesday, July 19, 2016 at 11:56 AM
To: "openstack-dev@lists.openstack.org" <openstack-dev@lists.openstack.org>
Subject: [openstack-dev] [Keystone]: Help needed with RBAC policies

[quoted original post trimmed; it appears in full below]



Re: [openstack-dev] [Keystone]: Help needed with RBAC policies

2016-07-19 Thread Boris Bobrov

Hi,

Try passing --os-identity-api-version=3 to `openstack`. Or set env 
variable OS_IDENTITY_API_VERSION=3.


On 07/19/2016 09:56 PM, Nasim, Kam wrote:

[quoted original post trimmed; it appears in full below]






[openstack-dev] [Keystone]: Help needed with RBAC policies

2016-07-19 Thread Nasim, Kam

Hi folks,

I have been trying to modify the default RBAC policies in keystone/policy.json;
however, my policy changes don't seem to be enforced.

As a quick test, I modified the identity:list_users policy to:

"identity:list_users": "role:kam",

There is no role called "kam" defined in my deployment so I would have expected 
this operation to fail.

However:

$ openstack --debug user list

+----------------------------------+------------+
| ID                               | Name       |
+----------------------------------+------------+
| 3c1bd8c0f6324dcc938900d8eb801aa5 | admin      |
| 4b76763e375946998445b65b11c8db73 | ceilometer |
| 15c8e1e463cc4370ad369eaf8504b727 | cinder     |
| 951068b3372f47ac827ade8f67cc19b4 | glance     |
| 2b62ced877244e74ba90b546225740d0 | heat       |
| 438a24497bc8448d9ac63bf05a005796 | kam        |
| 0b7af941da9b4896959f9258c6b498a0 | kam2       |
| d1c4f7a244f74892b612b9b2ded6d602 | neutron    |
| 5c3ea23eb8e14070bc562951bb266073 | sysinv     |
+----------------------------------+------------+

$ cat myrc
unset OS_SERVICE_TOKEN
export OS_AUTH_URL=http://192.168.204.2:5000/v2.0
export OS_ENDPOINT_TYPE=publicURL
export CINDER_ENDPOINT_TYPE=publicURL

export OS_USERNAME=admin
export OS_PASSWORD=admin
export PS1='[\u@\h \W(keystone_admin)]\$ '

export OS_TENANT_NAME=admin
export OS_REGION_NAME=RegionOne


After getting the auth token, the client uses the adminURL endpoint to get the
user list:

curl -g -i -X GET http://192.168.204.2:35357/v2.0/users -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}75002edfff1eb6751b3425d9d247ac3212e750f9"


Is there something I am missing here? Some specific configuration to enable
RBAC? Do admin URL ops bypass RBAC?


Thanks,
Kam
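Both the "role:kam" experiment in this post and Tim's suggested "!" (deny-all) test can be checked against the policy file itself, before the API and token path come into it. The block below is an added example written for this thread, not keystone's or oslo.policy's own code: it evaluates the subset of the oslo.policy rule language that keystone's policy.json uses ("role:NAME", "rule:NAME", "KEY:VALUE", "!", "@", "", "not", "and", "or", parentheses), and the SAMPLE_POLICY it carries is a constructed stand-in that resembles the stock defaults rather than a copy of any deployment's file. It answers only what a rule would decide once keystone consults it; it says nothing about the v2/v3 distinction Boris raises, which is about whether the rule is consulted at all.

```python
"""Evaluate keystone-style policy.json rules offline.

Added example for this thread, not keystone's or oslo.policy's own code. It covers
the subset of the oslo.policy rule language keystone's policy.json uses: "role:NAME",
"rule:NAME", "KEY:VALUE" attribute checks, "!" (deny all), "@" or "" (allow all),
"not", "and", "or" and parentheses. SAMPLE_POLICY is a constructed stand-in for
keystone's stock file, not a copy of any deployment's.
"""
import json
import re

# Parentheses and bare tokens; the keywords and/or/not are matched case-insensitively.
_TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")

SAMPLE_POLICY = """{
    "admin_required": "role:admin or is_admin:1",
    "identity:list_users": "rule:admin_required",
    "default": "rule:admin_required"
}"""


class Policy:
    def __init__(self, rules):
        self.rules = dict(rules)

    def enforce(self, action, creds):
        # Simplification: an unknown action uses "default"; no "default" means deny.
        name = action if action in self.rules else "default"
        return self._eval_rule(name, creds, depth=0)

    def _eval_rule(self, name, creds, depth):
        if depth > 16:
            raise ValueError("rule reference cycle at %r" % name)
        if name not in self.rules:
            return False
        tokens = _TOKEN_RE.findall(self.rules[name])
        if not tokens:  # an empty rule string means "always allowed"
            return True
        node, pos = self._parse_or(tokens, 0)
        if pos != len(tokens):
            raise ValueError("trailing tokens in rule %r" % name)
        return self._eval(node, creds, depth)

    # Recursive descent with oslo.policy's precedence: or < and < not < atom.
    def _parse_or(self, toks, pos):
        left, pos = self._parse_and(toks, pos)
        while pos < len(toks) and toks[pos].lower() == "or":
            right, pos = self._parse_and(toks, pos + 1)
            left = ("or", left, right)
        return left, pos

    def _parse_and(self, toks, pos):
        left, pos = self._parse_not(toks, pos)
        while pos < len(toks) and toks[pos].lower() == "and":
            right, pos = self._parse_not(toks, pos + 1)
            left = ("and", left, right)
        return left, pos

    def _parse_not(self, toks, pos):
        if pos < len(toks) and toks[pos].lower() == "not":
            node, pos = self._parse_not(toks, pos + 1)
            return ("not", node), pos
        return self._parse_atom(toks, pos)

    def _parse_atom(self, toks, pos):
        if pos >= len(toks):
            raise ValueError("unexpected end of rule")
        if toks[pos] == "(":
            node, pos = self._parse_or(toks, pos + 1)
            if pos >= len(toks) or toks[pos] != ")":
                raise ValueError("missing ')'")
            return node, pos + 1
        return ("check", toks[pos]), pos + 1

    def _eval(self, node, creds, depth):
        kind = node[0]
        if kind == "or":
            return self._eval(node[1], creds, depth) or self._eval(node[2], creds, depth)
        if kind == "and":
            return self._eval(node[1], creds, depth) and self._eval(node[2], creds, depth)
        if kind == "not":
            return not self._eval(node[1], creds, depth)
        check = node[1]
        if check in ("@", "!"):  # "@" allows everyone, "!" denies everyone
            return check == "@"
        key, sep, value = check.partition(":")
        if not sep:
            raise ValueError("malformed check %r" % check)
        if key == "rule":
            return self._eval_rule(value, creds, depth + 1)
        if key == "role":  # role names compare case-insensitively, as in oslo.policy
            return value.lower() in {r.lower() for r in creds.get("roles", [])}
        # Generic check: the credential attribute, as a string, must equal VALUE.
        return key in creds and str(creds[key]) == value


def allowed(policy_text, action, roles, rule=None, **extra_creds):
    """Evaluate one action for a token carrying the given roles; `rule`, if
    given, replaces that action's rule first (the edit under test)."""
    rules = json.loads(policy_text)
    if rule is not None:
        rules[action] = rule
    creds = dict(extra_creds, roles=list(roles))
    return Policy(rules).enforce(action, creds)
```

With the stock-like sample, `allowed(SAMPLE_POLICY, "identity:list_users", ["admin"])` is True; with `rule="role:kam"` the admin token is denied and only a token carrying the `kam` role passes, and with `rule="!"` every token is denied. If the running keystone still returns the user list under those two rules, the file being edited is not the one it loads or the request is not reaching the enforcer, which is exactly the split Tim and Boris describe.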
