Is it acceptable to adjust policy.json to allow non-root Savanna access to cinder?

asked 2014-02-25 12:59:52 -0500 by itzgeoff, updated 2014-02-27 16:47:37 -0500 by smaffulli

Within the 'demo' project/tenant (as the demo user created by RDO packstack) I was trying to configure a Savanna Node Group Template that made use of a Cinder Volume for the storage location:


However, after clicking Create an error popup appeared and the template entry wasn't created. Digging into the /var/log/savanna/api.log I found the specifics of the error:

2014-02-25 09:40:15.335 7370 ERROR savanna.utils.api [-] Request aborted with status code 500 and message 'Error occurred during validation'
2014-02-25 09:40:15.337 7370 ERROR savanna.utils.api [-] Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/savanna/service/validation.py", line 37, in handler
    validator(**kwargs)
  File "/usr/lib/python2.6/site-packages/savanna/service/validations/node_group_templates.py", line 89, in check_node_group_template_create
    data['hadoop_version'], data)
  File "/usr/lib/python2.6/site-packages/savanna/service/validations/base.py", line 121, in check_node_group_basic_fields
    check_cinder_exists()
  File "/usr/lib/python2.6/site-packages/savanna/service/validations/base.py", line 266, in check_cinder_exists
    keystone.client().services.list()]
  File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 70, in func
    return f(*args, **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 340, in list
    self.collection_key)
  File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 110, in _list
    resp, body = self.client.get(url)
  File "/usr/lib/python2.6/site-packages/keystoneclient/httpclient.py", line 655, in get
    return self._cs_request(url, 'GET', **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/httpclient.py", line 651, in _cs_request
    **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/httpclient.py", line 610, in request
    **request_kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/httpclient.py", line 124, in request
    raise exceptions.from_response(resp, method, url)
Forbidden: You are not authorized to perform the requested action, identity:list_services. (HTTP 403)

Is the following solution appropriate?

  • Create a new savanna_user role
  • Add the new role to the user 'demo'
  • Adjust the /etc/keystone/policy.json to allow that new role to perform the identity:list_services action

In detail:

[root@host keystone(keystone_admin)]# keystone role-create --name savanna_user
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | f3fa42dacd5943cebaedd0c3207f37ed |
|   name   |           savanna_user           |
+----------+----------------------------------+

[root@host keystone(keystone_admin)]# keystone user-role-add --user demo --role savanna_user --tenant demo

Modified /etc/keystone/policy.json, per the following diff:

--- policy.json.ORIG     2014-02-25 09:36:41.207569035 -0600
+++ /etc/keystone/policy.json     2014-02-24 17:17:00.097633512 -0600
@@ -1,14 +1,16 @@
 {
     "admin_required": "role:admin or is_admin:1",
     "service_role": "role:service",
+    "savanna_role": "role:savanna_user",
     "service_or_admin": "rule:admin_required or rule:service_role",
     "owner" : "user_id:%(user_id)s",
     "admin_or_owner": "rule:admin_required or rule:owner",
+    "admin_or_savanna": "rule:admin_required or rule:savanna_role",

     "default": "rule:admin_required",

     "identity:get_service": "rule:admin_required",
-    "identity:list_services": "rule:admin_required",
+    "identity:list_services": "rule:admin_or_savanna",
     "identity:create_service": "rule:admin_required",
     "identity:update_service": "rule:admin_required",
     "identity:delete_service": "rule:admin_required",
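Review bot: the new `"identity:list_services": "rule:admin_or_savanna"` line is keyed on `role:savanna_user` alone, so it admits any token that carries that role, whatever tenant the token is scoped to; the `user-role-add --tenant demo` step above controls where the role is granted, not where this match applies, so anyone later given savanna_user in another tenant can list services too. Note also that only list_services is opened while `identity:get_service` and the neighbouring rules stay `rule:admin_required`, so the hunk covers exactly the call in the traceback and nothing more. One more thing to check before trusting this as the full change: the `---`/`+++` header dates `policy.json.ORIG` at 2014-02-25 09:36, later than the edited file at 2014-02-24 17:17, so confirm the .ORIG copy really is the pristine packaged file rather than diffing against a backup taken after editing.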

and then restart keystone:

[root@host keystone(keystone_admin)]# service openstack-keystone restart

1 answer


answered 2014-03-03 23:07:35 -0500 by SergeyLukjanov

Hey,

The common way is to create a savanna user in the service tenant with the admin role in that tenant. As you can see, all services have such a user in the service tenant. Such a user should be added only to the service tenant.

Anyway, list_services isn't the only op that we're doing with keystone; we're using trusts at least.

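To see concretely what the question's policy.json diff changes, and why the answer's service-tenant user needs no policy edit at all, here is a small evaluator for the policy.json rule language. It is an added example and not Keystone's or Savanna's own code: Keystone at the time used the policy engine in keystone/openstack/common/policy.py, which additionally handles parentheses, "not", and custom check plugins. The rule dictionaries are copied from the question's diff; the credential dicts (user IDs, project IDs, role lists) are constructed for the example, and the is_admin handling is a simplification of what Keystone does with the admin token.

```python
"""Minimal evaluator for Keystone-style policy.json rules (added example).

Subset of the real rule language: rule:<name>, role:<name>, generic
<field>:<value> checks with %(field)s substitution from the target,
'and'/'or' combinators, the empty rule (always allow) and '!' (deny).
"""

# Rules copied from the question's policy.json; only the entries shown
# in the diff are included.
ORIGINAL_POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "service_role": "role:service",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "default": "rule:admin_required",
    "identity:get_service": "rule:admin_required",
    "identity:list_services": "rule:admin_required",
    "identity:create_service": "rule:admin_required",
    "identity:update_service": "rule:admin_required",
    "identity:delete_service": "rule:admin_required",
}

# The same file after the question's diff is applied.
PATCHED_POLICY = dict(ORIGINAL_POLICY)
PATCHED_POLICY.update({
    "savanna_role": "role:savanna_user",
    "admin_or_savanna": "rule:admin_required or rule:savanna_role",
    "identity:list_services": "rule:admin_or_savanna",
})


def _parse(rule_text):
    """Split 'a or b and c' into OR-groups of AND-ed atoms ('and' binds tighter)."""
    rule_text = rule_text.strip()
    if not rule_text:
        return []  # an empty rule means "always allowed"
    return [[atom.strip() for atom in group.split(" and ")]
            for group in rule_text.split(" or ")]


def _atom_allowed(atom, creds, target, policy):
    """Evaluate one 'kind:value' atom against the caller's credentials."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return enforce(value, creds, policy, target)
    if kind == "role":
        # Only the token's role list is consulted; the tenant the role was
        # granted in never enters the comparison.
        return value in creds.get("roles", ())
    # Generic check: a credential field compared with a literal, or with a
    # %(field)s substitution taken from the target (user_id:%(user_id)s).
    if kind not in creds:
        return False
    try:
        return str(creds[kind]) == value % target
    except KeyError:  # target lacks the substituted field
        return False


def enforce(action, creds, policy, target=None):
    """Return True if `creds` may perform `action` under `policy`."""
    target = target or {}
    rule_text = policy.get(action, policy.get("default", "!"))
    if rule_text == "!":
        return False  # '!' is the always-deny literal
    groups = _parse(rule_text)
    if not groups:
        return True
    return any(all(_atom_allowed(atom, creds, target, policy) for atom in group)
               for group in groups)


# Constructed credential dicts, shaped like what Keystone derives from a
# token; names and IDs are made up for this example.
DEMO_USER = {          # the question's 'demo' user after user-role-add
    "user_id": "demo-id", "project_id": "demo-id",
    "roles": ["_member_", "savanna_user"],
}
SERVICE_SAVANNA = {    # the answer's approach: admin in the service tenant
    "user_id": "savanna-id", "project_id": "service-id",
    "roles": ["admin"],
}
OTHER_USER = {         # savanna_user granted in an unrelated tenant
    "user_id": "other-id", "project_id": "other-id",
    "roles": ["savanna_user"],
}


def compare(action, target=None):
    """Evaluate `action` for each constructed caller under both policies."""
    callers = {"demo": DEMO_USER, "service_savanna": SERVICE_SAVANNA,
               "other": OTHER_USER}
    return {name: {"original": enforce(action, c, ORIGINAL_POLICY, target),
                   "patched": enforce(action, c, PATCHED_POLICY, target)}
            for name, c in callers.items()}


if __name__ == "__main__":
    for action in ("identity:list_services", "identity:get_service"):
        print(action, compare(action))
```

Running it shows the two points made on this page: the demo user gains identity:list_services only under the patched file and still fails identity:get_service (and everything else that falls to the `default` rule), while the service-tenant savanna user passes under the unmodified policy because `admin_required` matches `role:admin`. The `other` caller shows that the patched rule is project-blind: the role name is all that is compared.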
