Is it acceptable to adjust policy.json to allow non-root Savanna access to cinder?
Within the 'demo' project/tenant (as the demo user created by RDO packstack) I was trying to configure a Savanna Node Group Template that made use of a Cinder Volume for the storage location.
However, after clicking Create an error popup appeared and the template entry wasn't created. Digging into the /var/log/savanna/api.log I found the specifics of the error:
2014-02-25 09:40:15.335 7370 ERROR savanna.utils.api [-] Request aborted with status code 500 and message 'Error occurred during validation'
2014-02-25 09:40:15.337 7370 ERROR savanna.utils.api [-] Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/savanna/service/validation.py", line 37, in handler
    validator(**kwargs)
  File "/usr/lib/python2.6/site-packages/savanna/service/validations/node_group_templates.py", line 89, in check_node_group_template_create
    data['hadoop_version'], data)
  File "/usr/lib/python2.6/site-packages/savanna/service/validations/base.py", line 121, in check_node_group_basic_fields
    check_cinder_exists()
  File "/usr/lib/python2.6/site-packages/savanna/service/validations/base.py", line 266, in check_cinder_exists
    keystone.client().services.list()]
  File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 70, in func
    return f(*args, **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 340, in list
    self.collection_key)
  File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 110, in _list
    resp, body = self.client.get(url)
  File "/usr/lib/python2.6/site-packages/keystoneclient/httpclient.py", line 655, in get
    return self._cs_request(url, 'GET', **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/httpclient.py", line 651, in _cs_request
    **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/httpclient.py", line 610, in request
    **request_kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/httpclient.py", line 124, in request
    raise exceptions.from_response(resp, method, url)
Forbidden: You are not authorized to perform the requested action, identity:list_services. (HTTP 403)
Is the following solution appropriate?
- Create a new savanna_user role
- Add the new role to the user 'demo'
- Adjust the /etc/keystone/policy.json to allow that new role to perform the identity:list_services action
In detail:
[root@host keystone(keystone_admin)]# keystone role-create --name savanna_user
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | f3fa42dacd5943cebaedd0c3207f37ed |
|   name   |           savanna_user           |
+----------+----------------------------------+
[root@host keystone(keystone_admin)]# keystone user-role-add --user demo --role savanna_user --tenant demo
Modified /etc/keystone/policy.json according to this diff:
--- policy.json.ORIG 2014-02-25 09:36:41.207569035 -0600
+++ /etc/keystone/policy.json 2014-02-24 17:17:00.097633512 -0600
@@ -1,14 +1,16 @@
{
"admin_required": "role:admin or is_admin:1",
"service_role": "role:service",
+ "savanna_role": "role:savanna_user",
"service_or_admin": "rule:admin_required or rule:service_role",
"owner" : "user_id:%(user_id)s",
"admin_or_owner": "rule:admin_required or rule:owner",
+ "admin_or_savanna": "rule:admin_required or rule:savanna_role",
"default": "rule:admin_required",
"identity:get_service": "rule:admin_required",
- "identity:list_services": "rule:admin_required",
+ "identity:list_services": "rule:admin_or_savanna",
"identity:create_service": "rule:admin_required",
"identity:update_service": "rule:admin_required",
"identity:delete_service": "rule:admin_required",
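Review bot: the new `admin_or_savanna` rule is keyed only on `role:savanna_user`, so any token that carries that role in any project (not only `demo`, where `user-role-add` assigned it) now satisfies `identity:list_services`; that is acceptable if the service catalog is considered non-sensitive in this deployment, but say so explicitly, since the stock policy keeps it under `admin_required`. On the positive side the change is minimal: `default` still resolves to `rule:admin_required` and the other `identity:*_service` actions are untouched, so the role unlocks exactly the one call that `check_cinder_exists` makes via `keystone.client().services.list()` in the traceback. One housekeeping point: the `---` header dates `policy.json.ORIG` at 2014-02-25 09:36, later than the `+++` file at 2014-02-24 17:17, so the backup appears to have been taken after the edit; confirm it is really the pristine copy before relying on it for a rollback.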
and then restart keystone:
[root@host keystone(keystone_admin)]# service openstack-keystone restart
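To check what the policy change actually grants before restarting Keystone, here is a small evaluator for the rule grammar that appears in the diff (`role:`, `is_admin:`, `rule:` references, `or`/`and`, `%(key)s` target substitution). It is an added example, not Keystone's or oslo.policy's engine, and the policy dicts, token contexts and role lists in it are constructed from the diff above rather than taken from a live system. It runs the `before` and `after` policies side by side and lists which `identity:*` actions a given token can perform.

```python
"""Minimal evaluator for the policy.json rule grammar shown in the diff.

Constructed example: the two policies are transcribed from the hunk above,
the token contexts are made up.  Not oslo.policy; it only understands
'or' / 'and' without parentheses, which is all the hunk uses.
"""

# policy.json as it was before the edit (from the '-' and context lines)
POLICY_BEFORE = {
    "admin_required": "role:admin or is_admin:1",
    "service_role": "role:service",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "default": "rule:admin_required",
    "identity:get_service": "rule:admin_required",
    "identity:list_services": "rule:admin_required",
    "identity:create_service": "rule:admin_required",
    "identity:update_service": "rule:admin_required",
    "identity:delete_service": "rule:admin_required",
}

# policy.json after the edit (the '+' lines applied)
POLICY_AFTER = dict(POLICY_BEFORE)
POLICY_AFTER.update({
    "savanna_role": "role:savanna_user",
    "admin_or_savanna": "rule:admin_required or rule:savanna_role",
    "identity:list_services": "rule:admin_or_savanna",
})

# Constructed token contexts: roles as they would appear in a project-scoped token.
DEMO_TOKEN = {"user_id": "demo-id", "roles": ["_member_"]}
DEMO_WITH_SAVANNA = {"user_id": "demo-id", "roles": ["_member_", "savanna_user"]}
ADMIN_TOKEN = {"user_id": "admin-id", "roles": ["admin"]}


def _atom(atom, creds, target, policy):
    """Evaluate one 'kind:value' check against the token (creds) and target."""
    kind, _, value = atom.partition(":")
    if kind == "rule":            # reference to another named rule; unknown rule denies
        return evaluate(policy.get(value, "!"), creds, target, policy)
    if kind == "role":            # role carried in the token
        return value in creds.get("roles", ())
    if kind == "is_admin":        # legacy admin flag, e.g. is_admin:1
        return str(creds.get("is_admin", 0)) == value
    try:                          # generic match, e.g. user_id:%(user_id)s
        wanted = value % target if "%(" in value else value
    except KeyError:              # target lacks the attribute: cannot match
        return False
    return str(creds.get(kind)) == wanted


def evaluate(expr, creds, target, policy):
    """'@' always allows, '!' or empty always denies; otherwise OR of AND-groups."""
    expr = expr.strip()
    if expr == "@":
        return True
    if expr in ("", "!"):
        return False
    return any(
        all(_atom(a.strip(), creds, target, policy) for a in group.split(" and "))
        for group in expr.split(" or ")
    )


def enforce(policy, action, creds, target=None):
    """Return True if the token may perform `action`; unknown actions use 'default'."""
    expr = policy.get(action, policy.get("default", "!"))
    return evaluate(expr, creds, target or {}, policy)


def identity_actions_allowed(policy, creds):
    """Sorted list of identity:* actions the token can perform under `policy`."""
    return sorted(a for a in policy if a.startswith("identity:") and enforce(policy, a, creds))


if __name__ == "__main__":
    for name, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        for who, creds in (("demo", DEMO_TOKEN), ("demo+savanna_user", DEMO_WITH_SAVANNA),
                           ("admin", ADMIN_TOKEN)):
            print("%-6s %-18s %s" % (name, who, identity_actions_allowed(policy, creds)))
```

Under `POLICY_AFTER` the demo token with `savanna_user` is allowed exactly `identity:list_services` and nothing else; without the role it still gets an empty list, and actions not named in the file fall through to `default`, which remains admin-only.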