Is it acceptable to adjust policy.json to allow non-root Savanna access to cinder?

asked 2014-02-25 12:59:52 -0600 by itzgeoff

updated 2014-02-27 16:47:37 -0600 by smaffulli

Within the 'demo' project/tenant (as the demo user created by RDO packstack) I was trying to configure a Savanna Node Group Template that made use of a Cinder Volume for the storage location:


However, after clicking Create an error popup appeared and the template entry wasn't created. Digging into the /var/log/savanna/api.log I found the specifics of the error:

2014-02-25 09:40:15.335 7370 ERROR savanna.utils.api [-] Request aborted with status code 500 and message 'Error occurred during validation'
2014-02-25 09:40:15.337 7370 ERROR savanna.utils.api [-] Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/savanna/service/", line 37, in handler
  File "/usr/lib/python2.6/site-packages/savanna/service/validations/", line 89, in check_node_group_template_create
    data['hadoop_version'], data)
  File "/usr/lib/python2.6/site-packages/savanna/service/validations/", line 121, in check_node_group_basic_fields
  File "/usr/lib/python2.6/site-packages/savanna/service/validations/", line 266, in check_cinder_exists
  File "/usr/lib/python2.6/site-packages/keystoneclient/", line 70, in func
    return f(*args, **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/", line 340, in list
  File "/usr/lib/python2.6/site-packages/keystoneclient/", line 110, in _list
    resp, body = self.client.get(url)
  File "/usr/lib/python2.6/site-packages/keystoneclient/", line 655, in get
    return self._cs_request(url, 'GET', **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/", line 651, in _cs_request
  File "/usr/lib/python2.6/site-packages/keystoneclient/", line 610, in request
  File "/usr/lib/python2.6/site-packages/keystoneclient/", line 124, in request
    raise exceptions.from_response(resp, method, url)
Forbidden: You are not authorized to perform the requested action, identity:list_services. (HTTP 403)

Is the following solution appropriate?

  • Create a new savanna_user role
  • Add the new role to the user 'demo'
  • Adjust the /etc/keystone/policy.json to allow that new role to perform the identity:list_services action

In detail:

[root@host keystone(keystone_admin)]# keystone role-create --name savanna_user
| Property |              Value               |
|    id    | f3fa42dacd5943cebaedd0c3207f37ed |
|   name   |           savanna_user           |

[root@host keystone(keystone_admin)]# keystone user-role-add --user demo --role savanna_user --tenant demo

Modified /etc/keystone/policy.json, according to the diff:

--- policy.json.ORIG     2014-02-25 09:36:41.207569035 -0600
+++ /etc/keystone/policy.json     2014-02-24 17:17:00.097633512 -0600
@@ -1,14 +1,16 @@
     "admin_required": "role:admin or is_admin:1",
     "service_role": "role:service",
+    "savanna_role": "role:savanna_user",
     "service_or_admin": "rule:admin_required or rule:service_role",
     "owner" : "user_id:%(user_id)s",
     "admin_or_owner": "rule:admin_required or rule:owner",
+    "admin_or_savanna": "rule:admin_required or rule:savanna_role",

     "default": "rule:admin_required",

     "identity:get_service": "rule:admin_required",
-    "identity:list_services": "rule:admin_required",
+    "identity:list_services": "rule:admin_or_savanna",
     "identity:create_service": "rule:admin_required",
     "identity:update_service": "rule:admin_required",
     "identity:delete_service": "rule:admin_required",
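Review bot: the `identity:list_services` change grants that call to every token that carries the `savanna_user` role, not only to the Savanna service acting for the demo user; since the role is assigned per tenant (`keystone user-role-add --user demo --role savanna_user --tenant demo`), it would help to document that scope next to the `savanna_role` entry so a later operator does not widen it to other tenants by accident. The hunk also only covers the one action named in the traceback; the answer notes Savanna uses Keystone for more than `list_services` (trusts at least), so further 403s under `rule:admin_required` should be expected. Finally, the context shown starts after the opening brace of the file, so confirm after editing that /etc/keystone/policy.json still parses as JSON (a stray or missing comma on the two `+` lines would stop keystone loading the policy at restart).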

and then restart keystone:

[root@host keystone(keystone_admin)]# service openstack-keystone restart

1 answer

answered 2014-03-03 23:07:35 -0600 by SergeyLukjanov


The common way is to create a savanna user in the service tenant with the admin role in this tenant. As you can find, all services have such a user in the service tenant. Such a user should be added only to the service tenant.

Anyway, list_services isn't the only op that we're doing with keystone; we're using trusts at least.

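As an added example (not code from the question, the answer, or Keystone itself), here is a small evaluator for the subset of policy.json grammar used in the diff above, run against constructed credentials for the demo user with and without the new role and for a savanna service account holding admin, the approach the answer recommends. The rule names are those in the patched file; the user ids, role lists and the simplified evaluator are assumptions, not Keystone's real policy engine.

```python
import json

# Constructed fragment of /etc/keystone/policy.json as patched in the question
# (only the entries needed to evaluate identity:list_services are included).
POLICY_PATCHED = json.loads("""{
    "admin_required": "role:admin or is_admin:1",
    "service_role": "role:service",
    "savanna_role": "role:savanna_user",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "admin_or_savanna": "rule:admin_required or rule:savanna_role",
    "default": "rule:admin_required",
    "identity:list_services": "rule:admin_or_savanna"
}""")

# The unpatched file, where identity:list_services is still admin_required.
POLICY_ORIG = dict(POLICY_PATCHED, **{"identity:list_services": "rule:admin_required"})


def check(policy, action, creds, target=None):
    """Evaluate the rule registered for `action` against token credentials.

    Simplified evaluator, not keystone's real policy engine: it handles the
    grammar the question's file uses, i.e. 'or'-joined checks of the form
    role:X, is_admin:N, user_id:%(key)s and rule:Y.
    """
    target = target or {}
    rule = policy.get(action, policy["default"])
    for term in rule.split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind == "rule" and check(policy, value, creds, target):
            return True
        if kind == "role" and value in creds.get("roles", []):
            return True
        if kind == "is_admin" and str(creds.get("is_admin", 0)) == value:
            return True
        if kind == "user_id" and target and creds.get("user_id") == value % target:
            return True
    return False


def list_services_allowed(creds, policy):
    return check(policy, "identity:list_services", creds)


# Constructed credentials. "roles" are those carried by the scoped token, so a
# role granted with --tenant demo is only seen on tokens scoped to demo.
DEMO_PLAIN = {"user_id": "demo-id", "roles": ["_member_"]}  # the 403 in the log
DEMO_WITH_ROLE = {"user_id": "demo-id", "roles": ["_member_", "savanna_user"]}
SAVANNA_SVC = {"user_id": "savanna-id", "roles": ["admin"]}  # the answer's approach
```

Under POLICY_ORIG only SAVANNA_SVC passes; under POLICY_PATCHED DEMO_WITH_ROLE passes as well, which is exactly the widening the question's diff introduces.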
