Default Keystone_Policy.json not working properly

asked 2020-08-19 00:37:41 -0600

a-ridley

The admin user is not able to see anything in the Identity tab when logged into the Horizon dashboard. The Identity > Users, Identity > Projects, Identity > Roles tabs, etc., are all missing.

I have not written any custom policies. I have only generated the default policy using the oslopolicy generator.

The keystone_policy.json file has many rules that usually require (role:reader and system_scope:all). Some rules require (role:admin or system_scope:all).

I have checked my admin role and it does have a system scope all role, which means I should meet the rule (role:admin or system_scope:all). So either there is an issue with keystone's default policy.json files or I am not understanding how to get it to work.

Here are some commands I ran to see what is going on with my default admin role:

When running the following command:

openstack role assignment list --name

The result is a table that shows:

Role:   User:           Group:   Project:   Domain:   System:   Inherited:
admin   admin@Default                                 all       False

I run the following command to generate the default keystone_policy.json file.
oslopolicy-policy-generator --namespace keystone --output-file keystone_policy.json

This policy file is then copied over to /usr/share/openstack-dashboard/openstack_dashboard/conf/ which is where, according to , all of the services' policy.json files are looked for in order to apply them to the Horizon dashboard.

Any insight on where I could possibly fix this issue and get keystone policy to function properly would be greatly appreciated.

Release: Train
Using Identity V3

Thank you!



I just tried that generator also in Train and the file is not in valid json format. Can you share the first couple of lines to confirm?

eblock ( 2020-08-19 03:25:36 -0600 )

```
"identity:delete_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"
"identity:list_revoke_events": "rule:service_or_admin"
"identity:revoke_system_grant_for_group": "role:admin and system_scope:all"
```

You are right, not valid json.

a-ridley ( 2020-08-19 22:56:30 -0600 )

It is missing the curly brackets and commas to make it valid json. However, it picks up on the rules, because if I remove the system_scope:all for the list_users rule I am able to see the list of users when signing into horizon.

a-ridley ( 2020-08-19 22:58:31 -0600 )

Oh that's interesting, maybe it doesn't need a valid json format but only the rules? I don't know.

eblock ( 2020-08-20 01:38:10 -0600 )

YAML format has been allowed for a while.

zaneb ( 2020-08-20 09:52:59 -0600 )

1 answer


answered 2020-08-24 22:25:28 -0600

a-ridley

updated 2020-08-24 22:53:59 -0600

So it looks like yaml files may not be working properly in the Train release. The oslopolicy-policy-generator --namespace keystone --output-file keystone_policy.json command generates a file ending in .json but it looks like yaml syntax. When placed in the /usr/share/openstack-dashboard/openstack_dashboard/conf folder the policy file isn't applied correctly.

The following command is what finally fixed all of my issues with policy files:
oslopolicy-policy-upgrade \
--config-file /etc/keystone/keystone.conf \
--format json --namespace keystone \
--output-file keystone_policy_2.json \
--policy keystone_policy.json

When checking /var/log/keystone/keystone.log the following message was noticed:
Deprecated policy rules found. Use oslopolicy-policy-generator and oslopolicy-policy-upgrade to detect and resolve deprecated policies in your configuration.
That is what prompted the use of oslopolicy-policy-upgrade.

Also made sure that /openstack_dashboard/ said the following:

'identity': 'keystone_policy.json',
'compute': 'nova_policy.json',
'volume': 'cinder_policy.json',
'image': 'glance_policy.json',
'network': 'neutron_policy.json',

I want to point out that those two different commands output two different keystone_policy.json files. The first command has a lot of mentions of system_scope:all and the second command has simpler rules like: "identity:list_users_in_group": "rule:admin_required". So maybe this had to do with using Identity V3 vs V2?

That much I am not sure. But I am glad permissions are being applied correctly.

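The thread's core finding is that the generator's output is a flat YAML-style file (one `"rule": "check"` line per rule, no braces or commas) while a Train-era Horizon wanted a JSON object. As an added example, not part of the answer above and not oslo.policy's own code, the script below parses that flat format, confirms it is not valid JSON, rewrites it as a JSON object, and lists the rules that only a system-scoped token can ever satisfy; SAMPLE_POLICY is a constructed sample modelled on the lines quoted in the comments.

```python
import json

# Constructed sample of oslopolicy-policy-generator output, modelled on the lines
# quoted above: YAML comments plus one '"rule": "check"' line per rule.
SAMPLE_POLICY = '''\
# DEPRECATED
# "identity:list_users":"rule:admin_required" has been deprecated since S
"identity:list_users": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s)"
"identity:delete_project": "(role:admin and system_scope:all) or (role:admin and domain_id:%(target.project.domain_id)s)"
"identity:list_revoke_events": "rule:service_or_admin"
"identity:revoke_system_grant_for_group": "role:admin and system_scope:all"
'''

def parse_flat_policy(text):
    """Parse '"rule": "check"' lines into a dict. Each line is valid JSON once
    wrapped in braces, so json.loads handles the quoting and escaping."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # the generator emits its commentary as YAML comments
        try:
            rules.update(json.loads("{" + line + "}"))
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno} is not a quoted rule/check pair: {raw!r}") from exc
    return rules

def is_valid_json(text):
    """True if a JSON-only policy loader (Horizon in Train) would accept the text."""
    try:
        json.loads(text)
    except json.JSONDecodeError:
        return False
    return True

def to_json_policy(text):
    """Rewrite the flat file as the single JSON object its .json suffix promises."""
    return json.dumps(parse_flat_policy(text), indent=4, sort_keys=True)

def rules_requiring_system_scope(rules):
    """Rules whose every 'or' alternative contains system_scope:all, i.e. rules no
    project- or domain-scoped token can satisfy. Splits only on top-level ' or ',
    which is enough for the rule shapes quoted in this thread."""
    return sorted(name for name, check in rules.items()
                  if all("system_scope:all" in alt for alt in check.split(" or ")))

if __name__ == "__main__":
    rules = parse_flat_policy(SAMPLE_POLICY)
    print("valid JSON as generated:", is_valid_json(SAMPLE_POLICY))  # False
    print("system-scope-only rules:", rules_requiring_system_scope(rules))
```

Running it against a real generator output shows at a glance which Identity rules an admin with only a project-scoped token will never pass, which is the check to make before editing any rule by hand.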

Asked: 2020-08-19 00:37:41 -0600


Last updated: Aug 24 '20