Ask Your Question
0

How to kwow if a given role id is the admin role?

asked 2014-03-18 04:22:10 -0500

A.Michon gravatar image

updated 2014-03-19 10:46:34 -0500

smaffulli gravatar image

Hi, seems trivial but... How to kwow if a given role id is the admin role ? Matching on the 'admin' string ? Is there a function to check this ?

I use the keystone_client so I can easily get the role name from the role_id. I prefer not to match strings "admin" and use the policy method as explained here : http://docs.openstack.org/developer/h... But the syntax is not as simple I tried something like this :

  credentials = {'roles':['admin']} is_admin = policy.check(credentials, 'admin_required', {})
edit retag flag offensive close merge delete

3 answers

Sort by » oldest newest most voted
0

answered 2014-03-19 08:03:00 -0500

A.Michon gravatar image

I use this code (with default policy file):

credentials = {'roles':['admin']} 

try: 

    is_admin = policy.Enforcer().enforce('identity', 'admin_required', credentials) 

except: 

    is_admin = False
edit flag offensive delete link more
3

answered 2014-03-18 10:53:07 -0500

updated 2014-03-19 10:50:41 -0500

smaffulli gravatar image

You want to know which role name is treated as "admin" in keystone. There is no way to do this programatically unless we know the role name. In current default policy file it is defined as "admin_required": "role:admin or is_admin:1"," . So any role whose name is "admin" is admin role.

If someone defines "admin_required": "role:not_admin or is_admin:1"," in the deployed keystone policy file then the role name "not_admin" becomes admin role. Given a role id , you can get role name, but you can't say that the role name is admin in keystone unless you manually look at policy file definition. By convention the role with name "admin" is used as admin role.

To answer your question, use the rest-api to get the role details for the role-id or try keystone role-get/role-list to get the role name for the role id. In keystone role name is global uiqnue. You can assign any role to be an admin role.

edit flag offensive delete link more

Comments

Ok so...admin should NEVER rename admin role but it's possible in horizon dashboard .... Thanks for responding

A.Michon gravatar imageA.Michon ( 2014-03-19 03:42:44 -0500 )edit
0

answered 2014-03-18 05:29:30 -0500

9lives gravatar image

hmm, mebbe not the best way but this should do the check.

  1. create a user using keystone client
  2. create a tenant using keystone client
  3. assign the role_id for test to the user created in step1 and scoped with tenant created in step2.
  4. try to use this user to do user-list using keystone user-list if you can get the user-list you the role_id tested should be the admin role defined in the policy.json.

Hope that helps!

Vic

edit flag offensive delete link more

Comments

Thanks but It's an approach "catch exception coding" and I'd prefer call a method for example is_admin(role_id) -> True/False ...

A.Michon gravatar imageA.Michon ( 2014-03-18 08:25:30 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2014-03-18 04:22:10 -0500

Seen: 791 times

Last updated: Mar 19 '14