Ask Your Question
0

How to kwow if a given role id is the admin role?

asked 2014-03-18 04:22:10 -0600

A.Michon gravatar image

updated 2014-03-19 10:46:34 -0600

smaffulli gravatar image

Hi, seems trivial but... How to kwow if a given role id is the admin role ? Matching on the 'admin' string ? Is there a function to check this ?

I use the keystone_client so I can easily get the role name from the role_id. I prefer not to match strings "admin" and use the policy method as explained here : http://docs.openstack.org/developer/h... But the syntax is not as simple I tried something like this : 

  credentials = {'roles':['admin']} is_admin = policy.check(credentials, 'admin_required', {})
edit retag flag offensive close merge delete
add a comment

3 answers

Sort by ยป oldest newest most voted
0

answered 2014-03-19 08:03:00 -0600

A.Michon gravatar image

I use this code (with default policy file): 

credentials = {'roles':['admin']} 

try: 

    is_admin = policy.Enforcer().enforce('identity', 'admin_required', credentials) 

except: 

    is_admin = False
edit flag offensive delete link more
add a comment
3

answered 2014-03-18 10:53:07 -0600

Haneef Ali gravatar image

updated 2014-03-19 10:50:41 -0600

smaffulli gravatar image

You want to know which role name is treated as "admin" in keystone. There is no way to do this programatically unless we know the role name. In current default policy file it is defined as "admin_required": "role:admin or is_admin:1"," . So any role whose name is "admin" is admin role.

If someone defines "admin_required": "role:not_admin or is_admin:1"," in the deployed keystone policy file then the role name "not_admin" becomes admin role. Given a role id , you can get role name, but you can't say that the role name is admin in keystone unless you manually look at policy file definition. By convention the role with name "admin" is used as admin role.

To answer your question, use the rest-api to get the role details for the role-id or try keystone role-get/role-list to get the role name for the role id. In keystone role name is global uiqnue. You can assign any role to be an admin role.

edit flag offensive delete link more

Comments

Ok so...admin should NEVER rename admin role but it's possible in horizon dashboard .... Thanks for responding

A.Michon gravatar imageA.Michon ( 2014-03-19 03:42:44 -0600 )edit
add a comment
0

answered 2014-03-18 05:29:30 -0600

9lives gravatar image

hmm, mebbe not the best way but this should do the check.

  1. create a user using keystone client
  2. create a tenant using keystone client
  3. assign the role_id for test to the user created in step1 and scoped with tenant created in step2.
  4. try to use this user to do user-list using keystone user-list if you can get the user-list you the role_id tested should be the admin role defined in the policy.json.

Hope that helps!

Vic

edit flag offensive delete link more

Comments

Thanks but It's an approach "catch exception coding" and I'd prefer call a method for example is_admin(role_id) -> True/False ...

A.Michon gravatar imageA.Michon ( 2014-03-18 08:25:30 -0600 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2014-03-18 04:22:10 -0600

Seen: 784 times

Last updated: Mar 19 '14

Related questions

Project specific admin unable to list users or use horizon

keystone ssl certificate expires after one year

Need clarification on creation of V3 credentials

cinder list ERROR: Unauthorized (HTTP 401)

Keystone: different domain to control access

keystone user-role-add - Usage error

Keystone LDAP configuration

Liberty: The request you have made requires authentication. (HTTP 401)

keystone v3 project user list

What is the major difference between keystone v2 and v3? [closed]