
How to know if a given role id is the admin role?

asked 2014-03-18 04:22:10 -0500

A.Michon

updated 2014-03-19 10:46:34 -0500

smaffulli

Hi, seems trivial but... How to know if a given role id is the admin role? Matching on the 'admin' string? Is there a function to check this?

I use the keystone_client so I can easily get the role name from the role_id. I prefer not to match the string "admin" and to use the policy method as explained here: But the syntax is not as simple. I tried something like this:

    credentials = {'roles':['admin']}
    is_admin = policy.check(credentials, 'admin_required', {})

3 answers


answered 2014-03-19 08:03:00 -0500

A.Michon

I use this code (with default policy file):

    credentials = {'roles':['admin']}
    is_admin = policy.Enforcer().enforce('identity', 'admin_required', credentials)
    is_admin = False

answered 2014-03-18 10:53:07 -0500

updated 2014-03-19 10:50:41 -0500

smaffulli

You want to know which role name is treated as "admin" in keystone. There is no way to do this programmatically unless we know the role name. In the current default policy file it is defined as `"admin_required": "role:admin or is_admin:1",`. So any role whose name is "admin" is the admin role.

If someone defines `"admin_required": "role:not_admin or is_admin:1",` in the deployed keystone policy file, then the role name "not_admin" becomes the admin role. Given a role id, you can get the role name, but you can't say that the role name is admin in keystone unless you manually look at the policy file definition. By convention the role with the name "admin" is used as the admin role.

To answer your question, use the REST API to get the role details for the role id, or try keystone role-get/role-list to get the role name for the role id. In keystone, the role name is globally unique. You can assign any role to be an admin role.



Ok so...admin should NEVER rename admin role but it's possible in horizon dashboard .... Thanks for responding

A.Michon (2014-03-19 03:42:44 -0500)
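The answer above says the admin role is whatever name the deployed policy file's `admin_required` rule accepts. As an added example (not code from the thread or from keystone), the sketch below reads that rule from a policy file and tests a role name against it. The evaluator is a simplified stand-in for the real policy engine that only understands `kind:value` checks joined by `and`/`or`; the function names and the two sample policy strings are hypothetical.

```python
import json
import re

# Constructed sample policy files: only the "admin_required" rule quoted in
# the answer above is reproduced, everything else is left out.
DEFAULT_POLICY = '{"admin_required": "role:admin or is_admin:1"}'
RENAMED_POLICY = '{"admin_required": "role:not_admin or is_admin:1"}'


def _check(atom, creds):
    """Evaluate one 'kind:value' check against a credentials dict."""
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    # Any other kind is compared, as a string, with the same-named credential.
    return str(creds.get(kind)) == value


def evaluate(rule, creds):
    """Evaluate 'kind:value' checks joined by and/or ('and' binds tighter).

    Parentheses, 'not', rule references and substitutions are rejected with
    ValueError instead of being silently misread (assumed simplification).
    """
    if re.search(r"[()@!%]|\bnot\b|\brule:", rule):
        raise ValueError("unsupported rule syntax: %r" % rule)
    return any(
        all(_check(atom.strip(), creds) for atom in re.split(r"\band\b", clause))
        for clause in re.split(r"\bor\b", rule)
    )


def is_admin_role(role_name, policy_json):
    """True if holding only role_name satisfies the file's admin_required rule."""
    rule = json.loads(policy_json)["admin_required"]
    return evaluate(rule, {"roles": [role_name]})
```

Resolve the role id to its name first (role-get or the REST API, as the answer says), then pass the name together with the contents of the deployed policy file.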

answered 2014-03-18 05:29:30 -0500

9lives

hmm, mebbe not the best way but this should do the check.

  1. create a user using keystone client
  2. create a tenant using keystone client
  3. assign the role_id for test to the user created in step1 and scoped with tenant created in step2.
  4. try to use this user to do user-list using keystone user-list. If you can get the user-list, the role_id you tested should be the admin role defined in the policy.json.

Hope that helps!




Thanks, but it's a "catch exception coding" approach and I'd prefer to call a method, for example is_admin(role_id) -> True/False ...

A.Michon (2014-03-18 08:25:30 -0500)
