Can't implement any rules in policy.json in ceilometer

asked 2014-04-14 10:07:35 -0500

sampath

updated 2014-04-29 12:36:58 -0500

Hi, I tried to set up the keystone v3 API for ceilometer in order to use Domains and Groups. First, set the auth version to v3 in ceilometer.conf:

    [keystone_authtoken]
    ...skip other settings
    auth_version=v3.0

In the ceilometer-api logs:

    INFO keystoneclient.middleware.auth_token [-] Auth Token proceeding with requested v3.0 apis

looks OK. Then, first create a few domains and users. Here is the implemented domain and user model: https://drive.google.com/file/d/0B9g3E1OvcNwMMEFtUEV3bWtfYzQ/edit?usp=sharing

Then create some users for each domain and assign the admin role to the users named *_admin. Let's look at the roles assigned to user dom1_admin. He has an admin role in Domain1 and is a member of admin_domain.

Let's take one example. User dom1_admin is not supposed to have any authority in the "Default" domain, because he is not an admin or a member of that domain. However, he is an admin (role_id: 35f042ed911e49a5948e427de854a0b0) of Domain1.

Let's try to delete some alarms belonging to admin in the Default domain, demo project. First, let's see what alarms have been set by admin in the Default domain, demo project:

    ceilometer alarm-list
    +--------------------------------------+-----------+-------------------+---------+------------+---------------------------------+
    | Alarm ID                             | Name      | State             | Enabled | Continuous | Alarm condition                 |
    +--------------------------------------+-----------+-------------------+---------+------------+---------------------------------+
    | 662747c4-01c5-4c08-87cd-b80f84b5ed3a | cpu_at_50 | insufficient data | True    | False      | cpu_temp > 50.0 during 3 x 600s |
    | 91d7e56b-bdf1-4147-80a8-f5d6b4e82f4b | cpu_at_70 | insufficient data | True    | False      | cpu_temp > 70.0 during 3 x 600s |
    | b25154eb-736d-4fce-a08d-8158e4feb76d | cpu_at_60 | insufficient data | True    | False      | cpu_temp > 60.0 during 3 x 600s |
    | d7301ef0-89b0-4f7b-bac5-320c969d5528 | cpu_high  | insufficient data | True    | False      | cpu_temp > 80.0 during 3 x 600s |
    +--------------------------------------+-----------+-------------------+---------+------------+---------------------------------+

Next, dom1_admin tries to delete an alarm:

    curl -si -X DELETE -H "X-Auth-Token: d1cd3e227da941e092c2d3b62cd576e3" -H "Content-Type: application/json" http://192.168.11.4:8777/v2/alarms/d7301ef0-89b0-4f7b-bac5-320c969d5528
    HTTP/1.0 204 No Content
    Date: Tue, 29 Apr 2014 16:37:20 GMT
    Server: WSGIServer/0.1 Python/2.7.5+
    Content-Length: 0

The reply was "HTTP/1.0 204 No Content". Let's check the list of alarms set by admin in the Default domain, demo project, again:

    ceilometer alarm-list
    +--------------------------------------+-----------+-------------------+---------+------------+---------------------------------+
    | Alarm ID                             | Name      | State             | Enabled | Continuous | Alarm condition                 |
    +--------------------------------------+-----------+-------------------+---------+------------+---------------------------------+
    | 662747c4-01c5-4c08-87cd-b80f84b5ed3a | cpu_at_50 | insufficient data | True    | False      | cpu_temp > 50.0 during 3 x 600s |
    | 91d7e56b-bdf1-4147-80a8-f5d6b4e82f4b | cpu_at_70 | insufficient data | True    | False      | cpu_temp > 70.0 during 3 x 600s |
    | b25154eb-736d-4fce-a08d-8158e4feb76d | cpu_at_60 | insufficient data | True    | False      | cpu_temp > 60.0 during 3 x 600s |
    +--------------------------------------+-----------+-------------------+---------+------------+---------------------------------+

Well, the alarm was successfully deleted by another admin (dom1_admin).

The problem is, policy.json only checks whether the role is admin or not. To the best of my understanding, you can't set any rules other than "context_is_admin": [["role:admin"]]. In ceilometer/api/acl.py, get_limited_to_project is called to check the admin role whenever the check is needed.

What I wanted to do is manage the ceilometer objects with the keystone domain concept. A user can only CRUD things in a project and/or domain if they have the authorization.

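To make the gap in the post concrete, here is an added illustration (not code from the post, ceilometer, or oslo.policy): a minimal re-implementation of the legacy policy.json list-of-lists semantics, evaluating the post's "context_is_admin" rule for constructed dom1_admin credentials against an alarm in the Default domain. The DOMAIN_SCOPED rule and the credential/target dicts are assumptions made for the example.

```python
import re

# Added illustration, not oslo.policy or ceilometer code: a minimal
# re-implementation of the legacy policy.json list-of-lists semantics.
# The outer list is OR-ed, each inner list is AND-ed. Supported atoms:
#   "role:NAME"           -> NAME is one of the caller's roles
#   "rule:OTHER"          -> evaluate another named rule
#   "KEY:%(TARGET_KEY)s"  -> caller's KEY equals the target's TARGET_KEY

def _check_atom(atom, target, creds, policy):
    kind, _, match = atom.partition(":")
    if kind == "role":
        return match in creds.get("roles", [])
    if kind == "rule":
        return enforce(match, target, creds, policy)
    # Generic check, e.g. "domain_id:%(domain_id)s": substitute from target.
    m = re.fullmatch(r"%\((\w+)\)s", match)
    expected = target.get(m.group(1)) if m else match
    return expected is not None and str(creds.get(kind)) == str(expected)

def enforce(rule_name, target, creds, policy):
    rule = policy.get(rule_name, policy.get("default"))
    if rule is None:      # no such rule and no "default" rule: deny
        return False
    if rule == []:        # empty rule: always allowed in the legacy format
        return True
    return any(all(_check_atom(a, target, creds, policy) for a in clause)
               for clause in rule)

def is_admin_for(policy, creds, target):
    return enforce("context_is_admin", target, creds, policy)

# Constructed credentials modelled on the post: dom1_admin holds "admin"
# on Domain1 only, while the alarm being deleted lives in the Default domain.
DOM1_ADMIN = {"roles": ["admin"], "domain_id": "domain1"}
DEFAULT_ALARM = {"domain_id": "default"}

# The rule the post describes: any holder of the admin role is admin everywhere.
ROLE_ONLY = {"context_is_admin": [["role:admin"]]}

# Hypothetical domain-scoped variant (an assumption for this example) showing
# what the check would need to express; the acl.py in the post only consulted the role.
DOMAIN_SCOPED = {"context_is_admin": [["role:admin", "domain_id:%(domain_id)s"]]}

if __name__ == "__main__":
    print("role-only rule grants dom1_admin:", is_admin_for(ROLE_ONLY, DOM1_ADMIN, DEFAULT_ALARM))
    print("domain-scoped rule grants dom1_admin:", is_admin_for(DOMAIN_SCOPED, DOM1_ADMIN, DEFAULT_ALARM))
```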