Ask Your Question

How to list all available permissions/roles available for users?

asked 2014-06-25 16:47:52 -0500

ADOUANI RIADH gravatar image

updated 2014-06-26 10:47:36 -0500

smaffulli gravatar image

Good evening. Can someone help me to understand the "Rules" in policy.json for each service? for example

"identity:create_policy": [["rule:admin_required"]],
"identity:update_policy": [["rule:admin_required"]],
"identity:delete_policy": [["rule:admin_required"]],

how can i execute this command in keystone? i mean create_policy or update_policy or delete_policy

In fact, my goal is to list all possible permissions for a user on a service like keystone, nova, glance. I ran this command but unfortunately it returns an empty list of rules.

curl -i -X GET -H "User-Agent: python-keystone" -H "X-Auth-Token:$MYTOKEN"

and the result is

HTTP/1.1 200 OK
Vary: X-Auth-Token
Content-Type: application/json
Content-Length: 109
Date: Thu, 26 Jun 2014 15:10:08 GMT

{"links": {"self": "", "previous": null, "next": null}, "policies": []}

so what i would to know is :

  • Is there a method that lists the permissions in the file policy.json for each service?
  • Why the above command returns an empty list of permissions?
edit retag flag offensive close merge delete


Since this site is not suitable as a forum, I have edited your question with the details you provided in the answer below. I think that now it's more clear; get familiar with

smaffulli gravatar imagesmaffulli ( 2014-06-26 10:48:52 -0500 )edit

ok thanks but you have merged two different situations thanks anyway

ADOUANI RIADH gravatar imageADOUANI RIADH ( 2014-06-26 10:59:37 -0500 )edit

If you think the question is not clear, then please edit it at your will and make it "one question" that people can answer with "one answer": this is the best way to use this site. Open ended questions are likely to be downvoted or closed

smaffulli gravatar imagesmaffulli ( 2014-06-26 11:07:22 -0500 )edit

1 answer

Sort by ยป oldest newest most voted

answered 2014-06-25 18:11:59 -0500

updated 2014-06-26 13:20:21 -0500

create_policy  maps to    POST /v3/policy  API
update_policy  maps to   PUT /v3/policy     API
delete_ policy  maps to   DELETE /v3/policy  API

You can execute this command by using curl. Current implementation of policy api doesn't have any relation with the policy file. What do you want to do?

Update 1

As I said before, original intent was to load custom policy file and manipulate them via Policy API. But the policy API is not used. So for all practical reason you can ignore the policy api. To list all the available roles, use kestone role-list , this should list all the available roles To list all the avaialble roles for the user use keystone user-role-list Glance/nova can any have only the roles listed by keystone role-list You can only have roles granted. What that role is supposed to do, is upto the service. e.g nova can consdier "admin" role as administrator and glnace may not even consdier that role. No there is no method to list, the permission granted for each role in an service. Policy files for a service is controlled and managed by each service. Keyone doesn't manage them

edit flag offensive delete link more


Thank you. As I said before; I did not need to have user roles. I need to have the permissions granted to these roles. so is there a method that lists the permissions in the file policy.json for each service? best regards

ADOUANI RIADH gravatar imageADOUANI RIADH ( 2014-06-26 12:26:02 -0500 )edit

Thanks. That is what i want to know. Best regards.

ADOUANI RIADH gravatar imageADOUANI RIADH ( 2014-06-27 17:52:37 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools


Asked: 2014-06-25 16:47:52 -0500

Seen: 1,438 times

Last updated: Jun 26 '14