Ask Your Question
3

If policy.json is accidently deleted , is there anyway for admin to login to openstack?

asked 2013-08-26 04:49:29 -0500

Sudheesh gravatar image

updated 2016-02-15 11:18:48 -0500

fifieldt gravatar image

If policy.json is accidently deleted , is there anyway for admin to login to openstack?

I am asking this question based on an incidental experience. policy.json is just an protected file and anybody has access to the directory and able to remove file can actually take the entire openstack cloud down. I was doing some work and the ADMIN_REQUIRED policy was accidently removed and I could not access any of the services after that.

Is there any plan to move RBAC policies to DB sooner?

edit retag flag offensive close merge delete

Comments

You mean to say from all the service locations? like from /etc/nova/ /etc/neutron etc?

soumitrakarmakar gravatar imagesoumitrakarmakar ( 2016-02-16 07:23:35 -0500 )edit
add a comment

1 answer

Sort by ยป oldest newest most voted
0

answered 2016-06-28 14:12:22 -0500

ayoung gravatar image

Technically yes, but I htink, theway youare asking it, realistically no.

If there is no policy.json file, I think Keystone denies all.

you can do ADMIN_TOKEN, but in a sane deployment, that should be disabled. You wouldneed the same degree of acces to the machine to enable ADMIN_TOKEN as to replace the policy file.

you could just as easily add a new policy.json file. The policy.json file is protected by operatin system file permissions; make it world readable, but writable only by root is it best approach.

If it could be modified once, it can be modified again.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

3 followers

subscribe to rss feed

Stats

Asked: 2013-08-26 04:49:29 -0500

Seen: 281 times

Last updated: Jun 28 '16

Related questions

Custom Role

how to create and define roles in keystone policy.json?

Keystone Kerberos configuration

Does mitaka support keystone v3

This is not a recognized Fernet token

Bad response code while validating token: 400

IPA Users unable to login [closed]

SSL configuration on mitaka

devstack keystone authentication

HA MySQL Galera -- Keystone failed to connect [closed]