Ask Your Question

If policy.json is accidently deleted , is there anyway for admin to login to openstack?

asked 2013-08-26 04:49:29 -0500

Sudheesh gravatar image

updated 2016-02-15 11:18:48 -0500

fifieldt gravatar image

If policy.json is accidently deleted , is there anyway for admin to login to openstack?

I am asking this question based on an incidental experience. policy.json is just an protected file and anybody has access to the directory and able to remove file can actually take the entire openstack cloud down. I was doing some work and the ADMIN_REQUIRED policy was accidently removed and I could not access any of the services after that.

Is there any plan to move RBAC policies to DB sooner?

edit retag flag offensive close merge delete


You mean to say from all the service locations? like from /etc/nova/ /etc/neutron etc?

soumitrakarmakar gravatar imagesoumitrakarmakar ( 2016-02-16 07:23:35 -0500 )edit

1 answer

Sort by ยป oldest newest most voted

answered 2016-06-28 14:12:22 -0500

Technically yes, but I htink, theway youare asking it, realistically no.

If there is no policy.json file, I think Keystone denies all.

you can do ADMIN_TOKEN, but in a sane deployment, that should be disabled. You wouldneed the same degree of acces to the machine to enable ADMIN_TOKEN as to replace the policy file.

you could just as easily add a new policy.json file. The policy.json file is protected by operatin system file permissions; make it world readable, but writable only by root is it best approach.

If it could be modified once, it can be modified again.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools



Asked: 2013-08-26 04:49:29 -0500

Seen: 300 times

Last updated: Jun 28 '16