
OpenStack Policy Enforcement for Custom Role Project_Admin

asked 2015-06-18 03:16:58 -0500

mc_vgupta

updated 2015-06-19 02:52:41 -0500

Hi Community-Users,

I have been running devstack (latest trunk, Icehouse, Kilo ...) versions of OpenStack; the instances have been working fine for all versions.
However, I would like to ask some specific questions regarding the OpenStack custom role policy process.

My Goal:

Grant a user admin rights for a project so that the user can, in a delegated manner:

  1. Grant other users admin rights for the tenant, i.e. share admin of a tenant with other select users.
     • Also limit the admin rights for those admin users to this project only, i.e. they shouldn't be able to modify anything in other projects.
  2. Define policy rules for the custom role (project_admin) to perform task 1 above.

What I have tried:

  1. Created a custom role (project_admin) successfully and assigned that role to a user under a single project.
  2. Now, to define the responsibilities of that role, I modified the Keystone policy.json file as below:

    "Tenant_Admin": "role:project_admin",
    "identity:get_user": "rule:admin_required or rule:Tenant_Admin and project_id:%(",
    "identity:list_users": "rule:admin_required or rule:Tenant_Admin and project_id:%(",
    "identity:create_user": "rule:admin_required or rule:Tenant_Admin and project_id:%(",
    "identity:update_user": "rule:admin_required or rule:Tenant_Admin and project_id:%(",
    "identity:delete_user": "rule:admin_required or rule:Tenant_Admin and project_id:%("

    When I modified policy.json I was expecting this change to allow the project_admin role user to list, create and update the users under this project/tenant, so effectively a user management role.

  3. The API request I made is like this: http://<openstack-server-ip>/identity/<project-id>/detail/, so my expectation is that it should let the user grant access to give rights to the project_admin user.

But when I log in with that user I don't see any changes, and hitting the above API I get a permission issue saying "not authorized".

What am I expecting:

  1. I need to know exactly "what" change I need to make in the Keystone policy.json file so the policy engine can pick it up and update the role after this change.
  2. That change should also allow my project_admin role user to access and generate the user list and perform all user-related operations under a single "Project".

I sincerely appreciate the quick help here.


2 answers


answered 2017-11-07 08:41:31 -0500

Hi Folks

I was wondering how you got on with setting up your role.


answered 2015-06-19 12:33:49 -0500

"rule:admin_required or rule:Tenant_Admin and project_id:%(" might be ambiguous. I'd certainly group using parentheses to make sure it does what you want.

I wrote a simple CLI tool you can use to test a policy file. Might help.

Hi ayoung, thanks for replying. Yes, I can put them in; I have added the below rule: "rule:admin_required or (rule:Tenant_Admin and project_id:%(". I still see no change from the Horizon dashboard for this user; I am not able to create new users from this user id.

mc_vgupta (2015-06-22 05:39:15 -0500)

If everything works from the command line, but not the web UI, I think you need to update the policy files cached in Horizon.

ayoung (2015-06-23 22:26:02 -0500)
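An added example, not code from this thread or from oslo.policy: a minimal evaluator for the policy rule language that groups expressions the way oslo.policy does ("and" binds tighter than "or", parentheses override), used to compare the rule as posted with the parenthesized form ayoung suggests and with the other possible grouping. The policy fragment, credentials and targets are constructed, and since the question's check is cut off at "%(", the example assumes it was meant to read project_id:%(project_id)s.

```python
import re

# Token = "(" | ")" | "and" | "or" | an atom such as role:admin or project_id:%(project_id)s
_TOKEN = re.compile(r"\(|\)|\band\b|\bor\b|(?:%\([^)]*\)|[^\s()])+")

def evaluate(expr, rules, creds, target):
    # Precedence as in oslo.policy: 'and' binds tighter than 'or'; parentheses override.
    toks, pos = _TOKEN.findall(expr), 0
    def binary(op, below, combine):
        nonlocal pos
        val = below()
        while pos < len(toks) and toks[pos] == op:
            pos += 1
            val = combine(val, below())  # both operands evaluated; fine for booleans
        return val
    def parse_or():
        return binary("or", parse_and, lambda a, b: a or b)
    def parse_and():
        return binary("and", parse_atom, lambda a, b: a and b)
    def parse_atom():
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if tok == "(":
            val = parse_or()
            pos += 1  # consume the closing ')'
            return val
        kind, _, value = tok.partition(":")
        if kind == "rule":  # named rule from the policy file, evaluated recursively
            return evaluate(rules[value], rules, creds, target)
        if kind == "role":  # a role held by the caller
            return value in creds.get("roles", ())
        if value.startswith("%(") and value.endswith(")s"):  # caller attr == target attr
            key = value[2:-2]
            return key in target and creds.get(kind) == target[key]
        return str(creds.get(kind)) == value  # literal comparison, e.g. is_admin:1
    return parse_or()

# Constructed policy fragment. The question's check is cut off at "%("; the
# "%(project_id)s" used below is an assumption about what it was meant to say.
RULES = {
    "admin_required": "role:admin",
    "Tenant_Admin": "role:project_admin",
    "as_posted": "rule:admin_required or rule:Tenant_Admin and project_id:%(project_id)s",
    "grouped": "rule:admin_required or (rule:Tenant_Admin and project_id:%(project_id)s)",
    "grouped_left": "(rule:admin_required or rule:Tenant_Admin) and project_id:%(project_id)s",
}

def allowed(rule_name, creds, target):
    return evaluate(RULES[rule_name], RULES, creds, target)
```

With this grouping "as_posted" and "grouped" give the same answer for every caller, while "grouped_left" would also deny a cloud admin acting outside the target project, which is why making the intended grouping explicit is worth it.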

Last updated: Nov 07 '17