Keystone Domains: Policy.json not enforced properly!?

asked 2015-08-16 14:49:30 -0500

mathias

updated 2015-08-20 07:59:19 -0500

Hi, I set up my Keystone installation for multiple domains and per-domain backends. Here are the main configuration settings in keystone.conf:

[assignment]
driver = keystone.assignment.backends.sql.Assignment
[identity]
domain_specific_drivers_enabled = true
driver = keystone.identity.backends.sql.Identity

You can see that I set the assignment and identity backend to use SQL. LDAP is configured in the per domain configuration file.

I created a domain named "admin_domain" and assigned the domain user "cloud_admin" the "admin" role:

$ openstack --os-identity-api-version 3 --os-auth-url http://localhost:5000/v3 --os-user-domain-name admin_domain --os-username cloud_admin --os-password hs4jk2t --os-domain-name admin_domain domain list
+----------------------------------+--------------+---------+----------------------------------------------------------------------+
| ID                               | Name         | Enabled | Description                                                          |
+----------------------------------+--------------+---------+----------------------------------------------------------------------+
| 145261834e88426781a2fbad79526feb | evoila       | True    |                                                                      |
| 39241abe60fb438981bd3bc1361d910e | admin_domain | True    |                                                                      |
| default                          | Default      | True    | Owns users and tenants (i.e. projects) available on Identity API v2. |
+----------------------------------+--------------+---------+----------------------------------------------------------------------+
$ openstack --os-identity-api-version 3 --os-auth-url http://localhost:5000/v3 --os-user-domain-name admin_domain --os-username cloud_admin --os-password hs4jk2t --os-domain-name admin_domain user list
+----------------------------------+-------------+
| ID                               | Name        |
+----------------------------------+-------------+
| fc3f66f5d46c42df85e67409de1033bb | cloud_admin |
+----------------------------------+-------------+
$ openstack --os-identity-api-version 3 --os-auth-url http://localhost:5000/v3 --os-user-domain-name admin_domain --os-username cloud_admin --os-password hs4jk2t --os-domain-name admin_domain role list
+----------------------------------+----------+
| ID                               | Name     |
+----------------------------------+----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| edbf35c254894cfc88e85e39746b2107 | admin    |
+----------------------------------+----------+
$ openstack --os-identity-api-version 3 --os-auth-url http://localhost:5000/v3 --os-user-domain-name admin_domain --os-username cloud_admin --os-password hs4jk2t --os-domain-name admin_domain role assignment list --domain evoila
+----------------------------------+------------------------------------------------------------------+-------+---------+----------------------------------+
| Role                             | User                                                             | Group | Project | Domain                           |
+----------------------------------+------------------------------------------------------------------+-------+---------+----------------------------------+
| edbf35c254894cfc88e85e39746b2107 | 5bb65f1aa067b2517fd84c4b333b9d5b978a1f87ec940b5e35ed09724f603820 |       |         | 145261834e88426781a2fbad79526feb |
+----------------------------------+------------------------------------------------------------------+-------+---------+----------------------------------+

Within the "evoila" domain, I access the LDAP directory for users and groups. I assigned the "admin" role on that domain to the user "mewald":

$ openstack --os-identity-api-version 3 --os-auth-url http://localhost:5000/v3 --os-user-domain-name admin_domain --os-username cloud_admin --os-password hs4jk2t --os-domain-name admin_domain user list --domain evoila
+------------------------------------------------------------------+--------+
| ID                                                               | Name   |
+------------------------------------------------------------------+--------+
| 5bb65f1aa067b2517fd84c4b333b9d5b978a1f87ec940b5e35ed09724f603820 | mewald |
+------------------------------------------------------------------+--------+
$ openstack --os-identity-api-version 3 --os-auth-url http://localhost:5000/v3 --os-user-domain-name admin_domain --os-username cloud_admin --os-password hs4jk2t --os-domain-name admin_domain role assignment list --domain evoila
+----------------------------------+------------------------------------------------------------------+-------+---------+----------------------------------+
| Role                             | User                                                             | Group | Project | Domain                           |
+----------------------------------+------------------------------------------------------------------+-------+---------+----------------------------------+
| edbf35c254894cfc88e85e39746b2107 | 5bb65f1aa067b2517fd84c4b333b9d5b978a1f87ec940b5e35ed09724f603820 |       |         | 145261834e88426781a2fbad79526feb |
+----------------------------------+------------------------------------------------------------------+-------+---------+----------------------------------+

The policy.json file states:

{
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:39241abe60fb438981bd3bc1361d910e",
...
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
...
    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
}

Finally, here is the problem: I think the policy.json states that in order to list the users of a domain, the request must be authenticated as either 1. someone who has the "admin" role in the "admin_domain" domain, or 2. someone who has the "admin" role in the domain whose users they are trying to list.

The problem is, it's not working:

$ openstack --os-identity-api-version 3 --os-auth-url http://localhost:5000/v3 --os-user-domain-name evoila --os-username mewald --os-domain-name evoila user list
Password: 
ERROR: openstack You are not authorized to perform the requested action: identity:list_users (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-5ef45f1f-1cfc-4ab3-9ffb-207932a68081)

Any ideas why this is not working?


EDIT: After the comment below I tried specifying the domain:

$ openstack --os-identity-api-version 3 --os-auth-url http://localhost:5000/v3 --os-user-domain-name evoila --os-username mewald --os-domain-name evoila user list --domain evoila
Password: 
ERROR: openstack You are not authorized to perform the requested action: identity:list_users (Disable debug mode to suppress these details.) (HTTP 403) (Request-ID: req-fb5c7317-8b37-46a0-b2ba-ed0ce6d9d93e)

1 answer

0

answered 2015-08-17 00:29:43 -0500

The first thing to remember when using per-domain backends is that there is no API called list_users on its own; it is always list_users per domain. Pass the domain_id of the domain whose users you want to list.


Comments

Thanks for the note. I edited the original post to show the output of that. I am still getting the same error message.

mathias ( 2015-08-17 03:55:03 -0500 )

With the command above I get:

$ openstack --os-identity-api-version 3 --os-auth-url http://localhost:5000/v3 --os-user-domain-name evoila --os-username mewald --os-domain-name evoila token issue
ERROR: openstack 'NoneType' object has no attribute 'service_catalog'

No idea what that means.

mathias ( 2015-08-17 13:39:54 -0500 )

Were you able to make it work? I have this problem: ERROR: openstack You are not authorized to perform the requested action: identity:list_users

bickyii ( 2015-10-02 15:01:14 -0500 )

I have a comparable setup and am getting the same error. It seems like the matching of the domain_id fails. When I change the cloud_admin rule to this, it works:

"cloud_admin" : "rule:admin_required",

But of course that is not a solution, as this would give all admins cloud_admin rights.

arnoudj ( 2015-10-05 06:17:35 -0500 )

@arnoudj, that is just like revoking the purpose of cloud_admin. So cloud_admin and domain_admin never worked for you?

bickyii ( 2015-10-05 11:56:26 -0500 )
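To make the policy rules quoted in the question and the weakened rule from arnoudj's comment concrete, here is an added example (my own code, not Keystone's or oslo.policy's): a small evaluator for exactly the rule syntax that appears on this page (role:, domain_id:, rule: references, %(domain_id)s target substitution, and/or). It is run against constructed credential dictionaries modelled on the tokens in the question. The domain IDs are the ones from the question's output; the credential dicts, the `list_users_allowed` helper and the treatment of a missing target key as a failed check (which mirrors how oslo.policy's generic checks behave) are my assumptions. It shows why a request without a target domain cannot satisfy the domain-matching rule, that a domain admin still cannot list another domain's users, and that the weakened "cloud_admin" rule hands cloud_admin rights to every holder of the admin role.

```python
"""Minimal evaluator for the policy.json rule syntax quoted on this page.

Added illustration only; not Keystone's or oslo.policy's implementation.
Supported: "role:<name>", "<key>:<literal>", "<key>:%(<target_key>)s",
"rule:<name>", and flat "and" / "or" combinations (or binds weakest).
"""

# Rule set copied from the question's policy.json excerpt.
POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:39241abe60fb438981bd3bc1361d910e",
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
}

# The weakened rule from arnoudj's comment: every admin becomes cloud_admin.
WEAKENED_POLICY = dict(POLICY, cloud_admin="rule:admin_required")

ADMIN_DOMAIN_ID = "39241abe60fb438981bd3bc1361d910e"   # admin_domain (from the page)
EVOILA_DOMAIN_ID = "145261834e88426781a2fbad79526feb"  # evoila (from the page)

# Constructed credentials, modelled on the domain-scoped tokens in the question.
CLOUD_ADMIN_CREDS = {"roles": ["admin"], "domain_id": ADMIN_DOMAIN_ID}   # cloud_admin
MEWALD_CREDS = {"roles": ["admin"], "domain_id": EVOILA_DOMAIN_ID}        # mewald
PLAIN_MEMBER_CREDS = {"roles": ["_member_"], "domain_id": EVOILA_DOMAIN_ID}


def _check_atom(atom, creds, target, policy):
    """Evaluate one "kind:value" check against credentials and target."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return evaluate(value, creds, target, policy)
    if kind == "role":
        return value in creds.get("roles", [])
    # Generic "<key>:<value>" check. A %(...)s reference is filled from the
    # request target; a target without that key cannot match (assumption
    # that mirrors oslo.policy's generic check behaviour).
    if value.startswith("%(") and value.endswith(")s"):
        key = value[2:-2]
        if key not in target:
            return False
        value = target[key]
    return str(creds.get(kind)) == str(value)


def evaluate(rule_name, creds, target, policy=POLICY):
    """Return True if creds satisfy policy[rule_name] for the given target."""
    for disjunct in policy[rule_name].split(" or "):
        if all(_check_atom(a.strip(), creds, target, policy)
               for a in disjunct.split(" and ")):
            return True
    return False


def list_users_allowed(creds, target_domain_id=None, policy=POLICY):
    """Model identity:list_users; target_domain_id=None is a request with no --domain."""
    target = {} if target_domain_id is None else {"domain_id": target_domain_id}
    return evaluate("identity:list_users", creds, target, policy)


if __name__ == "__main__":
    print("cloud_admin, no domain:", list_users_allowed(CLOUD_ADMIN_CREDS))
    print("mewald, no domain:     ", list_users_allowed(MEWALD_CREDS))
    print("mewald, evoila:        ", list_users_allowed(MEWALD_CREDS, EVOILA_DOMAIN_ID))
    print("mewald, admin_domain:  ", list_users_allowed(MEWALD_CREDS, ADMIN_DOMAIN_ID))
    print("mewald, admin_domain, weakened policy:",
          list_users_allowed(MEWALD_CREDS, ADMIN_DOMAIN_ID, WEAKENED_POLICY))
```

The last two lines of output are the security-relevant contrast: under the page's original rules a domain admin is confined to its own domain, while the weakened "cloud_admin" rule lets the same token list users in admin_domain, which is the loss of isolation arnoudj warns about. If a deployment still returns 403 with the target domain passed, the thing to check is what domain_id the policy engine actually sees in the credentials and target for that request, not to loosen the rule.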
