
Is it acceptable to adjust policy.json to allow non-root Savanna access to cinder?

Within the 'demo' project/tenant (as the demo user created by RDO packstack) I was trying to configure a Savanna Node Group Template that made use of a Cinder Volume for the storage location:

image description

However, after clicking Create an error popup appeared and the template entry wasn't created. Digging into the /var/log/savanna/api.log I found the specifics of the error:

2014-02-25 09:40:15.335 7370 ERROR savanna.utils.api [-] Request aborted with status code 500 and message 'Error occurred during validation'
2014-02-25 09:40:15.337 7370 ERROR savanna.utils.api [-] Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/savanna/service/validation.py", line 37, in handler
    validator(**kwargs)
  File "/usr/lib/python2.6/site-packages/savanna/service/validations/node_group_templates.py", line 89, in check_node_group_template_create
    data['hadoop_version'], data)
  File "/usr/lib/python2.6/site-packages/savanna/service/validations/base.py", line 121, in check_node_group_basic_fields
    check_cinder_exists()
  File "/usr/lib/python2.6/site-packages/savanna/service/validations/base.py", line 266, in check_cinder_exists
    keystone.client().services.list()]
  File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 70, in func
    return f(*args, **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 340, in list
    self.collection_key)
  File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 110, in _list
    resp, body = self.client.get(url)
  File "/usr/lib/python2.6/site-packages/keystoneclient/httpclient.py", line 655, in get
    return self._cs_request(url, 'GET', **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/httpclient.py", line 651, in _cs_request
    **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/httpclient.py", line 610, in request
    **request_kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/httpclient.py", line 124, in request
    raise exceptions.from_response(resp, method, url)
Forbidden: You are not authorized to perform the requested action, identity:list_services. (HTTP 403)

Is the following solution appropriate?

  • Create a new savanna_user role
  • Add the new role to the user 'demo'
  • Adjust the /etc/keystone/policy.json to allow that new role to perform the identity:list_services action

In detail:

[root@host keystone(keystone_admin)]# keystone role-create --name savanna_user
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | f3fa42dacd5943cebaedd0c3207f37ed |
|   name   |           savanna_user           |
+----------+----------------------------------+

[root@host keystone(keystone_admin)]# keystone user-role-add --user demo --role savanna_user --tenant demo

Modified /etc/keystone/policy.json , according to diff:

--- policy.json.ORIG     2014-02-25 09:36:41.207569035 -0600
+++ /etc/keystone/policy.json     2014-02-24 17:17:00.097633512 -0600
@@ -1,14 +1,16 @@
 {
     "admin_required": "role:admin or is_admin:1",
     "service_role": "role:service",
+    "savanna_role": "role:savanna_user",
     "service_or_admin": "rule:admin_required or rule:service_role",
     "owner" : "user_id:%(user_id)s",
     "admin_or_owner": "rule:admin_required or rule:owner",
+    "admin_or_savanna": "rule:admin_required or rule:savanna_role",

     "default": "rule:admin_required",

     "identity:get_service": "rule:admin_required",
-    "identity:list_services": "rule:admin_required",
+    "identity:list_services": "rule:admin_or_savanna",
     "identity:create_service": "rule:admin_required",
     "identity:update_service": "rule:admin_required",
     "identity:delete_service": "rule:admin_required",
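Review bot: The new `admin_or_savanna` rule is attached only to `identity:list_services`, so the extra privilege given to the `savanna_user` role is read access to the service list and nothing more; that is the least-privilege shape to keep, and the rule should not be reused for `identity:get_service` or any create/update/delete action without a separate justification. Because the role is granted with `--tenant demo`, the relaxed rule only applies to tokens scoped to that tenant, and any other user or tenant that hits the same Savanna validation path needs the same role grant rather than a wider rule. One thing to check: the `+++` header shows the edited file's mtime as 2014-02-24 17:17, earlier than both the ORIG copy and the 09:40 log excerpt, which may mean the 403 was captured before keystone re-read the modified policy; if it persists after the `service openstack-keystone restart` step, confirm the running keystone is reading /etc/keystone/policy.json. Packaged policy files are often replaced on upgrade, so keeping this diff as a patch to re-apply is prudent. The two later revisions of the question repeat this hunk unchanged.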

and then restart keystone:

[root@host keystone(keystone_admin)]# service openstack-keystone restart

Is it acceptable to adjust policy.json to allow non-root Savanna access to cinder?

Within the 'demo' project/tenant (as the demo user created by RDO packstack) I was trying to configure a Savanna Node Group Template that made use of a Cinder Volume for the storage location:

image description

However, after clicking Create an error popup appeared and the template entry wasn't created. Digging into the /var/log/savanna/api.log I found the specifics of the error:

2014-02-25 09:40:15.335 7370 ERROR savanna.utils.api [-] Request aborted with status code 500 and message 'Error occurred during validation'
2014-02-25 09:40:15.337 7370 ERROR savanna.utils.api [-] Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/savanna/service/validation.py", line 37, in handler
    validator(**kwargs)
  File "/usr/lib/python2.6/site-packages/savanna/service/validations/node_group_templates.py", line 89, in check_node_group_template_create
    data['hadoop_version'], data)
  File "/usr/lib/python2.6/site-packages/savanna/service/validations/base.py", line 121, in check_node_group_basic_fields
    check_cinder_exists()
  File "/usr/lib/python2.6/site-packages/savanna/service/validations/base.py", line 266, in check_cinder_exists
    keystone.client().services.list()]
  File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 70, in func
    return f(*args, **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 340, in list
    self.collection_key)
  File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 110, in _list
    resp, body = self.client.get(url)
  File "/usr/lib/python2.6/site-packages/keystoneclient/httpclient.py", line 655, in get
    return self._cs_request(url, 'GET', **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/httpclient.py", line 651, in _cs_request
    **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/httpclient.py", line 610, in request
    **request_kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/httpclient.py", line 124, in request
    raise exceptions.from_response(resp, method, url)
Forbidden: You are not authorized to perform the requested action, identity:list_services. (HTTP 403)

Is the following solution appropriate?

  • Create a new savanna_user role
  • Add the new role to the user 'demo'
  • Adjust the /etc/keystone/policy.json to allow that new role to perform the identity:list_services action

In detail:

[root@host keystone(keystone_admin)]# keystone role-create --name savanna_user
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | f3fa42dacd5943cebaedd0c3207f37ed |
|   name   |           savanna_user           |
+----------+----------------------------------+

[root@host keystone(keystone_admin)]# keystone user-role-add --user demo --role savanna_user --tenant demo

Modified /etc/keystone/policy.json , according to diff:

--- policy.json.ORIG     2014-02-25 09:36:41.207569035 -0600
+++ /etc/keystone/policy.json     2014-02-24 17:17:00.097633512 -0600
@@ -1,14 +1,16 @@
 {
     "admin_required": "role:admin or is_admin:1",
     "service_role": "role:service",
+    "savanna_role": "role:savanna_user",
     "service_or_admin": "rule:admin_required or rule:service_role",
     "owner" : "user_id:%(user_id)s",
     "admin_or_owner": "rule:admin_required or rule:owner",
+    "admin_or_savanna": "rule:admin_required or rule:savanna_role",

     "default": "rule:admin_required",

     "identity:get_service": "rule:admin_required",
-    "identity:list_services": "rule:admin_required",
+    "identity:list_services": "rule:admin_or_savanna",
     "identity:create_service": "rule:admin_required",
     "identity:update_service": "rule:admin_required",
     "identity:delete_service": "rule:admin_required",

and then restart keystone:

[root@host keystone(keystone_admin)]# service openstack-keystone restart

Is it acceptable to adjust policy.json to allow non-root Savanna access to cinder?

Within the 'demo' project/tenant (as the demo user created by RDO packstack) I was trying to configure a Savanna Node Group Template that made use of a Cinder Volume for the storage location:

image description

However, after clicking Create an error popup appeared and the template entry wasn't created. Digging into the /var/log/savanna/api.log I found the specifics of the error:

2014-02-25 09:40:15.335 7370 ERROR savanna.utils.api [-] Request aborted with status code 500 and message 'Error occurred during validation'
2014-02-25 09:40:15.337 7370 ERROR savanna.utils.api [-] Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/savanna/service/validation.py", line 37, in handler
    validator(**kwargs)
  File "/usr/lib/python2.6/site-packages/savanna/service/validations/node_group_templates.py", line 89, in check_node_group_template_create
    data['hadoop_version'], data)
  File "/usr/lib/python2.6/site-packages/savanna/service/validations/base.py", line 121, in check_node_group_basic_fields
    check_cinder_exists()
  File "/usr/lib/python2.6/site-packages/savanna/service/validations/base.py", line 266, in check_cinder_exists
    keystone.client().services.list()]
  File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 70, in func
    return f(*args, **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 340, in list
    self.collection_key)
  File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 110, in _list
    resp, body = self.client.get(url)
  File "/usr/lib/python2.6/site-packages/keystoneclient/httpclient.py", line 655, in get
    return self._cs_request(url, 'GET', **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/httpclient.py", line 651, in _cs_request
    **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/httpclient.py", line 610, in request
    **request_kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/httpclient.py", line 124, in request
    raise exceptions.from_response(resp, method, url)
Forbidden: You are not authorized to perform the requested action, identity:list_services. (HTTP 403)

Is the following solution appropriate?

  • Create a new savanna_user role
  • Add the new role to the user 'demo'
  • Adjust the /etc/keystone/policy.json to allow that new role to perform the identity:list_services action

In detail:

[root@host keystone(keystone_admin)]# keystone role-create --name savanna_user
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | f3fa42dacd5943cebaedd0c3207f37ed |
|   name   |           savanna_user           |
+----------+----------------------------------+

[root@host keystone(keystone_admin)]# keystone user-role-add --user demo --role savanna_user --tenant demo

Modified /etc/keystone/policy.json , according to diff:

--- policy.json.ORIG     2014-02-25 09:36:41.207569035 -0600
+++ /etc/keystone/policy.json     2014-02-24 17:17:00.097633512 -0600
@@ -1,14 +1,16 @@
 {
     "admin_required": "role:admin or is_admin:1",
     "service_role": "role:service",
+    "savanna_role": "role:savanna_user",
     "service_or_admin": "rule:admin_required or rule:service_role",
     "owner" : "user_id:%(user_id)s",
     "admin_or_owner": "rule:admin_required or rule:owner",
+    "admin_or_savanna": "rule:admin_required or rule:savanna_role",

     "default": "rule:admin_required",

     "identity:get_service": "rule:admin_required",
-    "identity:list_services": "rule:admin_required",
+    "identity:list_services": "rule:admin_or_savanna",
     "identity:create_service": "rule:admin_required",
     "identity:update_service": "rule:admin_required",
     "identity:delete_service": "rule:admin_required",

and then restart keystone:

[root@host keystone(keystone_admin)]# service openstack-keystone restart