{{tag>Brouillon OpenStack}}
= OpenStack Keystone - Role & Policy
See:
* https://docs.openstack.org/keystone/latest/admin/identity-concepts.html
* https://docs.openstack.org/oslo.policy/latest/admin/policy-json-file.html
* https://docs.openstack.org/keystone/pike/admin/identity-service-api-protection.html
* https://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/define-default-roles.html
Example config: https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json
''/etc/keystone/keystone.conf''
[oslo_policy]
policy_file = /etc/keystone/policy.yaml
/etc/cinder/cinder.conf:policy_file = /etc/cinder/policy.yaml
/etc/nova/nova.conf:policy_file = /etc/nova/policy.yaml
''/etc/openstack-dashboard/local_settings.py''
# Path to directory containing policy files
POLICY_FILES_PATH = '/etc'
POLICY_FILES = {
    'identity': 'keystone/policy.yaml',
    'compute': 'nova/policy.yaml',
    'volume': 'cinder/policy.yaml',
    'image': 'glance/policy.json',
    'orchestration': 'heat/policy.yaml',
    'network': 'neutron/policy.json',
    # 'clustering': 'senlin/policy.json',
}
python -c 'import sys, yaml, json; yaml.safe_dump(json.load(sys.stdin), sys.stdout, default_flow_style=False)' < /opt/stack/keystone/etc/policy.v3cloudsample.json > /etc/keystone/policy.yaml
Logs
journalctl -f -u devstack@keystone.service |grep -i warning
policy.json / policy.yaml file
oslopolicy-sample-generator --namespace keystone --format yaml --output-file /etc/keystone/policy.yaml
#oslopolicy-sample-generator --namespace neutron --format json |sed -e '/"\(remove\|update\|delete\|create\|add\)_/,/s/rule:.*/rule:admin_only\"/' > /etc/neutron/policy.json
#oslopolicy-sample-generator --namespace neutron --format yaml |sed -e '/^#"\(remove\|update\|delete\|create\|add\)_/,/"/s/rule:.*/rule:admin_only"/' |sed -e '/^#"\(remove\|update\|delete\|create\|add\)_/,/"/s/^#\(.*rule:.*\)/\1/' > /etc/neutron/policy2.yaml
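The neutron pipeline above uncomments every create/update/delete/add/remove rule in the generator output and pins it to admin_only. The same transformation in Python, as an added example (not from this page or from oslo.policy), run over a constructed excerpt of the sample generator's YAML output so the result can be checked offline:

```python
import re

# Constructed excerpt in the layout of `oslopolicy-sample-generator --namespace neutron
# --format yaml` output: a description comment, the API route, then the rule commented out.
SAMPLE_NEUTRON_POLICY = """\
# Create a network
# POST  /networks
#"create_network": "rule:regular_user"

# Get a network
# GET  /networks
#"get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc"

# Update a network
# PUT  /networks/{id}
#"update_network": "rule:admin_or_owner"

# Delete a network
# DELETE  /networks/{id}
#"delete_network": "rule:admin_or_owner"

# Add a port to a router
# PUT  /routers/{id}/add_router_interface
#"add_router_interface": "rule:admin_or_owner"
"""

# State-changing operations: the same prefixes the page's sed pipeline matches.
MUTATING_PREFIXES = ("create_", "update_", "delete_", "add_", "remove_")
# A commented-out rule line as emitted by the sample generator: #"name": "check string"
RULE_LINE = re.compile(r'^#"(?P<name>[^"]+)":\s*"(?P<check>.*)"\s*$')

def harden_neutron_policy(sample_text, restricted_rule="rule:admin_only"):
    """Return (policy_lines, overridden_names).

    Mutating rules are uncommented and pinned to `restricted_rule`; every other line is
    passed through unchanged, so read-only rules keep the upstream default.
    """
    out, overridden = [], []
    for line in sample_text.splitlines():
        m = RULE_LINE.match(line)
        if m and m.group("name").startswith(MUTATING_PREFIXES):
            out.append('"%s": "%s"' % (m.group("name"), restricted_rule))
            overridden.append(m.group("name"))
        else:
            out.append(line)
    return out, overridden

def active_rules(policy_lines):
    """Rule name -> check string for the lines that are no longer commented out."""
    return dict(re.match(r'^"([^"]+)":\s*"(.*)"$', l).groups()
                for l in policy_lines if l.startswith('"'))
```

Writing `"\n".join(lines)` to /etc/neutron/policy.yaml gives the same file the sed pipeline produces, minus the range-address quirks of the two sed expressions.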
Or
# cp -p /opt/stack/keystone/etc/policy.v3cloudsample.json /etc/keystone/policy.json
curl https://raw.githubusercontent.com/openstack/keystone/master/etc/policy.v3cloudsample.json > /etc/keystone/policy.json
Implied roles (except for admin)
''/etc/keystone/keystone.conf''
[assignment]
prohibited_implied_role = admin
[token]
infer_roles = true
See https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/14/html/users_and_identity_management_guide/role_management
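What the two settings above do, as an added example (not Keystone's code): ''infer_roles = true'' expands directly assigned roles through the implied-role table at token time, and ''prohibited_implied_role = admin'' refuses any implication whose target is admin. The role names and the implication table are constructed to mirror the default admin > member > reader chain.

```python
PROHIBITED_IMPLIED_ROLE = "admin"   # mirrors [assignment] prohibited_implied_role = admin

def can_imply(implied_role, prohibited=PROHIBITED_IMPLIED_ROLE):
    """Keystone refuses an implication whose target is the prohibited role, so no
    other role can silently grant admin."""
    return implied_role != prohibited

def add_implication(implied, prior_role, implied_role, prohibited=PROHIBITED_IMPLIED_ROLE):
    """Register `prior_role` implies `implied_role` (what `openstack implied role create`
    does). Returns True when accepted, False when the target is prohibited."""
    if not can_imply(implied_role, prohibited):
        return False
    implied.setdefault(prior_role, set()).add(implied_role)
    return True

def effective_roles(assigned, implied, infer_roles=True):
    """Roles that end up in a token for the directly assigned ones.

    With infer_roles the result is the transitive closure over the implication table
    (what `openstack role assignment list --effective` reports); without it, only the
    direct assignments appear.
    """
    if not infer_roles:
        return set(assigned)
    result, todo = set(), list(assigned)
    while todo:
        role = todo.pop()
        if role in result:
            continue
        result.add(role)
        todo.extend(implied.get(role, ()))
    return result

def build_default_chain():
    """The admin -> member -> reader chain that keystone-manage bootstrap creates."""
    implied = {}
    add_implication(implied, "admin", "member")
    add_implication(implied, "member", "reader")
    return implied
```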
=== Domain Admin
See:
* https://www.rdoproject.org/documentation/domains/
* [[https://dstanek.com/keystone-domain-admins/|Unleashing Keystone Domain Admins (Keystone multidomain policy)]]
* https://cloud.garr.it/doc/federation/administerDomain/
Creating a new domain and a domain admin group //(domain admin)//
openstack domain create acme
openstack group create --domain acme acme_admins
openstack user create --domain acme --password toor acmeadm
openstack group add user acme_admins acmeadm
openstack role add --group acme_admins --domain acme admin
See https://dstanek.com/keystone-domain-admins/
Adding a user to the new domain
openstack role add --user jean --user-domain acme --project jbprj member
#openstack role add admin --domain acme --user 8f20dc8ae49141c3bdc1f59927bf79eb --inherited
openstack role add --user jean --user-domain acme --project jbprj member --inherited
See https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/12/html-single/users_and_identity_management_guide/index
Fixing the policy file
journalctl -f -u devstack@keystone.service 2>/dev/null |grep -i warning |grep -i deprecated |grep -v 'service nova' |sed -e 's/^.*in favor of //' |sed -e 's/\. Reason:.*//' |grep '^\"' | tee plop
cat plop |sort -u |tr -d '"' | sed -e 's/$/& or role:cloudadmin/' >> /etc/keystone/policy.yaml
vim !$
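The grep/sed chain above pulls the new default check string out of each oslo.policy deprecation warning and appends "or role:cloudadmin", after which the result is hand-edited in vim. As an added example (not from this page), the same extraction in Python, emitting lines that are already valid policy.yaml entries (key and value double-quoted, so the colons and ''%(...)s'' targets survive YAML parsing). The log lines are constructed in the shape of the oslo.policy warning the pipeline expects; the check strings are not Keystone's real defaults.

```python
import re

# Constructed journal lines (prefix, PID, check strings and reasons are made up) in the
# format "Policy "old":"old_check" was deprecated in X in favor of "new":"new_check". Reason: ..."
SAMPLE_WARNINGS = """\
Apr 02 10:00:01 devstack keystone-wsgi[1234]: WARNING oslo.policy Policy "identity:list_users":"rule:admin_required" was deprecated in S in favor of "identity:list_users":"(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s)". Reason: The user API is now aware of system scope. Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually.
Apr 02 10:00:01 devstack keystone-wsgi[1234]: WARNING oslo.policy Policy "identity:get_user":"rule:admin_or_owner" was deprecated in S in favor of "identity:get_user":"(role:reader and system_scope:all) or user_id:%(target.user.id)s". Reason: The user API is now aware of system scope.
Apr 02 10:00:02 devstack keystone-wsgi[1234]: WARNING oslo.policy Policy "identity:list_users":"rule:admin_required" was deprecated in S in favor of "identity:list_users":"(role:reader and system_scope:all) or (role:reader and domain_id:%(target.user.domain_id)s)". Reason: The user API is now aware of system scope.
Apr 02 10:00:03 devstack keystone-wsgi[1234]: WARNING keystone.common Something unrelated was deprecated in favor of nothing useful.
"""

# Same anchors as the sed expressions: text after "in favor of " up to ". Reason:".
DEPRECATION = re.compile(r'in favor of "(?P<name>[^"]+)":"(?P<check>.*?)"\. Reason:')

def extract_new_defaults(log_text):
    """Rule name -> new default check string, one entry per rule (the `sort -u` step)."""
    found = {}
    for line in log_text.splitlines():
        m = DEPRECATION.search(line)
        if m and m.group("name") not in found:
            found[m.group("name")] = m.group("check")
    return found

def policy_overrides(new_defaults, extra_role="cloudadmin"):
    """policy.yaml lines that keep the new default and additionally allow `extra_role`.

    The new default is parenthesised so its own "or" branches cannot bind differently
    once the extra role is appended.
    """
    return ['"%s": "(%s) or role:%s"' % (name, check, extra_role)
            for name, check in sorted(new_defaults.items())]
```

Append `"\n".join(policy_overrides(extract_new_defaults(log)))` to /etc/keystone/policy.yaml and the entries are parseable as-is, without the manual vim pass.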
Other
cp -p /opt/stack/keystone/keystone/tests/unit/config_files/access_rules.json /etc/keystone/access_rules.json
openstack implied role list
openstack role assignment list --user jean --name --effective
openstack role assignment list --user dom1_user --name --effective --user-domain dom1
Test
openstack domain create dom1
openstack user create dom1_admin --password toor --domain dom1
openstack role add admin --user dom1_admin --domain dom1 --inherited --user-domain dom1
## Do not do this, otherwise the user gets rights on the other domains too!
#openstack role add admin --user dom1_admin --domain dom1 --user-domain dom1
# To let the user log in to the web UI (Horizon), they must be able to access at least one project.
openstack project create dom1_prj1 --domain dom1
openstack role add admin --project-domain dom1 --project dom1_prj1 --user dom1_admin --user-domain dom1
# Create the domain user
openstack user create dom1_user --password toor --domain dom1
openstack role add member --user dom1_user --domain dom1 --inherited --user-domain dom1
# Create a project for user dom1_user
openstack project create dom1_user_prj1 --domain dom1
openstack role add admin --project-domain dom1 --project dom1_user_prj1 --user dom1_user --user-domain dom1
# Create the admin of project projet1
openstack project create prj1 --domain dom1
openstack user create dom1_projet1_admin --password toor --domain dom1 --project prj1 --project-domain dom1
#
# ADMIN RIGHTS PROBLEM
#openstack role add admin --user dom1_projet1_admin --domain dom1 --user-domain dom1
# Create the user of project projet1
openstack user create dom1_projet1_user --password toor --domain dom1 --project prj1 --project-domain dom1
openstack role add member --user dom1_projet1_user --user-domain dom1 --project prj1 --project-domain dom1
## What is --inherited for on a project?
#openstack role add member --user dom1_projet1_user --user-domain dom1 --project prj1 --project-domain dom1 --inherited
Reset
openstack domain set --disable dom1
openstack domain delete dom1