OpenStack Keystone - Role & Policy
See:
Example config: https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json
/etc/keystone/keystone.conf
[oslo_policy] policy_file = /etc/keystone/policy.yaml
/etc/cinder/cinder.conf:policy_file = /etc/cinder/policy.yaml
/etc/nova/nova.conf:policy_file = /etc/nova/policy.yaml
/etc/openstack-dashboard/local_settings.py
# Path to directory containing policy files
POLICY_FILES_PATH = '/etc'
POLICY_FILES = {
    'identity': 'keystone/policy.yaml',
    'compute': 'nova/policy.yaml',
    'volume': 'cinder/policy.yaml',
    'image': 'glance/policy.json',
    'orchestration': 'heat/policy.yaml',
    'network': 'neutron/policy.json',
    # 'clustering': 'senlin/policy.json',
}
python -c 'import sys, yaml, json; yaml.safe_dump(json.load(sys.stdin), sys.stdout, default_flow_style=False)' < /opt/stack/keystone/etc/policy.v3cloudsample.json > /etc/keystone/policy.yaml
Logs
journalctl -f -u devstack@keystone.service |grep -i warning
policy.json / policy.yaml file
oslopolicy-sample-generator --namespace keystone --format yaml --output-file /etc/keystone/policy.yaml
# Neutron variant: force every create/update/delete/remove/add rule to admin_only and uncomment it
#oslopolicy-sample-generator --namespace neutron --format yaml |sed -e '/^#"\(remove\|update\|delete\|create\|add\)_/,/"/s/rule:.*/rule:admin_only"/' |sed -e '/^#"\(remove\|update\|delete\|create\|add\)_/,/"/s/^#\(.*rule:.*\)/\1/' > /etc/neutron/policy2.yaml
# Same idea for the JSON format (single-address sed, no range)
#oslopolicy-sample-generator --namespace neutron --format json |sed -e '/"\(remove\|update\|delete\|create\|add\)_/s/rule:.*/rule:admin_only\"/' > /etc/neutron/policy.json
Or
# cp -p /opt/stack/keystone/etc/policy.v3cloudsample.json /etc/keystone/policy.json
curl https://raw.githubusercontent.com/openstack/keystone/master/etc/policy.v3cloudsample.json > /etc/keystone/policy.json
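The sed range form above (`/^#"…_/,/"/`) keeps substituting on the lines after the matching rule until the next line that contains a double quote, so it can also uncomment and harden the non-mutating rule that follows. This added example (mine, not from the page or from oslo.policy) matches each generated rule line on its own for the same prefixes; SAMPLE_POLICY is a constructed excerpt in the generator's yaml format.

```python
import re

# Rule line as emitted by `oslopolicy-sample-generator --format yaml` (commented
# out, i.e. still the default): #"create_network": "rule:admin_or_owner"
MUTATING_RULE = re.compile(
    r'^#?"(?P<name>(?:remove|update|delete|create|add)_[^"]*)":\s*"(?P<check>[^"]*)"\s*$'
)

# Constructed excerpt in the generator's format (a real file is much longer).
SAMPLE_POLICY = """# Create a network
# POST  /networks
#"create_network": "rule:admin_or_owner"

# Get a network
# GET  /networks/{id}
#"get_network": "rule:admin_or_owner"

# Delete a network
#"delete_network": "rule:admin_only"
"""


def harden_sample_policy(text, check="rule:admin_only"):
    """Uncomment every mutating rule line and set it to `check`; doc comments and
    non-mutating rules are left untouched (still commented, so still defaults).
    `check` must reference a rule alias defined in the file (the page relies on
    neutron's admin_only)."""
    out = []
    for line in text.splitlines():
        m = MUTATING_RULE.match(line)
        out.append(f'"{m.group("name")}": "{check}"' if m else line)
    return "\n".join(out) + "\n"


def count_rules(text):
    """Return (active, commented-out) rule counts to check what got hardened."""
    lines = text.splitlines()
    active = sum(1 for l in lines if l.startswith('"'))
    commented = sum(1 for l in lines if l.startswith('#"'))
    return active, commented


if __name__ == "__main__":
    print(harden_sample_policy(SAMPLE_POLICY), end="")
```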
Implied roles (except for admin)
/etc/keystone/keystone.conf
[assignment]
prohibited_implied_role = admin
[token]
infer_roles = true
Domain Admin
See:
Creating a new domain and a domain admin group (domain admin)
openstack domain create acme
openstack group create --domain acme acme_admins
openstack user create --domain acme --password toor acmeadm
openstack group add user acme_admins acmeadm
openstack role add --group acme_admins --domain acme admin
See https://dstanek.com/keystone-domain-admins/
Adding a user to the new domain
openstack role add --user jean --user-domain acme --project jbprj member
#openstack role add admin --domain acme --user 8f20dc8ae49141c3bdc1f59927bf79eb --inherited
openstack role add --user jean --user-domain acme --project jbprj member --inherited
Fixing the file
# Collect the deprecation warnings (stop with Ctrl-C), keep the new default for each rule
journalctl -f -u devstack@keystone.service 2>/dev/null |grep -i warning |grep -i deprecated |grep -v 'service nova' |sed -e 's/^.*in favor of //' |sed -e 's/\. Reason:.*//' |grep '^\"' | tee plop
# Append them to the policy file, each extended with "or role:cloudadmin"
cat plop |sort -u |tr -d '"' | sed -e 's/$/& or role:cloudadmin/' >> /etc/keystone/policy.yaml
vim !$
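The pipeline above strips every double quote with `tr -d '"'`, which leaves a check string that is no longer a quoted YAML value. This added example (mine, not from the page or from Keystone) does the same collection over constructed journal lines and emits a proper policy.yaml mapping; it assumes oslo.policy's wording `... was deprecated in X in favor of "<name>":"<check>". Reason: ...`, which is what the page's sed anchors on, and the role name cloudadmin comes from the page.

```python
import json
import re

# Constructed journal lines (assumption: oslo.policy deprecation wording as above).
_PREFIX = 'Oct 01 10:00:01 devstack devstack@keystone.service[1234]: WARNING oslo_policy.policy '
_WARN = (_PREFIX + 'Policy "identity:get_user":"rule:admin_required" was deprecated in S in favor of '
         '"identity:get_user":"(role:reader and system_scope:all) or user_id:%(target.user.id)s". '
         'Reason: The user API is now aware of system scope and default roles.')
SAMPLE_JOURNAL = [
    _WARN,
    _PREFIX.replace("WARNING oslo_policy.policy", "INFO keystone.common.wsgi") + "GET /identity/v3/users",
    _WARN,  # the same warning is logged on every request: it must collapse to one entry
]

# Same anchors as the page's sed: the text after "in favor of " up to ". Reason:".
DEPRECATION_RE = re.compile(r'in favor of "(?P<name>[^"]+)":"(?P<check>[^"]*)"\. Reason:')


def extract_new_defaults(log_lines, ignore=("service nova",)):
    """Return {policy_name: new_default_check} from deprecation warnings.
    Lines containing any `ignore` substring are skipped (the page's grep -v 'service nova')."""
    found = {}
    for line in log_lines:
        if "deprecated" not in line.lower() or any(s in line for s in ignore):
            continue
        m = DEPRECATION_RE.search(line)
        if m:
            found[m.group("name")] = m.group("check")
    return found


def build_overrides(new_defaults, extra_role="cloudadmin"):
    """Extend each new default with 'or role:<extra_role>'; the parentheses make
    the grouping explicit whatever the operator precedence of the check language."""
    return {name: f"({check}) or role:{extra_role}" for name, check in sorted(new_defaults.items())}


def to_policy_yaml(overrides):
    """Render a YAML mapping for policy.yaml. json.dumps produces valid double-quoted
    YAML scalars, so the check string keeps its quoting (unlike tr -d '"')."""
    return "".join(f"{json.dumps(k)}: {json.dumps(v)}\n" for k, v in overrides.items())


if __name__ == "__main__":
    print(to_policy_yaml(build_overrides(extract_new_defaults(SAMPLE_JOURNAL))), end="")
```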
Other
cp -p /opt/stack/keystone/keystone/tests/unit/config_files/access_rules.json /etc/keystone/access_rules.json
openstack implied role list
openstack role assignment list --user jean --name --effective
openstack role assignment list --user dom1_user --name --effective --user-domain dom1
Test
openstack domain create dom1
openstack user create dom1_admin --password toor --domain dom1
openstack role add admin --user dom1_admin --domain dom1 --inherited --user-domain dom1
## Do not do this, otherwise the user gets rights on the other domains too!
#openstack role add admin --user dom1_admin --domain dom1 --user-domain dom1
# To let the user log in on the web UI (Horizon), they must have access to at least one project.
openstack project create dom1_prj1 --domain dom1
openstack role add admin --project-domain dom1 --project dom1_prj1 --user dom1_admin --user-domain dom1
# Create a user in the domain
openstack user create dom1_user --password toor --domain dom1
openstack role add member --user dom1_user --domain dom1 --inherited --user-domain dom1
# Create a project for the user dom1_user
openstack project create dom1_user_prj1 --domain dom1
openstack role add admin --project-domain dom1 --project dom1_user_prj1 --user dom1_user --user-domain dom1
# Create the administrator of project projet1 (created as prj1)
openstack project create prj1 --domain dom1
openstack user create dom1_projet1_admin --password toor --domain dom1 --project prj1 --project-domain dom1
#
# ADMIN RIGHTS PROBLEM
#openstack role add admin --user dom1_projet1_admin --domain dom1 --user-domain dom1
# Create the user of project projet1
openstack user create dom1_projet1_user --password toor --domain dom1 --project prj1 --project-domain dom1
openstack role add member --user dom1_projet1_user --user-domain dom1 --project prj1 --project-domain dom1
## What is --inherited for on a project?
#openstack role add member --user dom1_projet1_user --user-domain dom1 --project prj1 --project-domain dom1 --inherited
Reset
openstack domain set --disable dom1
openstack domain delete dom1
tech/notes_openstack_keystone_-_role_et_policy.txt · Last modified: by Jean-Baptiste
