opendevreview | Koya Watanabe proposed openstack/keystonemiddleware master: Add cryptography package as a dependency https://review.opendev.org/c/openstack/keystonemiddleware/+/940278 | 01:58 |
*** mhen_ is now known as mhen | 02:07 |
*** mhen_ is now known as mhen | 03:05 |
Ivveh | hello, i have a rather odd question to ask. looking into how keystone policy.yaml works and which calls are allowed. im trying to create a form of user that can only call "identity:create_project" but i am unable to do so. so i am wondering if there is some special sauce im missing. the only way i can create projects is with admin role and system all scope. even with the default manager role a user i create is unable to cr | 14:38 |
gtema | Ivveh: you should create a new dedicated role and extend the policy check for `create_project` to respect this role | 14:40 |
Ivveh | so i added manager role to a user, linked to a project and also added the same role (manager) to scope system all but the default policy.yaml says "identity:create_project": "(rule:admin_required) or (role:manager and domain_id:%(target.project.domain_id)s)". but no cigar | 14:41 |
gtema | but the manager role (when authzed in the domain scope) is giving you this already | 14:41 |
Ivveh | hmmmmmm | 14:41 |
Ivveh | so what i did should work? | 14:41 |
Ivveh | (the manager role stuff) | 14:41 |
gtema | getting token in the domain scope - yes | 14:42 |
Ivveh | so, just to be perfectly clear here are the commands that should give the user the correct permission(as admin): openstack role add --domain default --user myuser manager ; openstack role add --system all --user myuser manager (?) | 14:44 |
gtema | you do not need to mess system scope - it is anyway wrong for a regular user | 14:45 |
Ivveh | this will create two assignments which should give me manager for domain default and manager in scope all? | 14:45 |
gtema | role creation is also tricky. Technically you have already manager role as part of the standard openstack roles | 14:46 |
gtema | and it is a global role, not the domain bound | 14:46 |
gtema | so instead it should be 'openstack role add --domain <DOMAIN> --user <USER> manager' | 14:47 |
Ivveh | so i need to create another role with the name manager? | 14:47 |
gtema | names must be unique | 14:48 |
gtema | you just grant existing global role in the domain scope to the user | 14:48 |
Ivveh | so i wrote two commands, the second one should be omitted. but this is the result: You are not authorized to perform the requested action: identity:create_project. | 14:48 |
Ivveh | so frustrating.. | 14:49 |
Ivveh | openstack role add --domain default --user myuser manager | 14:49 |
gtema | but well - this user gets more permissions - grant roles to users in that domain, so if you ONLY want to have user permissions to create new projects (and i.e. not delete) - you should create new global role and extend policy for the create_project to respect new role (same as it is doing now for manager) | 14:49 |
Ivveh | just trying to understand this particular rule which is a little out of the ordinary | 14:50 |
gtema | and do not forget - this check is explicitly verifying that your token is in the domain scope and not project scope | 14:51 |
Ivveh | the policy.yaml check? | 14:51 |
gtema | domain_id:%(target.project.domain_id) means that the token with the domain scope on domain X must match the domain in which the project should be created | 14:51 |
gtema | oh, actually it may work in project scope as well | 14:52 |
Ivveh | that the project im trying to create is being created in "default" according to what im trying to do? | 14:52 |
Ivveh | or what type of token is issued to my client "myuser" ? :D | 14:53 |
Ivveh | or rather, if the token he has was issued in the correct scope? | 14:53 |
gtema | for most of things you do in keystone token scope is very important | 14:54 |
gtema | user should be authorizing in the domain_scope | 14:54 |
Ivveh | so the token must be issued correctly first, yeah. that is quite complex on how it works | 14:54 |
Ivveh | im just used to working with 1 domain and regular roles in projects | 14:55 |
Ivveh | but this creating projects in a domain, i dont understand | 14:55 |
Ivveh | so when "myuser" is issuing a token, if i pass too much or too little it will deny the project create request, is this correct? | 14:56 |
gtema | need to correct myself, 'domain_id:%(target.project.domain_id)' means project can be only created in the domain which the user belongs to | 14:56 |
gtema | every project belongs to certain domain, the same as users | 14:57 |
gtema | if you do not 'use' domains most likely it is implicitly the 'default' domain | 14:58 |
Ivveh | thats what i understood from docs.. i also tried to modify the rule in policy.yaml and make it superbasic. i created a role called "manage" (without r) just to try but got deprecation warnings so i was unsure if it worked (the policy.yaml was functioning) but i still couldn't create projects no matter what | 14:58 |
Ivveh | like: "identity:create_project": "(rule:manage)" | 14:58 |
Ivveh | added the role in default domain to user, but no cigar | 14:59 |
gtema | rule:manage is wrong because it refers to the "rule" and not "role" | 14:59 |
Ivveh | sorry typo from me | 14:59 |
Ivveh | or wait! | 14:59 |
Ivveh | let me try again | 15:00 |
gtema | if you have access to keystone logs you should have something like: `RBAC: auth_context: {'token': <TokenModel (audit_id=WQ0SZeRkRMWUbxx2egB1TA, audit_chain_id=['...']) at 0x11c390110>, 'domain_id': None, 'trust_id': None, 'trustor_id': None, 'trustee_id': None, 'domain_name': None, 'group_ids': [], 'user_id': '...', 'user_domain_id': 'default', 'system_scope': None, 'project_id': '...', 'project_domain_id': 'default', 'roles': ['admin', | 15:00 |
gtema | 'manager', 'reader', 'member'], 'is_admin_project': True, 'service_user_id': None, 'service_user_domain_id': None, 'service_project_id': None, 'service_project_domain_id': None, 'service_roles': []}` | 15:00 |
Ivveh | now it looks like this: "identity:create_project": "(rule:admin_required) or (role:manager and domain_id:%(target.project.domain_id)s)" | 15:01 |
Ivveh | when should this log occur? | 15:01 |
gtema | drop the 'domain_id:%(target.project.domain_id)s' just to check whether it works for you then | 15:01 |
Ivveh | gotcha | 15:02 |
Ivveh | dropping it | 15:02 |
gtema | when the API request is received | 15:02 |
Ivveh | its like this now | 15:02 |
Ivveh | "identity:create_project": "(rule:admin_required) or (role:manager)" | 15:02 |
Ivveh | should that auth_context pop even during a fail? | 15:06 |
gtema | yes | 15:06 |
gtema | under assumption that the request reaches keystone | 15:06 |
Ivveh | doesnt happen | 15:06 |
Ivveh | hmm requires authentication error though | 15:07 |
gtema | do you see any log entries added when you send request | 15:07 |
gtema | ? | 15:07 |
Ivveh | debug is on so kinda limiting stuff by grep | 15:08 |
Ivveh | well, getting errors on user not having access to projects | 15:09 |
Ivveh | im gonna try to remove some exports for the projects | 15:11 |
Ivveh | after unsetting all the stuff for projects i just get The service catalog is empty, this is something that i struggled with before and i dont understand it fully | 15:12 |
gtema | because you haven't bootstrapped your keystone fully (most likely) | 15:13 |
Ivveh | the token issue doesn't have domain | 15:13 |
Ivveh | resourceing admin or any other user works | 15:13 |
Ivveh | this happened after the role was stripped btw | 15:16 |
Ivveh | (the admin roles it had) | 15:16 |
Ivveh | just testing and debugging a lot but yea | 15:16 |
Ivveh | i understand that the token needs to match the permissions but i can't get that puzzle to match for this particular role (to create projects) | 15:17 |
Ivveh | okay if i send --os-domain-name parameter it works. but the export doesn't... great | 15:18 |
Ivveh | (catalog list) | 15:18 |
opendevreview | Merged openstack/oslo.policy master: Skip cross jobs for non-functional update https://review.opendev.org/c/openstack/oslo.policy/+/940213 | 15:20 |
Ivveh | alright alright | 15:21 |
Ivveh | its about the token and the parameters sent in for the requests thats probably wrong | 15:21 |
Ivveh | jeez its sensitive :D | 15:21 |
Ivveh | fuck, yea | 15:22 |
Ivveh | it works now... | 15:22 |
gtema | if you are not working with clouds.yaml and still use ENV or args (which you should stop asap) passing project_id/project_name causes the token to be in the project scope. If you set the domain_id/name token will be in the domain_scope | 15:22 |
gtema | and so the removed policy rule part is requiring that user must be using domain scope token which is only possible if he is explicitly granted this role on this domain | 15:23 |
gtema | otherwise anyone is able to create projects everywhere | 15:23 |
Ivveh | yeah thats true, its just a dev env atm so just went with env | 15:29 |
Ivveh | the role was added in domain scope though | 15:29 |
Ivveh | but the policy doesnt require it | 15:30 |
Ivveh | ill fiddle around a bit | 15:30 |
gtema | if you return domain_id:%(target.project.domain_id)s back (what you SHOULD do) it will require that role is granted on the domain for which user can get token | 15:31 |
Ivveh | which it is, so changing the rule back should work | 15:31 |
Ivveh | (out of the box) | 15:31 |
gtema | yes | 15:31 |
Ivveh | hmm it doesnt | 15:33 |
Ivveh | maybe i tried this before | 15:33 |
Ivveh | dont wanna paste the assignment output but, basically rule -> user -> domain(default) -> inherit false | 15:34 |
Ivveh | uhm, *role | 15:34 |
gtema | yes | 15:34 |
Ivveh | so im guessing i must pass other args now | 15:36 |
Ivveh | but dont know which ones | 15:36 |
gtema | no project, only domain-id (or domain-name) | 15:36 |
Ivveh | no cigar | 15:38 |
Ivveh | passed both, or one each | 15:38 |
Ivveh | tried the id/name (default and Default) | 15:38 |
gtema | I have no clue what "no cigar" means. You pass either domain-id or domain-name | 15:38 |
Ivveh | it says it should be case-insensitive but i dont trust it | 15:39 |
gtema | not even sure which call you mean | 15:39 |
Ivveh | openstack project create manager-created-project --os-auth-url http://1.2.3.4:5000/v3/ --os-username user --os-password password --os-auth-type password [ --os-domain-id default | --os-domain-name Default ] | 15:40 |
Ivveh | tried both options, both give same auth problem | 15:40 |
Ivveh | (no cigar basically means it didn't work) | 15:41 |
Ivveh | You are not authorized to perform the requested action: identity:create_project. | 15:41 |
Ivveh | it actually is sensitive on the D or d | 15:42 |
Ivveh | but docs state that it isnt.. | 15:42 |
Ivveh | The request you have made requires authentication. if the D/d is incorrect | 15:43 |
gtema | I have seen installations where "domain_id: default" = "domain_name: Default" | 15:43 |
Ivveh | the role was added like so: openstack role add --user user --domain Default manager | 15:44 |
Ivveh | and the rule that worked was: "identity:create_project": "(rule:admin_required) or (role:manager)" | 15:44 |
Ivveh | after the and domain_id:%(target.project.domain_id)s) was added, it stopped allowing it | 15:45 |
Ivveh | (the rule add and project create command unchanged) | 15:45 |
gtema | most likely because you do not use the right token | 15:45 |
Ivveh | ill try with clouds.yaml method | 15:46 |
Ivveh | what im looking for is the http/s api call in the end | 15:46 |
Ivveh | but should it be and domain_id:%(target.project.domain_id)s) | 15:46 |
Ivveh | target.PROJECT.domain_id? | 15:47 |
gtema | yes, the project (to be created) must belong to the domain in which user has the role and authed in domain scope | 15:48 |
Ivveh | perhaps i need the role assigned to a project that needs to be in the correct domain, or both? | 15:48 |
Ivveh | hmmm | 15:49 |
Ivveh | are you sure? | 15:51 |
Ivveh | it feels like too much info, the api already knows that im creating a project, why does the target need to state the project again.. looking at other roles they can be like | 15:52 |
Ivveh | domain_id:%(target.user.domain_id)s), user_id:%(target.user.id)s | 15:53 |
gtema | because you MUST check whether user has rights in the target scope which is at the moment only possible when the user is authenticated in the target scope (here target domain is meant and not the target project which doesn't exist yet) | 15:53 |
Ivveh | ah | 15:54 |
Ivveh | gotcha | 15:54 |
gtema | every operation has different purpose and security protections | 15:54 |
Ivveh | my token give me 4 fields, user_id, domain_id, id (the token) and expire | 15:55 |
Ivveh | and the role was added as above and the policy is also as above | 15:56 |
Ivveh | i mean i can solve this by creating a separate role at this point, i just wanna understand the client for debugging reasons | 15:58 |
gtema | openstack client has a very useful flag "--debug" which prints out all API calls (except the auth itself) | 15:59 |
Ivveh | yeah but for that i need a success :D | 16:00 |
Ivveh | im using that to figure out how the api call should look like (when its working) | 16:01 |
gtema | please summarize your current conditions | 16:01 |
Ivveh | after setting the role to default domain to the user and having the correct role in policy.yaml (restricting manager role and domain default) i want openstack project create manager-created-project --os-auth-url http://1.2.3.4:5000/v3/ --os-username user --os-password password --os-auth-type password [ --os-domain-id default | --os-domain-name Default ] --debug to show me the correct call to auth+create project | 16:03 |
Ivveh | removing the domain_id:%(target.project.domain_id)s) from the policy.yaml yields a success | 16:04 |
Ivveh | having it there doesn't | 16:04 |
gtema | what is in the keystone log (auth context) | 16:04 |
Ivveh | RBAC: auth_context: {'token': <TokenModel (audit_id=yz6yBytARHyLgjI5bOoXpg, audit_chain_id=['yz6yBytARHyLgjI5bOoXpg']) at 0x7fb5bc357860>, 'domain_id': 'default', 'trust_id': None, 'trustor_id': None, 'trustee_id': None, 'domain_name': 'Default', 'group_ids': [], 'user_id': '9a7459b521d24e879bd6cb8dd36594f0', 'user_domain_id': 'default', 'system_scope': None, 'project_id': None, 'project_domain_id': None, 'roles': ['manage | 16:06 |
gtema | and eventually your client call misses "--domain default" (as the domain in which the project should be created). The "--os-domain-..." describes your authorization | 16:06 |
Ivveh | is it project_domain_id? | 16:07 |
Ivveh | that is None, should have default as value? | 16:08 |
gtema | it is the domain in which the project should be created | 16:08 |
Ivveh | a successful call has this field with "default" | 16:08 |
Ivveh | 'project_domain_id': 'default', | 16:08 |
gtema | and if it is None then it doesn't match the check in the policy which enforces that domain_id (or the current auth) = target.project.domain_id | 16:09 |
Ivveh | i guess i can find this in enforce.py? | 16:09 |
Ivveh | (if i want to take a closer look) | 16:09 |
gtema | not really. In the enforcer.py you may add print with the "target" in the "_enforce" method | 16:10 |
gtema | cause in the keystone log you only have auth_context but not the target | 16:11 |
Ivveh | aha | 16:12 |
Ivveh | could i technically create a role replacing target.project.domain_id with an actual value in policy.yaml? | 16:13 |
Ivveh | making the role only work in a certain domain, or replace domain with project or user or whatever other resource that can take roles? | 16:13 |
gtema | that is exactly why you grant a role to user on a project (or domain) | 16:13 |
Ivveh | okay gtema thanks a lot for the patience and help/info | 16:21 |
gtema | welcome | 16:21 |
*** priteau is now known as Guest7267 | 17:04 |
*** priteau2 is now known as priteau | 17:04 |
opendevreview | Oria Weng proposed openstack/keystone master: Add JSON schema & validation for `role assignment` https://review.opendev.org/c/openstack/keystone/+/940344 | 22:01 |
opendevreview | Oria Weng proposed openstack/keystone master: Add JSON schema & validation for `role assignment` https://review.opendev.org/c/openstack/keystone/+/940344 | 23:13 |