2021-07-16 00:46:43 |
zhaoleilc |
description |
Description
===========
As of the Rocky release, keystone provides three roles called admin,
member, and reader by default. Nova has incorporated those available
roles into default policies in the Victoria version of OpenStack. Servers,
however, can still be created by a user who has only the reader role in
the Victoria version. The ambiguous thing is that servers cannot be created
when I write the default aliases in the policy.yaml of nova.
Steps to reproduce
==================
1. Assign the reader role to the user, for example:
openstack role add --user alice --project acme reader
2. Create a server in the acme project as user alice:
openstack --os-username=<username> --os-user-domain-name=<domain> --os-password=<password> --os-project-name=<project> --os-project-domain-name=<domain> server create --network <network_id> --flavor <flavor_id> --image <image_id> server_name
3. Add these default aliases to policy.yaml:
"context_is_admin": "role:admin"
"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
"admin_api": "is_admin:True"
"system_admin_api": "role:admin and system_scope:all"
"system_reader_api": "role:reader and system_scope:all"
"project_admin_api": "role:admin and project_id:%(project_id)s"
"project_member_api": "role:member and project_id:%(project_id)s"
"project_reader_api": "role:reader and project_id:%(project_id)s"
"system_admin_or_owner": "rule:system_admin_api or rule:project_member_api"
"system_or_project_reader": "rule:system_reader_api or rule:project_reader_api"
4. Repeat the third step.
Expected result
===============
Neither step 2 nor step 4 can create servers
Actual result
=============
Step 2 creates the server successfully |
Description
===========
As of the Rocky release, keystone provides three roles called admin,
member, and reader by default. Nova has incorporated those available
roles into default policies in the Victoria version of OpenStack. Servers,
however, can still be created by a user who has only the reader role in
the Victoria version. The ambiguous thing is that servers cannot be created
when I write the default aliases in the policy.yaml of nova.
Steps to reproduce
==================
1. Assign the reader role to the user, for example:
openstack role add --user alice --project acme reader
2. Create a server in the acme project as user alice:
openstack --os-username=<username> --os-user-domain-name=<domain> --os-password=<password> --os-project-name=<project> --os-project-domain-name=<domain> server create --network <network_id> --flavor <flavor_id> --image <image_id> server_name
3. Add these default aliases to policy.yaml:
"context_is_admin": "role:admin"
"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
"admin_api": "is_admin:True"
"system_admin_api": "role:admin and system_scope:all"
"system_reader_api": "role:reader and system_scope:all"
"project_admin_api": "role:admin and project_id:%(project_id)s"
"project_member_api": "role:member and project_id:%(project_id)s"
"project_reader_api": "role:reader and project_id:%(project_id)s"
"system_admin_or_owner": "rule:system_admin_api or rule:project_member_api"
"system_or_project_reader": "rule:system_reader_api or rule:project_reader_api"
4. Repeat the third step.
Expected result
===============
Neither step 2 nor step 4 can create servers
Actual result
=============
Step 2 creates the server successfully |
|
2021-07-16 00:56:36 |
zhaoleilc |
description |
Description
===========
As of the Rocky release, keystone provides three roles called admin,
member, and reader by default. Nova has incorporated those available
roles into default policies in the Victoria version of OpenStack. Servers,
however, can still be created by a user who has only the reader role in
the Victoria version. The ambiguous thing is that servers cannot be created
when I write the default aliases in the policy.yaml of nova.
Steps to reproduce
==================
1. Assign the reader role to the user, for example:
openstack role add --user alice --project acme reader
2. Create a server in the acme project as user alice:
openstack --os-username=<username> --os-user-domain-name=<domain> --os-password=<password> --os-project-name=<project> --os-project-domain-name=<domain> server create --network <network_id> --flavor <flavor_id> --image <image_id> server_name
3. Add these default aliases to policy.yaml:
"context_is_admin": "role:admin"
"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
"admin_api": "is_admin:True"
"system_admin_api": "role:admin and system_scope:all"
"system_reader_api": "role:reader and system_scope:all"
"project_admin_api": "role:admin and project_id:%(project_id)s"
"project_member_api": "role:member and project_id:%(project_id)s"
"project_reader_api": "role:reader and project_id:%(project_id)s"
"system_admin_or_owner": "rule:system_admin_api or rule:project_member_api"
"system_or_project_reader": "rule:system_reader_api or rule:project_reader_api"
4. Repeat the third step.
Expected result
===============
Neither step 2 nor step 4 can create servers
Actual result
=============
Step 2 creates the server successfully |
Description
===========
As of the Rocky release, keystone provides three roles called admin,
member, and reader by default. Nova has incorporated those available
roles into default policies in the Victoria version of OpenStack. Servers,
however, can still be created by a user who has only the reader role in
the Victoria version. The ambiguous thing is that servers cannot be created
when I write the default aliases in the policy.yaml of nova.
Steps to reproduce
==================
1. Assign the reader role to the user, for example:
openstack role add --user alice --project acme reader
2. Create a server in the acme project as user alice:
openstack --os-username=<username> --os-user-domain-name=<domain> --os-password=<password> --os-project-name=<project> --os-project-domain-name=<domain> server create --network <network_id> --flavor <flavor_id> --image <image_id> server_name
3. Add these default aliases to policy.yaml:
"context_is_admin": "role:admin"
"admin_or_owner": "is_admin:True or project_id:%(project_id)s"
"admin_api": "is_admin:True"
"system_admin_api": "role:admin and system_scope:all"
"system_reader_api": "role:reader and system_scope:all"
"project_admin_api": "role:admin and project_id:%(project_id)s"
"project_member_api": "role:member and project_id:%(project_id)s"
"project_reader_api": "role:reader and project_id:%(project_id)s"
"system_admin_or_owner": "rule:system_admin_api or rule:project_member_api"
"system_or_project_reader": "rule:system_reader_api or rule:project_reader_api"
4. Repeat the third step.
Expected result
===============
Neither the second nor the fourth step can create servers
Actual result
=============
The second step creates the server successfully |
|
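Added illustration, not nova or oslo.policy code: a small evaluator for the check types used in the alias table from step 3, run against a constructed project-scoped token for alice that carries only the reader role. It shows which of the report's aliases such a token satisfies; in particular the legacy admin_or_owner alias matches on project_id alone, with no role check, while system_admin_or_owner requires the member or admin role. The credential and target dictionaries are constructed for the example, and the evaluator handles only the syntax those aliases use (no parentheses or negation).

```python
"""Evaluate the alias rule strings quoted in the bug report against a token.
Supports only the check types those aliases use: rule:, role:, is_admin:,
system_scope:, project_id:%(project_id)s, joined by 'and' / 'or'."""

RULES = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "admin_api": "is_admin:True",
    "system_admin_api": "role:admin and system_scope:all",
    "system_reader_api": "role:reader and system_scope:all",
    "project_admin_api": "role:admin and project_id:%(project_id)s",
    "project_member_api": "role:member and project_id:%(project_id)s",
    "project_reader_api": "role:reader and project_id:%(project_id)s",
    "system_admin_or_owner": "rule:system_admin_api or rule:project_member_api",
    "system_or_project_reader": "rule:system_reader_api or rule:project_reader_api",
}


def check(expr, creds, target, rules=RULES):
    """Evaluate one rule string; 'or' binds looser than 'and', as in oslo.policy."""
    if " or " in expr:
        return any(check(p, creds, target, rules) for p in expr.split(" or "))
    if " and " in expr:
        return all(check(p, creds, target, rules) for p in expr.split(" and "))
    kind, _, value = expr.strip().partition(":")
    if kind == "rule":                 # reference to another named alias
        return check(rules[value], creds, target, rules)
    if kind == "role":                 # role carried by the token
        return value in creds["roles"]
    if kind == "is_admin":             # context flag, compared as text
        return str(creds.get("is_admin", False)) == value
    if kind == "system_scope":         # 'all' only for system-scoped tokens
        return creds.get("system_scope") == value
    if kind == "project_id":           # value is '%(project_id)s': target attribute
        return creds.get("project_id") == target.get(value[2:-2])
    raise ValueError(f"unsupported check: {expr}")


def allowed_aliases(creds, target):
    """Return the set of alias names the given credentials satisfy."""
    return {name for name in RULES if check(RULES[name], creds, target)}


# Constructed token: alice holds only 'reader' on project 'acme' (project scope).
READER_ALICE = {"roles": ["reader"], "project_id": "acme", "is_admin": False, "system_scope": None}
TARGET_ACME = {"project_id": "acme"}

if __name__ == "__main__":
    granted = allowed_aliases(READER_ALICE, TARGET_ACME)
    for name in sorted(RULES):
        print(f"{name:26s} {'ALLOW' if name in granted else 'deny'}")
```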