Paste P368

Conversation re: roles in keystone and OpenStack

Authored by Andrew on Mar 6 2015, 11:14 PM.
andrewbogott: I’m pretty sure that in Havana/Horizon there were two possible views for a given tenant, one for members and one for admins. Now I only see an admin view and can’t find the projects that I belong to but am not admin for.
[4:05pm] andrewbogott: Is that configurable someplace, or am I overlooking an obvious widget?
[4:06pm] romainh joined the chat room.
[4:06pm] romainh left the chat room.
[4:07pm] dkorn joined the chat room.
[4:07pm] ericpeterson left the chat room. (Ping timeout: 264 seconds)
[4:07pm] crobertsrh is now known as _crobertsrh.
[4:08pm] radez_g0n3 is now known as radez.
[4:09pm] mattfarina left the chat room. (Quit: My MacBook has gone to sleep. ZZZzzz…)
[4:09pm] david-lyle: andrewbogott: there was not a view but a project selector in the left hand navigation
[4:09pm] david-lyle: it now lives in the header bar
[4:09pm] david-lyle: I think that's what you're looking for?
[4:09pm] andrewbogott: david-lyle: right, but that selector only includes projects that I’m admin for
[4:10pm] andrewbogott: There are projects I’m a member of that I can no longer select.
[4:10pm] andrewbogott: I was imagining some sort of read-only interface for users
[4:10pm] andrewbogott: maybe I’m misremembering how havana behaved
[4:10pm] david-lyle: did you add all these roles in the current session?
[4:10pm] andrewbogott: no...
[4:10pm] andrewbogott: but I will log out and in just to be sure :)
[4:10pm] david-lyle: hmm
[4:11pm] andrewbogott: yeah, still not there
[4:11pm] david-lyle: we may be hiding disabled projects as well
[4:11pm] dkorn left the chat room. (Ping timeout: 252 seconds)
[4:11pm] • david-lyle has a tough time remembering icehouse specifics
[4:11pm] andrewbogott: It’s also possible that my role names are non-standard, if they were renamed anytime since diablo
[4:13pm] andrewbogott: I also don’t have an interface for creating projects/adding members, which makes me think I must have left a section out of my config
[4:13pm] david-lyle: admin is the only role horizon in icehouse looks for to toggle things
[4:14pm] david-lyle: that should be in the admin dashboard in the identity panel group
[4:14pm] david-lyle: as long as you're admin
[4:15pm] r1chardj0n3s is now known as r1chardj0n3s_afk.
[4:15pm] andrewbogott: I have only a ‘compute’ dashboard
[4:15pm] david-lyle: then you do not have the admin role
[4:16pm] andrewbogott: ‘admin role’ is tenant-specific, or some global concept?
[4:16pm] david-lyle: name is 'admin' and applies to the project you are scoped to
[4:17pm] david-lyle: so if your default project (if set) were a project you were not admin you would not see the Admin dashboard
[4:17pm] sbfox left the chat room. (Quit: Leaving.)
[4:17pm] andrewbogott: Ah, but as I said, it /only/ shows projects that I am admin in.
[4:17pm] andrewbogott: So I can be pretty confident that…
[4:18pm] andrewbogott: well — let’s check. what should I look for on the keystone-client commandline to verify this?
[4:18pm] david-lyle: sure
[4:18pm] david-lyle: oops
[4:19pm] andrewbogott: $ keystone --os-tenant-name testlabs role-list
[4:19pm] andrewbogott: +----------------------------------+--------------+
[4:19pm] andrewbogott: | id | name |
[4:19pm] andrewbogott: +----------------------------------+--------------+
[4:19pm] andrewbogott: | 48c33cc399984b9e855cfc1636ddaba9 | admin |
[4:19pm] andrewbogott: | projectadmin | projectadmin |
[4:19pm] andrewbogott: +----------------------------------+--------------+
[4:19pm] andrewbogott: that’s a bad sign
[4:19pm] andrewbogott: it looks like the roles /were/ renamed :(
[4:20pm] david-lyle: yeah 'admin' is the value
[4:20pm] tnovacik joined the chat room.
[4:20pm] david-lyle: we just added the ability to specify a different role name for admin, but that's not in icehouse
[4:21pm] sbfox joined the chat room.
[4:21pm] bpokorny joined the chat room.
[4:21pm] andrewbogott: nor juno, I take it?
[4:22pm] david-lyle: no, sorry
[4:22pm] e0ne joined the chat room.
[4:22pm] andrewbogott: grrr, now I can’t even get keystone to admit that I exist as a user
[4:24pm] jtomasek left the chat room. (Ping timeout: 252 seconds)
[4:24pm] davelowe joined the chat room.
[4:24pm] chlong left the chat room. (Ping timeout: 245 seconds)
[4:25pm] bpokorn__ left the chat room. (Ping timeout: 250 seconds)
[4:25pm] andrewbogott: bah! any idea how to ask keystone what the roles are for a given user? (as opposed to the /current/ user?)
[4:25pm] Piet joined the chat room.
[4:25pm] andrewbogott: nm, found it
[4:26pm] david-lyle: sorry don't hit the CLI very ofter
[4:26pm] david-lyle: *often
[4:27pm] openstackgerrit: Kahou Lei proposed openstack/horizon: Floating IP table should support sorting https://review.openstack.org/162038
[4:28pm] jasongarber left the chat room. (Remote host closed the connection)
[4:30pm] andrewbogott: Is it possible to be a member of a project but have no role at all?
[4:31pm] radez is now known as radez_g0n3.
[4:31pm] david-lyle: no, the role is membership
[4:32pm] dkorn joined the chat room.
[4:32pm] andrewbogott: Hm, keystone user-role-list is returning emptiness for users that I know are in the project
[4:32pm] r1chardj0n3s_afk is now known as r1chardj0n3s.
[4:33pm] andrewbogott: but, ok, one last question: What determines when a user can or cannot create new projects? Is being admin in any project sufficient? (I hope not)
[4:34pm] openstackgerrit: Merged openstack/horizon: Making Resource panel visible where appropriate https://review.openstack.org/159881
[4:35pm] david-lyle: andrewbogott: if I'm scoped (logged into) a project that I have the 'admin' role on, then I can do all the things in icehouse
[4:36pm] david-lyle: I can create users, I can assign roles for that user on any project
[4:36pm] andrewbogott: um… that’s crazy, right? Being able to administrate one project != being able to administrate the whole damn cloud
[4:36pm] david-lyle: it does in openstack
[4:37pm] david-lyle: with keystone v3 API and a new policy file some of that changes
[4:37pm] andrewbogott: How can that be? There are public clouds after all.
[4:37pm] sbfox left the chat room. (Quit: Leaving.)
[4:38pm] david-lyle: andrewbogott: 2 main public clouds based on OpenStack don't use keystone
[4:38pm] david-lyle: the use model is thought to be this
[4:39pm] david-lyle: you the operator own and administer the cloud
[4:39pm] david-lyle: you create all users and projects and assign roles
[4:39pm] tqtran is now known as tqtran_afk.
[4:39pm] david-lyle: then the users can log in and create VMs, networks, etc on the projects they have a role on
[4:40pm] david-lyle: but have no control over authentication rules
[4:40pm] Piet: If you have an hour to spare next week, we're running a moderated card sort study using google hangouts to validate the Horizon information architecture - sign up here http://doodle.com/xs6ixvh9es7dkgc4
[4:40pm] andrewbogott: david-lyle: Here are the roles as currently implemented in my (openstack-based!) cloud:
[4:40pm] andrewbogott: - ‘users’ can access all instances in a tenant but not create new instances
[4:41pm] andrewbogott: - ‘projectadmin’ can add/remove members from their project, and create and delete instances
[4:41pm] julim joined the chat room.
[4:41pm] andrewbogott: - ‘cloudadmin’ can create projects and hence, do all those other things
[4:42pm] andrewbogott: So, maybe ‘cloudadmin’ is what OS calls ‘admin’
[4:42pm] david-lyle: then you are using keystone v3 and a modified policy file?
[4:42pm] andrewbogott: and ‘projectadmin’ is what OS calls ‘member’
[4:42pm] andrewbogott: Nope, this has been how we ran it since diablo
[4:42pm] andrewbogott: But with a custom UI. so maybe all these policies are implemented in the UI and ignore keystone rights altogether...
[4:42pm] andrewbogott: although we certainly use keystone auth to log into the UI
[4:43pm] andrewbogott: but, ok, it seems like ‘cloudadmin’ in my cloud == ‘admin’ in OS
[4:43pm] david-lyle: andrewbogott: but it's just the UI that's blocking access control
[4:43pm] andrewbogott: and ‘projectadmin’ == member in OS
[4:43pm] andrewbogott: and OS just doesn’t have a concept of what we call a ‘member'
[4:43pm] andrewbogott: david-lyle: it must just be enforced by the gui, I haven’t thought about it that hard.
[4:44pm] andrewbogott: Crap, this means adopting horizon is going to be ugly :(
[4:44pm] david-lyle: you are elevating privilege somehow for projectadmin users
[4:44pm] david-lyle: andrewbogott: we're actually working very hard to fix all that
[4:44pm] andrewbogott: must be, yeah.
[4:44pm] sbfox joined the chat room.
[4:45pm] david-lyle: let me grab some patches
[4:45pm] david-lyle: just a sec
[4:46pm] andrewbogott: david-lyle: working to fix in kilo, or for L?
[4:46pm] david-lyle: https://review.openstack.org/#/c/141153/ and https://review.openstack.org/#/c/148082/
[4:46pm] david-lyle: working for Kilo, running out of runway
[4:46pm] tqtran_afk left the chat room. (Ping timeout: 256 seconds)
[4:47pm] david-lyle: but it introduces another identity concept, domains
[4:47pm] david-lyle: which has been in keystone since Grizzly
[4:47pm] david-lyle: but, domains are essentially how you're treating projects
[4:48pm] david-lyle: so the roles are shlub (member), domain admin and cloud admin
[4:48pm] andrewbogott: how do domains differ from tenants?
[4:49pm] david-lyle: basically a super-tenant
[4:49pm] openstackgerrit: Dan Nguyen proposed openstack/horizon: Add example keystone v3 policy file to horizon https://review.openstack.org/162325
[4:50pm] david-lyle: another container
[4:50pm] lhcheng: **spatial tenant
[4:50pm] andrewbogott: david-lyle: ah, because what you’re calling ‘shlub’ is /already/ a tenant admin in my lingo
[4:50pm] david-lyle: no, just user
[4:50pm] david-lyle: well maybe
[4:50pm] andrewbogott: then why is there not a tenant admin role?
[4:51pm] david-lyle: what can our user do?
[4:51pm] david-lyle: spin up VMs, etc?
[4:51pm] david-lyle: that's just user
[4:51pm] david-lyle: or 'member'
[4:51pm] andrewbogott: Is there any role that means ‘I can change members of this tenant’?
[4:51pm] andrewbogott: Or just ‘I can change members of <some> tenants’?
[4:52pm] openstackgerrit: Doug Fish proposed openstack/django_openstack_auth: WIP: K2K federation https://review.openstack.org/159910
[4:53pm] david-lyle: just from the domain admin level
[4:53pm] andrewbogott: weird
[4:53pm] andrewbogott: and there’s still no concept of ‘can login to vms but not create them’
[4:53pm] david-lyle: keystone is actually attempting to squash out domains (if I understand the flavor of the week)
[4:54pm] david-lyle: you would just do that with a keypair or username and password on the VM
[4:54pm] andrewbogott: ‘squash out’ in what sense?
[4:54pm] peristeri left the chat room. (Remote host closed the connection)
[4:54pm] david-lyle: or are you using the consoles
[4:54pm] david-lyle: well, you're not using horizon, so what are you wanting this third class of user to be able to do?
[4:55pm] andrewbogott: david-lyle: nah, keypair/username works, just it would be nice to be able to administrate that from horizon
[4:55pm] david-lyle: the tenant owner can add users on the OS instance
[4:55pm] david-lyle: could access through the console in horizon
[4:56pm] david-lyle: but we don't modify user credentials on the VMs directly
[4:56pm] andrewbogott: ‘tenant owner’?
[4:56pm] david-lyle: I think it's broader
[4:56pm] david-lyle: anyone who has a role on the tenant
[4:58pm] david-lyle: are you doing useradd from your UI?
[4:58pm] andrewbogott: well, my current design is kind of a 9-headed monster.
[4:59pm] andrewbogott: Ldap backs everything — access on machines and also keystone.
[4:59pm] david-lyle: oh, so you do user permission changes directly in ldap
[4:59pm] iamjarvo left the chat room. (Quit: My MacBook has gone to sleep. ZZZzzz…)
[4:59pm] david-lyle: not your UI
[5:00pm] david-lyle: or you use ldap for users on the VMs
[5:00pm] andrewbogott: Right, the VMs use ldap auth
[5:01pm] andrewbogott: And the UI reads/writes from/to ldap.
[5:01pm] david-lyle: oh the UI writes to ldap, so you've mapped your roles
[5:01pm] andrewbogott: right.
[5:01pm] david-lyle: that's been a difficult thing to generalize
[5:02pm] andrewbogott: All of this was implemented before horizon (and most of keystone) existed.
[5:02pm] andrewbogott: I guess I should’ve been keeping an eye out so that keystone’s development included my use case :(
[5:03pm] ericpeterson joined the chat room.
[5:03pm] david-lyle: andrewbogott: they've thought a lot about it, like I say though hard to have a generic mapping mechanism
[5:03pm] david-lyle: not so bad for one installation
[5:04pm] andrewbogott: It sounds like I need two things —
[5:04pm] andrewbogott: 1) domain admins (or something like that) that lets me limit a user’s influence to a single tenant
[5:05pm] andrewbogott: 2) a new dashboard that controls ‘peon’ users within ldap, who don’t necessarily even exist in keystone as members of any projects.
[5:06pm] andrewbogott: At which point what you’re calling an ‘admin’ will be what we call a ‘cloud admin’
[5:06pm] david-lyle: well member may be your projectadmin other than your custom ldap work
[5:06pm] david-lyle: which you could use RBAC to control
[5:06pm] david-lyle: access to
[5:06pm] andrewbogott: hm, true — if ‘member’ has access to the peon dashboard.
[5:06pm] andrewbogott: they couldn’t add/remove other members.
[5:06pm] andrewbogott: but they could, peons.
[5:06pm] andrewbogott: So that’s a slight change from our current use but might be acceptable.
[5:06pm] david-lyle: yup
[5:07pm] andrewbogott: (right now if you’re a projectadmin you’re god of that project, including the ability to create/remove other projectadmins. Saves wear-and-tear on the cloudadmins.)
[5:07pm] andrewbogott: Which, if I understand correctly, I could create domain admins and just define each domain to be == a single tenant
[5:07pm] ericpeterson left the chat room. (Ping timeout: 246 seconds)
[5:07pm] andrewbogott: at which point a domain admin would be the same as a projectadmin
[5:08pm] andrewbogott: Unless keystone abolishes domains, which you mentioned earlier and which seems to… negate everything else you said about domains :)
[5:09pm] david-lyle: andrewbogott: I think so, and if domains go away, there will still be a hierarchy that you could use
[5:10pm] david-lyle: tenants are becoming hierarchical
[5:10pm] andrewbogott: ok. And you think it’s vaguely possible that this will roll out in K?
[5:10pm] andrewbogott: you mean, tenants in tenants?
[5:10pm] david-lyle: vaguely yes
[5:10pm] andrewbogott: :/ ok
[5:10pm] david-lyle: yes to tenants in tenants
[5:10pm] david-lyle: that's somewhat in Keystone now, will be in other projects in L
[5:10pm] mpavlase left the chat room. (Quit: Leaving.)
[5:11pm] andrewbogott: ok
[5:11pm] andrewbogott: I’m still super surprised that ‘public cloud’ is not a use case that the Keystone people considered until today. But my eyebrows will settle down eventually.
[5:11pm] andrewbogott: david-lyle: thank you for talking this through with me
[5:12pm] tnovacik left the chat room. (Ping timeout: 265 seconds)
[5:12pm] david-lyle: sure, the domain model was intended for things like public cloud, but that's as far as it got
[5:12pm] andrewbogott: david-lyle: do you object to my c/p’ing this conversation and posting it in a potentially public place?
[5:13pm] david-lyle: hard to connect the dots through all the projects in openstack
[5:13pm] david-lyle: no, that's fine, I assume this channel is logged by someone (not officially)
[5:13pm] david-lyle: so it's yours to do with as you please
[5:13pm] andrewbogott: Due to us having adopted a new bugtracker I’m no longer clear on if there’s a distinction between ‘my coworkers’ and ‘everyone in the world’ :)
[5:13pm] andrewbogott: thanks
