*** mattoliverau has joined #openstack-upstream-institute | 01:38 |
*** irclogbot_1 has quit IRC | 06:29 |
*** irclogbot_3 has joined #openstack-upstream-institute | 07:30 |
*** gbutnaru has joined #openstack-upstream-institute | 13:39 |
*** Andreas681 has joined #openstack-upstream-institute | 13:49 |
Andreas681 | Hello. I'm trying to make a horizon panel that will list all policies in keystone. I've found this `oslopolicy-policy-generator --namespace keystone --output-file policy.yaml` and it will generate all the default policies, but that is not my intention, since this will override all the existing policies. Is there a function or a module that I can use | 13:54 |
Andreas681 | to call and retrieve back policies as an object? | 13:54 |
Andreas681 | I've tried this `$ source admin-openrc.sh` | 13:54 |
Andreas681 | `openstack access rule list --user=admin` | 13:54 |
Andreas681 | and it doesn't return anything, however, if I do like this | 13:54 |
Andreas681 | `openstack access rule list --user=demo` | 13:55 |
Andreas681 | I'll get this: `You are not authorized to perform the requested action: identity:list_access_rules. (HTTP 403) (Request-ID: req-77ce6190-2932-4f0c-b6f3-d8aebe43680b` | 13:55 |
ildikov | Andreas681: it looks like the list you are trying to retrieve is empty | 14:37 |
gmann | Andreas681: in case you missed the reply yesterday: | 14:53 |
gmann | this tool would overwrite the already defined policy. this tool fetches all the policy rules from the policy file and merges them with the defaults which are not in the file. | 14:53 |
gmann | this is where we take care of file rules - https://github.com/openstack/oslo.policy/blob/c3868371212597069e4614d9ae05fe7cd0358ca1/oslo_policy/generator.py#L294-L299 | 14:53 |
gmann | and 403 might be due to an override rule. did you override the list_access_rules rule? the default value is 'system reader or owner' in the new policy, or admin or owner, depending on which openstack release you are using | 14:56 |
Andreas681 | Hm | 15:11 |
gmann | you are using openstack ussuri ? | 15:13 |
Andreas681 | So normally there is no `policy.yaml` file, instead all the policies are "baked" into code? Is there any function I can use to list the current policies that are put in place? | 15:13 |
Andreas681 | I'm using devstack | 15:13 |
Andreas681 | Never heard of ussuri, so I guess I don't use it | 15:14 |
gmann | ussuri is master branch. if you are using devstack master then it is master | 15:14 |
gmann | let me check if old default rules are still deprecated or removed. if removed, then you need system scope also | 15:15 |
Andreas681 | Ok I see. I'm working on a student project and my goal is to list all the policies in a nice manner in a horizon panel. But I can't really figure out how to extract the policies when there is no file that contains the policies. | 15:16 |
Andreas681 | And I've seen that there are two types, RuleDefault and DocumentedRuleDefault. I guess it would be even better if the policies are listed as an object, with a detailed description. | 15:18 |
Andreas681 | Never worked with policies before, so I don't know what the traditional way to display them is | 15:19 |
Andreas681 | It would be a disaster if someone that would use my plugin would get their policies overwritten, so I'm really trying to figure out how to extract the configured policies, within that system, and then list them :] | 15:27 |
gmann | DocumentedRuleDefault is one that has the description and all. | 15:30 |
Andreas681 | yes, that's the one I'm planning to list. | 15:31 |
Andreas681 | I'm just gonna list the policies in keystone, for starters | 15:32 |
gmann | you can use that tool to generate or there are documents also. let me check | 15:35 |
Andreas681 | cheers | 15:36 |
gmann | Andreas681: here you go. these doc are generated from oslopolicy-policy-generator tool (it is modified at the same time any change in policy so you can rely on them as latest) | 15:38 |
gmann | keystone: https://docs.openstack.org/keystone/latest/configuration/policy.html | 15:38 |
gmann | Nova: https://docs.openstack.org/nova/latest/configuration/policy.html | 15:38 |
gmann | you can find the sample file also - https://docs.openstack.org/keystone/latest/configuration/samples/policy-yaml.html | 15:39 |
gmann | same you can find for all other projects | 15:39 |
Andreas681 | yes, I've been on those pages but I guess the answer flew past my head | 15:40 |
Andreas681 | So what's the syntax to generate DocumentedRuleDefault? | 15:40 |
Andreas681 | I've only got this to work `oslopolicy-policy-generator --namespace keystone --output-file policy.yaml` | 15:40 |
gmann | yes this is correct. | 15:41 |
Andreas681 | yes, but this one doesn't give me the documented version | 15:42 |
Andreas681 | It lists 200 policies looking like this | 15:42 |
Andreas681 | "identity:update_consumer": "role:admin and system_scope:all" | 15:42 |
Andreas681 | and so on | 15:43 |
gmann | this will give you the sample file (same as linked before) | 15:43 |
Andreas681 | yes, and it also overwrites the existing policies, right? | 15:44 |
gmann | Andreas681: it should have document also. like this: | 15:44 |
gmann | # DEPRECATED "identity:create_consumer":"rule:admin_required" has been | 15:44 |
gmann | # deprecated since T in favor of | 15:44 |
gmann | # "identity:create_consumer":"role:admin and system_scope:all". The | 15:44 |
gmann | # OAUTH1 consumer API is now aware of system scope and default roles. | 15:44 |
gmann | # Update OAUTH1 consumer. | 15:44 |
gmann | # PATCH /v3/OS-OAUTH1/consumers/{consumer_id} | 15:44 |
gmann | # Intended scope(s): system | 15:44 |
gmann | #"identity:update_consumer": "role:admin and system_scope:all" | 15:44 |
Andreas681 | It doesn't | 15:44 |
Andreas681 | It looks like this: | 15:45 |
Andreas681 | "identity:get_endpoint": "role:reader and system_scope:all" | 15:45 |
Andreas681 | All the way through | 15:45 |
gmann | Andreas681: no, if a policy file exists, the policy rules present in that file will not be overwritten. | 15:45 |
gmann | Andreas681: humm, let me try | 15:45 |
gmann | existing rules are not modified by this tool. it will just append the ones not in the file and present in code | 15:46 |
Andreas681 | Oohh | 15:46 |
gmann | Andreas681: give me 5 min, booting VM | 15:47 |
Andreas681 | Cheers buddy | 15:47 |
Andreas681 | Does it matter where this `policy.yaml`-file is located? or are there any preferred locations such as `/etc/keystone/` or `/opt/stack/horizon/` | 15:50 |
*** matt_kosut has quit IRC | 16:00 |
*** matt_kosut has joined #openstack-upstream-institute | 16:00 |
Andreas681 | It could be that the description texts are omitted in the output file, and only spat out in the terminal | 16:05 |
Andreas681 | Looks like that part is left out in the terminal. I just remade the `policy.yaml` file | 16:16 |
Andreas681 | usr/local/lib/python3.6/dist-packages/oslo_policy/policy.py:706: UserWarning: Policy "identity:delete_user":"rule:admin_required" was deprecated in S in favor of "identity:delete_user":"(role:admin and system_scope:all) or (role:admin and token.domain.id:%(target.user.domain_id)s)". Reason: The user API is now aware of system scope and default | 16:16 |
Andreas681 | roles.. Either ensure your deployment is ready for the new default or copy/paste the deprecated policy into your policy file and maintain it manually. | 16:16 |
Andreas681 | warnings.warn(deprecated_msg) | 16:16 |
Andreas681 | Andreascn@andreaspoliciesserver:/etc/keystone$ | 16:16 |
Andreas681 | The terminal is flooded with this, instead of it ending up in the output file | 16:17 |
gmann | Andreas681: ok, i got why you did not get documented rules. we have two tools actually, the one you are using is just outputting the rules without documentation and this one, oslopolicy-sample-generator, will generate a sample file with documentation - https://docs.openstack.org/oslo.policy/latest/user/usage.html#sample-file-generation | 16:27 |
gmann | oslopolicy-policy-generator tool will show what policies are used in your env which is nothing but existing policy in file + defaults in code | 16:28 |
Andreas681 | Oh wow, I've seen that tool before.. but the name "sample" made me think it was just a sample/example | 16:30 |
Andreas681 | Now I got it, thanks! | 16:30 |
gmann | Andreas681: :) yeah name is like that. | 16:31 |
Andreas681 | gmann Does it matter where this `policy.yaml`-file is located? or are there any preferred locations such as `/etc/keystone/` or `/opt/stack/horizon/` | 16:32 |
Andreas681 | Also, there is something strange. With `oslopolicy-sample-generator --namespace keystone --output-file policy.yaml` it does generate policies, but there are only 8 lines that are active, the rest of the lines are commented out D: | 16:35 |
gmann | Andreas681: not really. path is configurable CONF.policy_file | 16:36 |
Andreas681 | Got it! | 16:36 |
gmann | you can configure this per service | 16:36 |
gmann | Andreas681: yeah sample file is all commented and you can uncomment the one you want to override | 16:36 |
gmann | usually, it helps operators to know what all policies are overridden and what all are default to what all users | 16:38 |
Andreas681 | I see I see, now I got something to chew into. Thanks a lot for your help and time <3 | 16:39 |
gmann | np! | 16:39 |
*** Andreas681 has quit IRC | 16:58 |
*** matt_kosut has quit IRC | 21:01 |