403 error with below policy.json

Asked by Rajiv Mucheli on 2020-03-23

Hi,

I get below error :

2020-03-23 07:22:57.543 94 ERROR rally return self._next()
2020-03-23 07:22:57.543 94 ERROR rally File "/usr/local/lib/python2.7/dist-packages/glanceclient/common/utils.py", line 550, in _next
2020-03-23 07:22:57.543 94 ERROR rally obj, resp = next(self._self_wrapped)
2020-03-23 07:22:57.543 94 ERROR rally File "/usr/local/lib/python2.7/dist-packages/glanceclient/v2/images.py", line 183, in list
2020-03-23 07:22:57.543 94 ERROR rally for image, resp in paginate(url, page_size, limit):
2020-03-23 07:22:57.543 94 ERROR rally File "/usr/local/lib/python2.7/dist-packages/glanceclient/v2/images.py", line 110, in paginate
2020-03-23 07:22:57.543 94 ERROR rally resp, body = self.http_client.get(next_url, headers=req_id_hdr)
2020-03-23 07:22:57.543 94 ERROR rally File "/usr/local/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 386, in get
2020-03-23 07:22:57.543 94 ERROR rally return self.request(url, 'GET', **kwargs)
2020-03-23 07:22:57.543 94 ERROR rally File "/usr/local/lib/python2.7/dist-packages/glanceclient/common/http.py", line 373, in request
2020-03-23 07:22:57.543 94 ERROR rally return self._handle_response(resp)
2020-03-23 07:22:57.543 94 ERROR rally File "/usr/local/lib/python2.7/dist-packages/glanceclient/common/http.py", line 122, in _handle_response
2020-03-23 07:22:57.543 94 ERROR rally raise exc.from_response(resp, resp.content)
2020-03-23 07:22:57.543 94 ERROR rally HTTPForbidden: 403 Forbidden: You are not authorized to complete get_images action. (HTTP 403)

with below policy.json:

{
    "context_is_cloud_admin": "role:cloud_image_admin",
    "context_is_admin": "rule:context_is_cloud_admin",
    "owner": "project_id:%(project_id)s",
    "admin": "role:image_admin and rule:owner",
    "member": "role:member and rule:owner",
    "viewer": "role:image_viewer and rule:owner",
    "context_is_image_admin": "rule:context_is_admin or rule:admin",
    "context_is_editor": "rule:context_is_image_admin or rule:member",
    "context_is_viewer": "rule:context_is_editor or rule:viewer",
    "default": "rule:context_is_admin",

    "add_image": "rule:context_is_editor",
    "delete_image": "rule:context_is_editor",
    "get_image": "rule:context_is_viewer",
    "get_images": "rule:context_is_viewer",
    "modify_image": "rule:context_is_editor",
    "publicize_image": "rule:context_is_cloud_admin",
    "copy_from": "rule:context_is_editor",

    "download_image": "rule:context_is_editor",
    "upload_image": "rule:context_is_editor",

    "delete_image_location": "rule:context_is_editor",
    "get_image_location": "rule:context_is_viewer",
    "set_image_location": "rule:context_is_editor",

    "add_member": "rule:context_is_editor",
    "delete_member": "rule:context_is_editor",
    "get_member": "rule:context_is_viewer",
    "get_members": "rule:context_is_viewer",
    "modify_member": "rule:context_is_editor",
    "manage_image_cache": "rule:context_is_admin",

    "get_task": "rule:context_is_viewer",
    "get_tasks": "rule:context_is_viewer",
    "add_task": "rule:context_is_editor",
    "modify_task": "rule:context_is_editor",
    "tasks_api_access": "rule:context_is_editor",

    "deactivate": "rule:context_is_editor",
    "reactivate": "rule:context_is_editor",

    "get_metadef_namespace": "rule:context_is_viewer",
    "get_metadef_namespaces": "rule:context_is_viewer",
    "modify_metadef_namespace": "rule:context_is_editor",
    "add_metadef_namespace": "rule:context_is_editor",

    "get_metadef_object": "rule:context_is_viewer",
    "get_metadef_objects": "rule:context_is_viewer",
    "modify_metadef_object": "rule:context_is_editor",
    "add_metadef_object": "rule:context_is_editor",

    "list_metadef_resource_types": "rule:context_is_viewer",
    "get_metadef_resource_type": "rule:context_is_viewer",
    "add_metadef_resource_type_association": "rule:context_is_editor",

    "get_metadef_property": "rule:context_is_viewer",
    "get_metadef_properties": "rule:context_is_viewer",
    "modify_metadef_property": "rule:context_is_editor",
    "add_metadef_property": "rule:context_is_editor",

    "get_metadef_tag": "rule:context_is_viewer",
    "get_metadef_tags": "rule:context_is_viewer",
    "modify_metadef_tag": "rule:context_is_editor",
    "add_metadef_tag": "rule:context_is_editor",
    "add_metadef_tags": "rule:context_is_editor"
}

based on https://docs.openstack.org/glance/latest/admin/policies.html, does role:admin use keystone role:admin ? my intent is not use keystone role:admin.

Please suggest.

Question information

Language:
English Edit question
Status:
Solved
For:
Glance Edit question
Assignee:
No assignee Edit question
Solved by:
Brian Rosmaita
Solved:
2020-03-25
Last query:
2020-03-25
Last reply:
2020-03-24
Rajiv Mucheli (rajiv.mucheli) said : #1

"context_is_image_admin": "rule:context_is_admin or role:admin or rule:admin",

resolves the initial errors but not all policy operations.

Rajiv Mucheli (rajiv.mucheli) said : #2

Is it mandatory to use role:admin (keystone) to fix this issue?

Hi Rajiv,

As you can see, writing policies that do what you expect is not trivial. Some tooling has been developed to help. You might want to reach out to the authors of this workshop:

https://www.openstack.org/summit/denver-2019/summit-schedule/events/23005/access-control-policy-hands-on-lab

to see if they can point you to the materials they used (they made some tooling and instructions available online, but I can't find them ATM).

So I'm not exactly sure why your file isn't working, but I can answer your question. It should *not* be mandatory to use role:admin to do anything. That being said, Glance is a bit unusual in that you can set a role in glance-api.conf that Glance will recognize unconditionally as having admin-level access. The setting is 'admin_role' and the default is 'admin'. I suggest changing this value to a string, something that you can be sure will never actually be a role name. If you're using this setting at its default value, that would explain why someone with role:admin seems to be able to do everything.

There's some more info about this in a talk I gave a few summits ago:
https://www.openstack.org/videos/summits/denver-2019/you-cant-make-a-denver-omelette-without-breaking-eggs-using-openstack-policies-for-great-good

I think some of this is mentioned in the Glance docs, but I'm not sure where.

By the way, you probably noticed that the Glance policy doc you referenced is very out-of-date. If you have time to put up a patch with corrections, that would be great! It would save someone else a lot of time. If you don't have time, maybe you could just slap your notes into an etherpad at https://etherpad.openstack.org and maybe someone else could write them up later.

Finally, you might want to email the <email address hidden> with a subject line something like '[ops] need help configuring policies' and see if someone can help.

Rajiv Mucheli (rajiv.mucheli) said : #4

Thanks Brian Rosmaita, that solved my question.