403 error with below policy.json
Hi,
I get the error below:
2020-03-23 07:22:57.543 94 ERROR rally return self._next()
2020-03-23 07:22:57.543 94 ERROR rally File "/usr/local/
2020-03-23 07:22:57.543 94 ERROR rally obj, resp = next(self.
2020-03-23 07:22:57.543 94 ERROR rally File "/usr/local/
2020-03-23 07:22:57.543 94 ERROR rally for image, resp in paginate(url, page_size, limit):
2020-03-23 07:22:57.543 94 ERROR rally File "/usr/local/
2020-03-23 07:22:57.543 94 ERROR rally resp, body = self.http_
2020-03-23 07:22:57.543 94 ERROR rally File "/usr/local/
2020-03-23 07:22:57.543 94 ERROR rally return self.request(url, 'GET', **kwargs)
2020-03-23 07:22:57.543 94 ERROR rally File "/usr/local/
2020-03-23 07:22:57.543 94 ERROR rally return self._handle_
2020-03-23 07:22:57.543 94 ERROR rally File "/usr/local/
2020-03-23 07:22:57.543 94 ERROR rally raise exc.from_
2020-03-23 07:22:57.543 94 ERROR rally HTTPForbidden: 403 Forbidden: You are not authorized to complete get_images action. (HTTP 403)
with the policy.json below:
{
"context_
"context_
"owner": "project_
"admin": "role:image_admin and rule:owner",
"member": "role:member and rule:owner",
"viewer": "role:image_viewer and rule:owner",
"context_
"context_
"context_
"default": "rule:context_
"add_image": "rule:context_
"delete_image": "rule:context_
"get_image": "rule:context_
"get_images": "rule:context_
"modify_image": "rule:context_
"publicize_
"copy_from": "rule:context_
"download_
"upload_image": "rule:context_
"delete_
"get_
"set_
"add_member": "rule:context_
"delete_
"get_member": "rule:context_
"get_members": "rule:context_
"modify_
"manage_
"get_task": "rule:context_
"get_tasks": "rule:context_
"add_task": "rule:context_
"modify_task": "rule:context_
"tasks_
"deactivate": "rule:context_
"reactivate": "rule:context_
"get_
"get_
"modify_
"add_
"get_
"get_
"modify_
"add_
"list_
"get_
"add_
"get_
"get_
"modify_
"add_
"get_
"get_
"modify_
"add_
"add_
}
based on https:/
Please suggest.
Question information
- Language: English
- Status: Solved
- For: Glance
- Assignee: No assignee
- Solved by: Brian Rosmaita
- Solved: 2020-03-25
- Last query: 2020-03-25
- Last reply: 2020-03-24
Rajiv Mucheli (rajiv.mucheli) said : | #1 |
"context_
resolves the initial errors but not all policy operations.
Rajiv Mucheli (rajiv.mucheli) said : | #2 |
Is it mandatory to use role:admin (keystone) to fix this issue?
Brian Rosmaita said : | #3 |
Hi Rajiv,
As you can see, writing policies that do what you expect is not trivial. Some tooling has been developed to help. You might want to reach out to the authors of this workshop:
to see if they can point you to the materials they used (they made some tooling and instructions available online, but I can't find them ATM).
So I'm not exactly sure why your file isn't working, but I can answer your question. It should *not* be mandatory to use role:admin to do anything. That being said, Glance is a bit unusual in that you can set a role in glance-api.conf that Glance will recognize unconditionally as having admin-level access. The setting is 'admin_role' and the default is 'admin'. I suggest changing this value to a string, something that you can be sure will never actually be a role name. If you're using this setting at its default value, that would explain why someone with role:admin seems to be able to do everything.
There's some more info about this in a talk I gave a few summits ago:
https:/
I think some of this is mentioned in the Glance docs, but I'm not sure where.
By the way, you probably noticed that the Glance policy doc you referenced is very out-of-date. If you have time to put up a patch with corrections, that would be great! It would save someone else a lot of time. If you don't have time, maybe you could just slap your notes into an etherpad at https:/
Finally, you might want to email the <email address hidden> with a subject line something like '[ops] need help configuring policies' and see if someone can help.
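Added example (not from this thread and not Glance's own code): a small Python evaluator for the rule syntax used in the policy.json above (role:, rule:, project_id:%(owner)s, and/or), together with a model of the glance-api.conf admin_role short-circuit described in the answer. The get_images rule and the expansion of "owner" are assumed stand-ins for the truncated values in the question.

```python
# Added illustration, not Glance's implementation. Models two things from the thread:
#  1. how "role:image_admin and rule:owner"-style rules resolve for a given caller;
#  2. how a caller holding the configured admin_role is treated as admin regardless
#     of policy, and how setting admin_role to a never-used string closes that path.
from typing import Dict

# Constructed policy. The page's own 'owner' and 'get_images' values are truncated,
# so these two entries are assumptions; the other rule bodies appear on the page.
POLICY: Dict[str, str] = {
    "owner": "project_id:%(owner)s",
    "admin": "role:image_admin and rule:owner",
    "member": "role:member and rule:owner",
    "viewer": "role:image_viewer and rule:owner",
    "get_images": "rule:admin or rule:member or rule:viewer",
}

def _atom(atom: str, creds: dict, target: dict, policy: dict) -> bool:
    """Evaluate one check: role:X, rule:Y, or <cred_key>:%(target_field)s."""
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        return enforce(value, creds, target, policy)
    # Generic check, e.g. project_id:%(owner)s: compare the caller's
    # credential to the target field after %()s substitution.
    return str(creds.get(kind)) == value % target

def enforce(rule: str, creds: dict, target: dict, policy: dict = POLICY) -> bool:
    """'and' binds tighter than 'or' (oslo.policy precedence). Unknown rule -> deny."""
    expr = policy.get(rule)
    if expr is None:
        return False
    return any(all(_atom(a.strip(), creds, target, policy) for a in conj.split(" and "))
               for conj in expr.split(" or "))

def glance_allowed(action: str, creds: dict, target: dict,
                   admin_role: str = "admin") -> bool:
    """Model of the behaviour described in the answer: a caller holding admin_role
    is accepted unconditionally; everyone else is checked against the policy."""
    if admin_role in creds.get("roles", []):
        return True
    return enforce(action, creds, target)
```

With the default admin_role a user whose only role is "admin" lists images in any project even though no policy rule mentions that role; with admin_role set to an unused sentinel, only the roles named in policy.json are honoured.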
Rajiv Mucheli (rajiv.mucheli) said : | #4 |
Thanks Brian Rosmaita, that solved my question.