2022-09-15 01:50:35 |
Linda Guo |
description |
By default, only the project admin is allowed to update quota. I tried to override the neutron-api policy to allow a user with the admin role on a domain to set quota for network, but it doesn't work. I am not sure if this is a keystone bug or a neutron-api bug.
>> neutron-api override policy
"admin_required": "role:admin",
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s"
"get_quota": "rule: admin_and_matching_domain_id"
"update_quota": "rule: admin_and_matching_domain_id"
"delete_quota": "rule: admin_and_matching_domain_id"
>> 'openstack quota set' returned error:
$ openstack quota set --floating-ips 51 1508ac11c7bb41378c09808a1acc8ad6
HttpException: 403: Client Error for url: https://10.5.3.191:9696/v2.0/quotas/1508ac11c7bb41378c09808a1acc8ad6, rule:update_quota is disallowed by policy
>> user role assignment
$ openstack role assignment list --names --user test-user
+--------+------------------------+-------+---------------------------+--------------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+--------+------------------------+-------+---------------------------+--------------+--------+-----------+
| member | test-user@admin_domain | | test-project@admin_domain | | | False |
| Admin | test-user@admin_domain | | | admin_domain | | False |
+--------+------------------------+-------+---------------------------+--------------+--------+-----------+
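Added example, not part of the bug report and not neutron or oslo.policy code: a simplified model of how the `role:` check and the `domain_id:%(domain_id)s` check in `admin_and_matching_domain_id` are evaluated, useful for testing an override offline. The credential and target dictionaries are constructed assumptions, not values neutron is known to pass.

```python
# Simplified model of oslo.policy's role check and generic check.
# Only "and"-joined checks are supported, which is all the rule above needs.
RULES = {
    "admin_required": "role:admin",
    "admin_and_matching_domain_id":
        "rule:admin_required and domain_id:%(domain_id)s",
}

# Constructed credentials (assumptions): one domain-scoped, one project-scoped.
DOMAIN_ADMIN = {"roles": ["Admin"], "domain_id": "dom-1"}
PROJECT_MEMBER = {"roles": ["member"], "project_id": "proj-1", "domain_id": None}

def role_check(match, creds):
    # Role names are compared case-insensitively.
    return match.lower() in (r.lower() for r in creds.get("roles", []))

def generic_check(kind, match, target, creds):
    # The right-hand side is filled in from the target of the request; the
    # left-hand side names a credential attribute. A key that is missing
    # from the target fails the check instead of raising.
    try:
        wanted = match % target
    except KeyError:
        return False
    if kind not in creds:
        return False
    return wanted == str(creds[kind])

def evaluate(rule, rules, target, creds):
    for check in rule.split(" and "):
        kind, match = check.strip().split(":", 1)
        if kind == "rule":
            ok = evaluate(rules[match], rules, target, creds)
        elif kind == "role":
            ok = role_check(match, creds)
        else:
            ok = generic_check(kind, match, target, creds)
        if not ok:
            return False
    return True

def decisions():
    rule = "rule:admin_and_matching_domain_id"
    return {
        "no_domain_in_target": evaluate(rule, RULES, {"project_id": "proj-1"}, DOMAIN_ADMIN),
        "same_domain": evaluate(rule, RULES, {"project_id": "proj-1", "domain_id": "dom-1"}, DOMAIN_ADMIN),
        "other_domain": evaluate(rule, RULES, {"domain_id": "dom-2"}, DOMAIN_ADMIN),
        "project_member": evaluate(rule, RULES, {"domain_id": "dom-1"}, PROJECT_MEMBER),
    }
```

In this model the rule passes only when the credentials carry the admin role and a `domain_id`, and the target of the request also carries the same `domain_id`.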