@lbragstad
Last active October 28, 2019 16:54
oslopolicy-checker demo

This document describes how to gather the information you need to use oslopolicy-checker effectively. The tool requires a token, which the oslo.policy enforcer object evaluates the policy rules against. The easiest way to get one is to export a cloud profile and use python-openstackclient.

~ cat /etc/openstack/clouds.yaml 
clouds:
  devstack-system-admin:
    auth:
      auth_url: http://10.0.3.122/identity
      password: nomoresecret
      system_scope: all
      username: admin
    identity_api_version: '3'
    region_name: RegionOne
    volume_api_version: '3'
~ export OS_CLOUD=devstack-system-admin
~ openstack token issue --debug
START with options: token issue --debug
options: Namespace(access_key='', access_secret='***', access_token='***', access_token_endpoint='', access_token_type='', application_credential_id='', application_credential_name='', application_credential_secret='***', auth_methods='', auth_type='', auth_url='', cacert=None, cert='', client_id='', client_secret='***', cloud='devstack-system-admin', code='', consumer_key='', consumer_secret='***', debug=True, default_domain='default', default_domain_id='', default_domain_name='', deferred_help=False, discovery_endpoint='', domain_id='', domain_name='', endpoint='', identity_provider='', identity_provider_url='', insecure=None, interface='public', key='', log_file=None, openid_scope='', os_beta_command=False, os_compute_api_version='', os_identity_api_version='', os_image_api_version='', os_key_manager_api_version='1', os_network_api_version='', os_object_api_version='', os_project_id=None, os_project_name=None, os_volume_api_version='', passcode='', password='***', profile='', project_domain_id='', project_domain_name='', project_id='', project_name='', protocol='', redirect_uri='', region_name='', remote_project_domain_id='', remote_project_domain_name='', remote_project_id='', remote_project_name='', service_provider='', service_provider_endpoint='', service_provider_entity_id='', system_scope='', timing=False, token='***', trust_id='', url='', user_domain_id='', user_domain_name='', user_id='', username='', verbose_level=3, verify=None)
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
defaults: {u'auth_type': 'password', u'status': u'active', u'image_status_code_retries': 5, u'baremetal_introspection_status_code_retries': 5, 'api_timeout': None, 'cacert': None, u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, u'interface': u'public', u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', u'baremetal_status_code_retries': 5, 'verify': True, 'cert': None, u'secgroup_source': u'neutron', u'object_store_api_version': u'1', u'disable_vendor_agent': {}}
cloud cfg: {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
compute API version 2.1, cmd group openstack.compute.v2
network API version 2, cmd group openstack.network.v2
image API version 2, cmd group openstack.image.v2
volume API version 3, cmd group openstack.volume.v3
identity API version 3, cmd group openstack.identity.v3
object_store API version 1, cmd group openstack.object_store.v1
key_manager API version 1, cmd group openstack.key_manager.v1
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'cacert': None, u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, 'timing': False, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'interface': 'public', u'disable_vendor_agent': {}}
command: token issue -> openstackclient.identity.v3.token.IssueToken (auth=True)
Auth plugin password selected
auth_config_hook(): {'auth_type': 'password', 'beta_command': False, u'image_status_code_retries': '5', 'timing': False, 'additional_user_agent': [('osc-lib', '1.13.0')], u'network_api_version': u'2', u'message': u'', u'image_format': u'qcow2', 'networks': [], 'cloud': 'devstack-system-admin', 'verify': True, u'object_store_api_version': u'1', u'status': u'active', 'verbose_level': 3, 'region_name': 'RegionOne', u'baremetal_introspection_status_code_retries': '5', 'api_timeout': None, 'auth': {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}, 'default_domain': 'default', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', 'key': None, u'interface': 'public', 'cacert': None, 'key_manager_api_version': '1', u'baremetal_status_code_retries': '5', 'identity_api_version': '3', 'volume_api_version': '3', 'deferred_help': False, 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'disable_vendor_agent': {}}
Using auth plugin: password
Using parameters {'username': 'admin', 'system_scope': 'all', 'user_domain_id': 'default', 'auth_url': 'http://10.0.3.122/identity', 'password': '***', 'project_domain_id': 'default'}
Get auth_ref
REQ: curl -g -i -X GET http://10.0.3.122/identity -H "Accept: application/json" -H "User-Agent: openstacksdk/0.34.0 keystoneauth1/3.17.0 python-requests/2.22.0 CPython/2.7.15+"
Starting new HTTP connection (1): 10.0.3.122:80
http://10.0.3.122:80 "GET /identity HTTP/1.1" 300 269
RESP: [300] Connection: close Content-Length: 269 Content-Type: application/json Date: Mon, 28 Oct 2019 16:39:15 GMT Location: http://10.0.3.122/identity/v3/ Server: Apache/2.4.29 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-ea136c69-663f-4ff7-8774-c8bbc00b6a21
RESP BODY: {"versions": {"values": [{"status": "stable", "updated": "2019-07-19T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.13", "links": [{"href": "http://10.0.3.122/identity/v3/", "rel": "self"}]}]}}
GET call to http://10.0.3.122/identity used request id req-ea136c69-663f-4ff7-8774-c8bbc00b6a21
Making authentication request to http://10.0.3.122/identity/v3/auth/tokens
Resetting dropped connection: 10.0.3.122
http://10.0.3.122:80 "POST /identity/v3/auth/tokens HTTP/1.1" 201 1194
{"token": {"methods": ["password"], "roles": [{"id": "7a11d0ba747046d7936fbb8f97dc5cb1", "name": "admin"}, {"id": "a8cd98f2e98d4135b2fa83950d6171ec", "name": "member"}, {"id": "7ee093f4ccf345bba963ce765f9b797f", "name": "reader"}], "system": {"all": true}, "expires_at": "2019-10-28T17:39:15.000000Z", "catalog": [{"endpoints": [{"url": "http://10.0.3.122/image", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "279159944f0843179bb376b4a7ac5c45"}], "type": "image", "id": "24305f1e70ec474d895e409f4b339f18", "name": "glance"}, {"endpoints": [{"url": "http://10.0.3.122/identity", "interface": "admin", "region": "RegionOne", "region_id": "RegionOne", "id": "5ba5cca8ad654f5ea9d633321893d620"}, {"url": "http://10.0.3.122/identity", "interface": "public", "region": "RegionOne", "region_id": "RegionOne", "id": "f3b136a56d1a4839bd1bc50a070f8f86"}], "type": "identity", "id": "da3d368b566b4a9686ddadbb64004c26", "name": "keystone"}], "user": {"domain": {"id": "default", "name": "Default"}, "password_expires_at": null, "name": "admin", "id": "0ec0eb48c66d4fb79c432a2ff8c5d257"}, "audit_ids": ["P5zzDVnVT8KpYE5tRyZbGQ"], "issued_at": "2019-10-28T16:39:15.000000Z"}}
run(Namespace(columns=[], fit_width=False, formatter='table', max_width=0, noindent=False, prefix='', print_empty=False, variables=[]))
+---------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field   | Value                                                                                                                                                              |
+---------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2019-10-28T17:39:15+0000                                                                                                                                           |
| id      | gAAAAABdtxmz2WNKmr8MN1YrpeUmHStlEYtVBFYCFu7p-pTydw4A_Rx2RGJrojJ_C84fEN6ZOXx7lsoFTjd35D0Ft3hO2_icijtxG-rGk67QlABaI7udZAS29viUmJs-YXsrJr2wZ7JWjf_oM23QJ80Gv_ND2sjXww |
| system  | all                                                                                                                                                                |
| user_id | 0ec0eb48c66d4fb79c432a2ff8c5d257                                                                                                                                   |
+---------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+
clean_up IssueToken: 
END return value: 0

We use --debug when issuing the token so that python-openstackclient prints the entire token response. Copy that response into a separate file called token.json. Later, we'll pass this file to oslopolicy-checker.

~ cat token.json 
{
    "token": {
        "audit_ids": [
            "0BKTVJgzSgmdH77WtYMZ2A"
        ],
        "catalog": [
            {
                "endpoints": [
                    {
                        "id": "279159944f0843179bb376b4a7ac5c45",
                        "interface": "public",
                        "region": "RegionOne",
                        "region_id": "RegionOne",
                        "url": "http://10.0.3.122/image"
                    }
                ],
                "id": "24305f1e70ec474d895e409f4b339f18",
                "name": "glance",
                "type": "image"
            },
            {
                "endpoints": [
                    {
                        "id": "5ba5cca8ad654f5ea9d633321893d620",
                        "interface": "admin",
                        "region": "RegionOne",
                        "region_id": "RegionOne",
                        "url": "http://10.0.3.122/identity"
                    },
                    {
                        "id": "f3b136a56d1a4839bd1bc50a070f8f86",
                        "interface": "public",
                        "region": "RegionOne",
                        "region_id": "RegionOne",
                        "url": "http://10.0.3.122/identity"
                    }
                ],
                "id": "da3d368b566b4a9686ddadbb64004c26",
                "name": "keystone",
                "type": "identity"
            }
        ],
        "expires_at": "2019-10-28T17:34:03.000000Z",
        "issued_at": "2019-10-28T16:34:03.000000Z",
        "methods": [
            "password"
        ],
        "roles": [
            {
                "id": "7a11d0ba747046d7936fbb8f97dc5cb1",
                "name": "admin"
            },
            {
                "id": "a8cd98f2e98d4135b2fa83950d6171ec",
                "name": "member"
            },
            {
                "id": "7ee093f4ccf345bba963ce765f9b797f",
                "name": "reader"
            }
        ],
        "system": {
            "all": true
        },
        "user": {
            "domain": {
                "id": "default",
                "name": "Default"
            },
            "id": "0ec0eb48c66d4fb79c432a2ff8c5d257",
            "name": "admin",
            "password_expires_at": null
        }
    }
}

Next, invoke the tool and point to a policy file.

~ oslopolicy-checker --policy /etc/keystone/policy.yaml --access token.json
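As an added illustration (not the gist's code and not oslo.policy's own implementation), here is a small Python script that does what the checker does under the hood: flatten the token response into the credential dictionary that the enforcer's generic checks look up, then evaluate rules against it. The token and the policy rules are constructed samples modelled on the ones above, and the evaluator covers only a subset of the oslo.policy rule syntax; it shows that a system-scoped token satisfies system_scope:all rules while a rule written for project-scoped tokens fails.

```python
TOKEN = {"token": {  # constructed sample, trimmed from the token.json shape above
    "roles": [{"name": "admin"}, {"name": "member"}, {"name": "reader"}],
    "system": {"all": True},
    "user": {"id": "0ec0eb48c66d4fb79c432a2ff8c5d257", "domain": {"id": "default"}}}}
RULES = {  # constructed policy fragment modelled on keystone-style rules
    "admin_required": "role:admin",
    "system_reader": "role:reader and system_scope:all",
    "system_admin": "rule:admin_required and system_scope:all",
    "identity:list_users": "rule:system_reader or (role:reader and domain_id:default)",
    "project_member": "role:member and not system_scope:all",
}

def token_to_creds(resp):
    """Flatten a token response (json.load of token.json) into the flat creds dict."""
    tok = resp["token"]
    return {
        "roles": [r["name"] for r in tok.get("roles", [])],
        "user_id": tok["user"]["id"],
        "project_id": tok.get("project", {}).get("id"),
        "domain_id": tok.get("domain", {}).get("id"),
        "system_scope": "all" if tok.get("system", {}).get("all") else None,
    }

def check(rule, creds, rules):
    """Evaluate a subset of oslo.policy syntax: kind:value, rule:name, not/and/or, ()."""
    toks, pos = rule.replace("(", " ( ").replace(")", " ) ").split(), [0]
    def atom():
        t = toks[pos[0]]; pos[0] += 1
        if t == "(":
            v = expr(); pos[0] += 1  # consume the closing ')'
            return v
        if t == "not":
            return not atom()
        kind, _, val = t.partition(":")
        if kind == "rule":
            return check(rules[val], creds, rules)
        if kind == "role":
            return val in creds["roles"]
        return str(creds.get(kind)) == val  # generic check, e.g. system_scope:all
    def term():  # 'and' binds tighter than 'or', as in oslo.policy
        v = atom()
        while pos[0] < len(toks) and toks[pos[0]] == "and":
            pos[0] += 1; v = atom() and v
        return v
    def expr():
        v = term()
        while pos[0] < len(toks) and toks[pos[0]] == "or":
            pos[0] += 1; v = term() or v
        return v
    return expr()
```

The real tool prints a pass or fail line for every rule in the policy file; check() returns the same kind of verdict for one rule at a time.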