Manual Openstack Install: WARNING: ... No Policy rules for service 'identity'


Problem description

Installed Openstack Train release manually.

When logged into the Horizon Dashboard as a non-admin role and clicking through the dashboard there are errors that pop up on the top right hand corner.

Specifically, Under Compute > Images there are two errors that occur:

  1. Error: Forbidden. Insufficient permissions of the requested operation
  2. Error: Unable to retrieve the project

Looking in the error_log for httpd it shows these errors over and over again:

WARNING openstack_auth.policy No policy rules for service 'network' in /usr/share/openstack-dashboard/openstack_dashboard/conf/neutron_policy.json 
WARNING openstack_auth.policy No policy rules for service 'identity' in /usr/share/openstack-dashboard/openstack_dashboard/conf/keystone_policy.json

When attempting to go to /usr/share/openstack-dashboard/openstack_dashboard/ and look at keystone_policy.json or neutron_policy.json the conf directory is missing and so are the files.

Openstack states that each service has their own policy.json file (or yaml if using the newer version) (Openstack Documentation). However, when I go to the services files they are empty. My question is does one simply create these policy.json files? Openstack documentation states it is not recommended to change the policy.json files which makes me think this is a bug. Have others experienced similar issues?

UPDATE

I have since created the conf directory under /usr/share/openstack-dashboard/openstack_dashboard. I then used the oslo generator to create new policy files for each service using the following command: oslopolicy-policy-generator --namespace keystone --output-file keystone_policy.json

I restarted apache and logged into horizon as an admin and realized my admin user is not able to create projects, users, or roles.

Currently been stuck on this for about a week.

Anyone having similar issues?

Solution

So it looks like yaml files may not be working properly in the Train release.

The oslopolicy-policy-generator --namespace keystone --output-file keystone_policy.json command generates a file ending in .json but it actually looks like yaml syntax.

When placed in the /usr/share/openstack-dashboard/openstack_dashboard/conf folder the policy file isn't applied correctly.

The following command is what finally fixed all of my issues with policy files:

oslopolicy-policy-upgrade \
--config-file /etc/keystone/keystone.conf \
--format json \
--namespace keystone \
--output-file keystone_policy_2.json \
--policy keystone_policy.json

When checking /var/log/keystone/keystone.log the following message was noticed:

Deprecated policy rules found. Use oslopolicy-policy-generator and oslopolicy-policy-upgrade to detect and resolve deprecated policies in your configuration.

That is what prompted the use of oslopolicy-policy-upgrade -h

Also made sure that /openstack_dashboard/defaults.py said the following:

POLICY_FILES = {
    'identity': 'keystone_policy.json',
    'compute': 'nova_policy.json',
    'volume': 'cinder_policy.json',
    'image': 'glance_policy.json',
    'network': 'neutron_policy.json',
}

I want to point out that those two different commands output two different keystone_policy.json files. The first command has a lot of mention about system_scope:all and the second command has simpler rules like: "identity:list_users_in_group": "rule:admin_required". So maybe this had to do with using IdentityV3 vs V2?

That much I am not sure. But I am glad permissions are being applied correctly.
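A pre-flight check for the situation described in the answer above, added here as an example and not part of the original post or of Horizon's code: it walks the POLICY_FILES mapping quoted above and reports, per service, whether the file in the dashboard's conf directory is missing, empty, not parseable as JSON (for instance YAML-style generator output saved under a .json name), or a usable JSON rule set. The function names and the sample strings are constructed for illustration, and treating non-JSON content as a failure is an assumption based on the behaviour reported in the answer.

```python
import json
import os

# Mapping quoted on this page from openstack_dashboard/defaults.py.
POLICY_FILES = {
    'identity': 'keystone_policy.json',
    'compute': 'nova_policy.json',
    'volume': 'cinder_policy.json',
    'image': 'glance_policy.json',
    'network': 'neutron_policy.json',
}


def classify_policy_text(text):
    """Return 'empty', 'not-json', 'no-rules' or 'ok' for a policy file's text."""
    if not text.strip():
        return 'empty'
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        # Typical cause: YAML-style output written to a file named *.json.
        return 'not-json'
    if not isinstance(data, dict) or not data:
        return 'no-rules'
    return 'ok'


def audit_conf_dir(conf_dir, policy_files=POLICY_FILES):
    """Map each service to 'missing' or the classification of its policy file."""
    report = {}
    for service, name in policy_files.items():
        path = os.path.join(conf_dir, name)
        if not os.path.isfile(path):
            report[service] = 'missing'
            continue
        with open(path, encoding='utf-8') as fh:
            report[service] = classify_policy_text(fh.read())
    return report


# Constructed samples (not taken from a real deployment).
YAML_STYLE = '# List users in group.\n"identity:list_users_in_group": "rule:admin_required"\n'
JSON_STYLE = '{"admin_required": "role:admin", "identity:list_users_in_group": "rule:admin_required"}'

if __name__ == '__main__':
    conf = '/usr/share/openstack-dashboard/openstack_dashboard/conf'
    for service, status in audit_conf_dir(conf).items():
        print(f'{service:10} {status}')
```

Any service reported as anything other than ok is one whose dashboard-side rules deserve a look before trusting what Horizon shows or hides for non-admin users.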
