[openstack-dev] [keystone] domain admin role query

Jamie Lennox jamielennox at redhat.com
Wed Dec 11 04:49:03 UTC 2013

Using the default policies it will simply check for the admin role and not care about the domain that admin is limited to. This is partially a left over from the V2 api when there wasn't domains to worry about.

A better example of policies are in the file etc/policy.v3cloudsample.json. In there you will see the rule for create_project is: 

    "identity:create_project": "rule:admin_required and domain_id:%(project.domain_id)s",

as opposed to (in policy.json): 

    "identity:create_project": "rule:admin_required",

This is what you are looking for to scope the admin role to a domain. 


----- Original Message -----
> From: "Ravi Chunduru" <ravivsn at gmail.com>
> To: "OpenStack Development Mailing List" <openstack-dev at lists.openstack.org>
> Sent: Wednesday, 11 December, 2013 11:23:15 AM
> Subject: [openstack-dev] [keystone] domain admin role query
> Hi,
> I am trying out Keystone V3 APIs and domains.
> I created an domain, created a project in that domain, created an user in
> that domain and project.
> Next, gave an admin role for that user in that domain.
> I am assuming that user is now admin to that domain.
> Now, I got a scoped token with that user, domain and project. With that
> token, I tried to create a new project in that domain. It worked.
> But, using the same token, I could also create a new project in a 'default'
> domain too. I expected it should throw authentication error. Is it a bug?
> Thanks,
> --
> Ravi
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

More information about the OpenStack-dev mailing list