[openstack-dev] [keystone] domain admin role query
dolph.mathews at gmail.com
Wed Dec 11 16:04:22 UTC 2013
On Tue, Dec 10, 2013 at 10:49 PM, Jamie Lennox <jamielennox at redhat.com>wrote:
> Using the default policies it will simply check for the admin role and not
> care about the domain that admin is limited to. This is partially a left
> over from the V2 api when there wasn't domains to worry about.
> A better example of policies are in the file
> etc/policy.v3cloudsample.json. In there you will see the rule for
> create_project is:
> "identity:create_project": "rule:admin_required and
> as opposed to (in policy.json):
> "identity:create_project": "rule:admin_required",
> This is what you are looking for to scope the admin role to a domain.
We need to start moving the rules from policy.v3cloudsample.json to the
default policy.json =)
> ----- Original Message -----
> > From: "Ravi Chunduru" <ravivsn at gmail.com>
> > To: "OpenStack Development Mailing List" <
> openstack-dev at lists.openstack.org>
> > Sent: Wednesday, 11 December, 2013 11:23:15 AM
> > Subject: [openstack-dev] [keystone] domain admin role query
> > Hi,
> > I am trying out Keystone V3 APIs and domains.
> > I created an domain, created a project in that domain, created an user in
> > that domain and project.
> > Next, gave an admin role for that user in that domain.
> > I am assuming that user is now admin to that domain.
> > Now, I got a scoped token with that user, domain and project. With that
> > token, I tried to create a new project in that domain. It worked.
> > But, using the same token, I could also create a new project in a
> > domain too. I expected it should throw authentication error. Is it a bug?
> > Thanks,
> > --
> > Ravi
> > _______________________________________________
> > OpenStack-dev mailing list
> > OpenStack-dev at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev