[openstack-dev] [keystone] domain admin role query

Dolph Mathews dolph.mathews at gmail.com
Wed Dec 11 16:04:22 UTC 2013


On Tue, Dec 10, 2013 at 10:49 PM, Jamie Lennox <jamielennox at redhat.com> wrote:

> Using the default policies it will simply check for the admin role and not
> care about the domain that admin is limited to. This is partially a
> leftover from the V2 API when there weren't domains to worry about.
>
> A better example of policies are in the file
> etc/policy.v3cloudsample.json. In there you will see the rule for
> create_project is:
>
>     "identity:create_project": "rule:admin_required and domain_id:%(project.domain_id)s",
>
> as opposed to (in policy.json):
>
>     "identity:create_project": "rule:admin_required",
>
> This is what you are looking for to scope the admin role to a domain.
>
>
We need to start moving the rules from policy.v3cloudsample.json to the
default policy.json =)


>
> Jamie
>
> ----- Original Message -----
> > From: "Ravi Chunduru" <ravivsn at gmail.com>
> > To: "OpenStack Development Mailing List" <openstack-dev at lists.openstack.org>
> > Sent: Wednesday, 11 December, 2013 11:23:15 AM
> > Subject: [openstack-dev] [keystone] domain admin role query
> >
> > Hi,
> > I am trying out Keystone V3 APIs and domains.
> > I created a domain, created a project in that domain, created a user in
> > that domain and project.
> > Next, gave an admin role for that user in that domain.
> >
> > I am assuming that user is now admin to that domain.
> > Now, I got a scoped token with that user, domain and project. With that
> > token, I tried to create a new project in that domain. It worked.
> >
> > But, using the same token, I could also create a new project in a
> > 'default' domain too. I expected it should throw an authentication error. Is it a bug?
> >
> > Thanks,
> > --
> > Ravi
> >
> > _______________________________________________
> > OpenStack-dev mailing list
> > OpenStack-dev at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >



-- 

-Dolph
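As an added example (not part of this thread and not Keystone's own code): a minimal evaluator for the two policy.json rule strings Jamie quoted, assuming an oslo.policy-style "kind:value" grammar and Keystone's flattened target keys such as project.domain_id; it replays Ravi's case of an admin scoped to one domain creating a project in the 'default' domain under each rule set.

```python
# Added example, not from the thread: evaluate the two quoted rule strings
# against a token holding the admin role in one domain. The rule sets and
# credentials below are constructed to mirror the snippets in the thread.
import re

# Constructed rule sets: the default policy.json rule vs. the v3cloudsample one.
RULES_DEFAULT = {
    "admin_required": "role:admin",
    "identity:create_project": "rule:admin_required",
}
RULES_V3CLOUD = {
    "admin_required": "role:admin",
    "identity:create_project":
        "rule:admin_required and domain_id:%(project.domain_id)s",
}

def _check(term, rules, creds, target):
    """Evaluate one 'kind:value' term against credentials and a target."""
    kind, _, value = term.partition(":")
    if kind == "rule":                       # reference to another rule
        return evaluate(rules[value], rules, creds, target)
    if kind == "role":                       # role carried in the token
        return value in creds.get("roles", [])
    # Generic check: the credential attribute must equal the target attribute
    # named by %(...)s (Keystone flattens nested targets to dotted keys).
    ref = re.fullmatch(r"%\((.+)\)s", value)
    if ref:
        return str(creds.get(kind)) == str(target.get(ref.group(1)))
    return str(creds.get(kind)) == value

def evaluate(rule, rules, creds, target):
    """'a and b or c' style expression; 'and' binds tighter than 'or'."""
    return any(
        all(_check(t.strip(), rules, creds, target) for t in clause.split(" and "))
        for clause in rule.split(" or ")
    )

def enforce(rules, action, creds, target):
    return evaluate(rules[action], rules, creds, target)

# Constructed credentials: admin role, token scoped to domain "d1".
CREDS = {"roles": ["admin"], "domain_id": "d1"}

if __name__ == "__main__":
    other = {"project.domain_id": "default"}   # project in the 'default' domain
    print(enforce(RULES_DEFAULT, "identity:create_project", CREDS, other))  # True
    print(enforce(RULES_V3CLOUD, "identity:create_project", CREDS, other))  # False
```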