[openstack-dev] [keystone] domain admin role query

Paul Belanger paul.belanger at polybeacon.com
Thu Dec 12 03:11:24 UTC 2013

On 13-12-11 11:18 AM, Lyle, David wrote:
> +1 on moving the domain admin role rules to the default policy.json
> -David Lyle
> From: Dolph Mathews [mailto:dolph.mathews at gmail.com]
> Sent: Wednesday, December 11, 2013 9:04 AM
> To: OpenStack Development Mailing List (not for usage questions)
> Subject: Re: [openstack-dev] [keystone] domain admin role query
> On Tue, Dec 10, 2013 at 10:49 PM, Jamie Lennox <jamielennox at redhat.com> wrote:
> Using the default policies it will simply check for the admin role and not care about the domain that admin is limited to. This is partially a left over from the V2 api when there weren't domains to worry about.
> A better example of policies are in the file etc/policy.v3cloudsample.json. In there you will see the rule for create_project is:
>      "identity:create_project": "rule:admin_required and domain_id:%(project.domain_id)s",
> as opposed to (in policy.json):
>      "identity:create_project": "rule:admin_required",
> This is what you are looking for to scope the admin role to a domain.
> We need to start moving the rules from policy.v3cloudsample.json to the default policy.json =)
> Jamie
> ----- Original Message -----
>> From: "Ravi Chunduru" <ravivsn at gmail.com>
>> To: "OpenStack Development Mailing List" <openstack-dev at lists.openstack.org>
>> Sent: Wednesday, 11 December, 2013 11:23:15 AM
>> Subject: [openstack-dev] [keystone] domain admin role query
>> Hi,
>> I am trying out Keystone V3 APIs and domains.
>> I created a domain, created a project in that domain, created a user in
>> that domain and project.
>> Next, gave an admin role for that user in that domain.
>> I am assuming that user is now admin to that domain.
>> Now, I got a scoped token with that user, domain and project. With that
>> token, I tried to create a new project in that domain. It worked.
>> But, using the same token, I could also create a new project in a 'default'
>> domain too. I expected it should throw authentication error. Is it a bug?
>> Thanks,
>> --
>> Ravi

One of the issues I had this week while using the 
policy.v3cloudsample.json was I had no easy way of creating a domain 
with the id of 'admin_domain_id'.  I basically had to modify the SQL 
directly to do it.

Any chance we can create a 2nd domain using 'admin_domain_id' via 
keystone-manage sync_db?

Paul Belanger | PolyBeacon, Inc.
Jabber: paul.belanger at polybeacon.com | IRC: pabelanger (Freenode)
Github: https://github.com/pabelanger | Twitter: 
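The difference between the two `identity:create_project` rules quoted above can be seen by evaluating them against the scenario Ravi describes. The following is an added illustration, not Keystone's own policy engine: it implements only the small subset of the rule language the thread uses (`rule:`, `role:`, and `attr:%(target.path)s` target checks joined by `and`/`or`), with `admin_required` written as `role:admin` as a stand-in for the real definition. The token credentials and domain ids are constructed for the example.

```python
import re
from typing import Any, Dict, List

# The two "identity:create_project" rules are the ones quoted in the thread.
# "admin_required" being "role:admin" is an assumption, standing in for the
# real rule in Keystone's policy files.
DEFAULT_POLICY: Dict[str, str] = {
    "admin_required": "role:admin",
    "identity:create_project": "rule:admin_required",
}

V3CLOUDSAMPLE_POLICY: Dict[str, str] = {
    "admin_required": "role:admin",
    "identity:create_project": (
        "rule:admin_required and domain_id:%(project.domain_id)s"
    ),
}

# Matches a target reference such as "%(project.domain_id)s".
_TARGET_REF = re.compile(r"^%\((?P<path>[\w.]+)\)s$")


def _lookup(target: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted path such as 'project.domain_id' against the target."""
    value: Any = target
    for part in path.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def _check(term: str, policy: Dict[str, str],
           creds: Dict[str, Any], target: Dict[str, Any]) -> bool:
    """Evaluate one term of a rule expression."""
    kind, _, match = term.strip().partition(":")
    if kind == "rule":
        return evaluate(match, policy, creds, target)
    if kind == "role":
        roles: List[str] = creds.get("roles", [])
        return match in roles
    ref = _TARGET_REF.match(match)
    if ref:
        # Credential attribute must equal a target attribute: here the
        # token's domain_id must equal the domain of the project being created.
        expected = _lookup(target, ref.group("path"))
        return expected is not None and creds.get(kind) == expected
    # Literal comparison, e.g. "is_admin:1".
    return str(creds.get(kind)) == match


def evaluate(rule_name: str, policy: Dict[str, str],
             creds: Dict[str, Any], target: Dict[str, Any]) -> bool:
    """Evaluate a named rule; 'and' binds tighter than 'or', unknown rules deny."""
    expr = policy.get(rule_name)
    if expr is None:
        return False
    return any(
        all(_check(term, policy, creds, target) for term in clause.split(" and "))
        for clause in expr.split(" or ")
    )


def can_create_project(policy: Dict[str, str], token_creds: Dict[str, Any],
                       project_domain_id: str) -> bool:
    """Would this token be allowed to create a project in the given domain?"""
    target = {"project": {"domain_id": project_domain_id}}
    return evaluate("identity:create_project", policy, token_creds, target)


# Constructed credentials modelled on the thread: a user holding the admin
# role, with a token scoped to domain "dom-a".
RAVI_TOKEN: Dict[str, Any] = {
    "roles": ["admin"],
    "domain_id": "dom-a",
    "project_id": "proj-a",
}

if __name__ == "__main__":
    for name, policy in (("policy.json", DEFAULT_POLICY),
                         ("policy.v3cloudsample.json", V3CLOUDSAMPLE_POLICY)):
        for dom in ("dom-a", "default"):
            allowed = can_create_project(policy, RAVI_TOKEN, dom)
            print(f"{name}: create project in {dom!r} -> {allowed}")
```

Under the default `policy.json` rule the token creates projects in both `dom-a` and `default`, which is the behaviour Ravi observed; under the `policy.v3cloudsample.json` rule the `domain_id:%(project.domain_id)s` term denies the `default` domain because the token's domain does not match.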
