[openstack-dev] [keystone] domain admin role query

Dolph Mathews dolph.mathews at gmail.com
Wed Dec 18 19:39:18 UTC 2013 

On Wed, Dec 18, 2013 at 12:48 PM, Ravi Chunduru <ravivsn at gmail.com> wrote:

> Thanks all for the information.
> I have now v3 policies in place, the issue is that as a domain admin I
> could not create a project in the domain. I get 403 unauthorized status.
>
> I see that when as a  'domain admin' request a token, the response did not
> have any roles.  In the token request, I couldnt specify the project - as
> we are about to create the project in next step.
>

Specify a domain as the "scope" to obtain domain-level authorization in the
resulting token.

See the third example under Scope:


https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#scope-scope


>
> Here is the complete request/response of all the steps done.
> https://gist.github.com/kumarcv/8015275
>
> I am assuming its a bug. Please let me know your opinions.
>
> Thanks,
> -Ravi.
>
>
>
>
> On Thu, Dec 12, 2013 at 3:00 PM, Henry Nash <henryn at linux.vnet.ibm.com>wrote:
>
>> Hi
>>
>> So the idea wasn't the you create a domain with the id of
>> 'domain_admin_id', rather that you create the domain that you plan to use
>> for your admin domain, and then paste its (auto-generated) domain_id into
>> the policy file.
>>
>> Henry
>> On 12 Dec 2013, at 03:11, Paul Belanger <paul.belanger at polybeacon.com>
>> wrote:
>>
>> > On 13-12-11 11:18 AM, Lyle, David wrote:
>> >> +1 on moving the domain admin role rules to the default policy.json
>> >>
>> >> -David Lyle
>> >>
>> >> From: Dolph Mathews [mailto:dolph.mathews at gmail.com]
>> >> Sent: Wednesday, December 11, 2013 9:04 AM
>> >> To: OpenStack Development Mailing List (not for usage questions)
>> >> Subject: Re: [openstack-dev] [keystone] domain admin role query
>> >>
>> >>
>> >> On Tue, Dec 10, 2013 at 10:49 PM, Jamie Lennox <jamielennox at redhat.com>
>> wrote:
>> >> Using the default policies it will simply check for the admin role and
>> not care about the domain that admin is limited to. This is partially a
>> left over from the V2 api when there wasn't domains to worry > about.
>> >>
>> >> A better example of policies are in the file
>> etc/policy.v3cloudsample.json. In there you will see the rule for
>> create_project is:
>> >>
>> >>   "identity:create_project": "rule:admin_required and
>> domain_id:%(project.domain_id)s",
>> >>
>> >> as opposed to (in policy.json):
>> >>
>> >>   "identity:create_project": "rule:admin_required",
>> >>
>> >> This is what you are looking for to scope the admin role to a domain.
>> >>
>> >> We need to start moving the rules from policy.v3cloudsample.json to
>> the default policy.json =)
>> >>
>> >>
>> >> Jamie
>> >>
>> >> ----- Original Message -----
>> >>> From: "Ravi Chunduru" <ravivsn at gmail.com>
>> >>> To: "OpenStack Development Mailing List" <
>> openstack-dev at lists.openstack.org>
>> >>> Sent: Wednesday, 11 December, 2013 11:23:15 AM
>> >>> Subject: [openstack-dev] [keystone] domain admin role query
>> >>>
>> >>> Hi,
>> >>> I am trying out Keystone V3 APIs and domains.
>> >>> I created an domain, created a project in that domain, created an
>> user in
>> >>> that domain and project.
>> >>> Next, gave an admin role for that user in that domain.
>> >>>
>> >>> I am assuming that user is now admin to that domain.
>> >>> Now, I got a scoped token with that user, domain and project. With
>> that
>> >>> token, I tried to create a new project in that domain. It worked.
>> >>>
>> >>> But, using the same token, I could also create a new project in a
>> 'default'
>> >>> domain too. I expected it should throw authentication error. Is it a
>> bug?
>> >>>
>> >>> Thanks,
>> >>> --
>> >>> Ravi
>> >>>
>> >
>> > One of the issues I had this week while using the
>> policy.v3cloudsample.json was I had no easy way of creating a domain with
>> the id of 'admin_domain_id'.  I basically had to modify the SQL directly to
>> do it.
>> >
>> > Any chance we can create a 2nd domain using 'admin_domain_id' via
>> keystone-manage sync_db?
>> >
>> > --
>> > Paul Belanger | PolyBeacon, Inc.
>> > Jabber: paul.belanger at polybeacon.com | IRC: pabelanger (Freenode)
>> > Github: https://github.com/pabelanger | Twitter:
>> https://twitter.com/pabelanger
>> >
>> > _______________________________________________
>> > OpenStack-dev mailing list
>> > OpenStack-dev at lists.openstack.org
>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> >
>>
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
> --
> Ravi
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>


-- 

-Dolph
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131218/024027bd/attachment.html>

More information about the OpenStack-dev mailing list