[openstack-dev] Kilo v3 identity problems

Amy Zhang amy.u.zhang at gmail.com
Fri Jun 5 23:54:40 UTC 2015


Hi everyone,

Thanks for helping me. I set up the wrong filter on my mail, so I missed the
topic. Thanks to Farhan for forwarding the email to me.

Thanks Dolph Mathews, you got the point. Bingo!!! I didn't assign the
admin user to the default domain. I didn't have this problem when I worked
with the Icehouse version; I guess it didn't check the domain scope for the
admin user back then. After I assigned admin to the default domain, it all
works correctly now. Thanks a lot.

Thanks Lin Hua Cheng, yes, the problem is I missed the domain-scoped
token for the admin user.

To Rich Megginson: I am using the v3 sample policy file, which is
https://github.com/openstack/keystone/blob/f6c01dd1673b290578e9fff063e27104412ffeda/etc/policy.v3cloudsample.json
For any change in the policy file, you don't need to restart the service. You
only restart the service when you change the code in the server.

Thanks to all.

Amy Zhang

On Fri, Jun 5, 2015 at 3:17 PM, Farhan Patwa <farhan.patwa at gmail.com> wrote:

>
> Forwarded conversation
> Subject: [openstack-dev] Kilo v3 identity problems
> ------------------------
>
> From: *Amy Zhang* <amy.u.zhang at gmail.com>
> Date: Wed, Jun 3, 2015 at 11:29 AM
> To: "OpenStack Development Mailing List (not for usage questions)" <
> openstack-dev at lists.openstack.org>
>
>
> Hi guys,
>
> I have installed Kilo and am trying to use identity v3. I am using the v3
> policy file. I changed the domain_id for cloud admin to "default". As cloud admin,
> I tried "openstack domain list" and got the error message saying that I was
> not authorized.
>
> The part I changed in policy.json:
>
> "cloud_admin": "rule:admin_required and domain_id:default",
>
>
> The error I got from "openstack domain list":
>
> ERROR: openstack You are not authorized to perform the requested action:
> identity:create_domain (Disable debug mode to suppress these details.)
> (HTTP 403) (Request-ID: req-2f42b1da-9933-4494-9b39-c1664d154377)
>
> Has anyone tried identity v3 in Kilo? Did you have this problem? Any
> suggestions?
>
> Thanks
> Amy
> --
> Best regards,
> Amy (Yun Zhang)
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
> ----------
> From: *Rich Megginson* <rmeggins at redhat.com>
> Date: Wed, Jun 3, 2015 at 11:52 AM
> To: "OpenStack Development Mailing List (not for usage questions)" <
> openstack-dev at lists.openstack.org>
>
>
> Can you paste your policy file somewhere?  Did you restart the keystone
> service after changing your policy?  Can you provide your exact openstack
> command line arguments and/or the rc file you sourced into your shell
> environment before running openstack?
>
>
>
> ----------
> From: *Lin Hua Cheng* <os.lcheng at gmail.com>
> Date: Wed, Jun 3, 2015 at 1:00 PM
> To: "OpenStack Development Mailing List (not for usage questions)" <
> openstack-dev at lists.openstack.org>
>
>
> The command requires a domain scoped token.
>
> Did you set the environment variable so that OSC uses a domain scoped
> token? This can be done by providing OS_DOMAIN_NAME instead of
> OS_PROJECT_NAME.
>
> -Lin
>
>
>
> ----------
> From: *Dolph Mathews* <dolph.mathews at gmail.com>
> Date: Wed, Jun 3, 2015 at 1:16 PM
> To: "OpenStack Development Mailing List (not for usage questions)" <
> openstack-dev at lists.openstack.org>
>
>
> I assume that by "v3 policy file" you're specifically referring to:
>
>
> https://github.com/openstack/keystone/blob/f6c01dd1673b290578e9fff063e27104412ffeda/etc/policy.v3cloudsample.json
>
> Which essentially illustrates enforcement of a much more powerful
> authorization model than most deployers are familiar with today. You'll
> need to create and consume a domain-based role assignment, for example (do
> you have a role assigned to your user on the "default" domain? Are you
> accessing "openstack domain list" with a domain-scoped token?).
>
> Unless you're ready to experiment with that new policy model, the default
> policy file is also designed for v3 and its behavior is probably what
> you're expecting:
>
>
> https://github.com/openstack/keystone/blob/f6c01dd1673b290578e9fff063e27104412ffeda/etc/policy.json
>
> Perhaps "policy.v3cloudsample.json" is poorly named if it implies that
> it's somehow a pre-requisite to getting started with the v3 API?
>
>
>
> ----------
> From: *Steve Martinelli* <stevemar at ca.ibm.com>
> Date: Wed, Jun 3, 2015 at 2:20 PM
> To: "OpenStack Development Mailing List (not for usage questions)" <
> openstack-dev at lists.openstack.org>
>
>
> Dolph Mathews <dolph.mathews at gmail.com> wrote on 06/03/2015 02:16:55 PM:
>
> > From: Dolph Mathews <dolph.mathews at gmail.com>
> > To: "OpenStack Development Mailing List (not for usage questions)"
> > <openstack-dev at lists.openstack.org>
> > Date: 06/03/2015 02:17 PM
> > Subject: Re: [openstack-dev] Kilo v3 identity problems
> >
> > I assume that by "v3 policy file" you're specifically referring to:
> >
> >   https://github.com/openstack/keystone/blob/f6c01dd1673b290578e9fff063e27104412ffeda/etc/policy.v3cloudsample.json
> >
> > Which essentially illustrates enforcement of a much more powerful
> > authorization model than most deployers are familiar with today.
> > You'll need to create and consume a domain-based role assignment,
> > for example (do you have a role assigned to your user on the
> > "default" domain? Are you accessing "openstack domain list" with a
> > domain-scoped token?).
> >
> > Unless you're ready to experiment with that new policy model, the
> > default policy file is also designed for v3 and its behavior is
> > probably what you're expecting:
> >
> >   https://github.com/openstack/keystone/blob/f6c01dd1673b290578e9fff063e27104412ffeda/etc/policy.json
> >
> > Perhaps "policy.v3cloudsample.json" is poorly named if it implies
> > that it's somehow a pre-requisite to getting started with the v3 API?
>
> ++ I think so, I've had to field many questions and comments about folks
> using this file when they really just need the "usual" one.
>
> Steve Martinelli
> OpenStack Keystone Core
>
>
>
>


-- 
Best regards,
Amy (Yun Zhang)
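
Added example, not part of the thread and not keystone or oslo.policy code: a simplified Python model of the `cloud_admin` rule quoted above, showing why a project-scoped admin token fails the `domain_id:default` check while a domain-scoped token with the admin role passes. The `admin_required` definition, the `check` and `is_cloud_admin` helpers, and the credential dictionaries are assumptions constructed for illustration.

```python
# Simplified model of policy rule evaluation; NOT oslo.policy or keystone code.
# Only "and"-joined kind:value terms are supported, which is all the quoted
# rule needs.

RULES = {
    # Assumption: admin_required reduces to holding the "admin" role.
    "admin_required": "role:admin",
    # Rule as quoted in the thread.
    "cloud_admin": "rule:admin_required and domain_id:default",
}


def check(expr, creds, rules=RULES):
    """Return True only if every term of the expression matches the creds."""
    for term in expr.split(" and "):
        kind, _, value = term.strip().partition(":")
        if kind == "rule":
            ok = check(rules[value], creds, rules)
        elif kind == "role":
            ok = value in creds.get("roles", [])
        else:
            # Generic check: the attribute must be present in the token's
            # credentials and equal the expected value. A project-scoped
            # token carries project_id, not domain_id, so it fails here.
            ok = creds.get(kind) == value
        if not ok:
            return False
    return True


def is_cloud_admin(creds):
    return check(RULES["cloud_admin"], creds)


# Constructed credentials, modelled on what each token scope carries.
PROJECT_SCOPED = {"user_id": "u1", "project_id": "p1", "roles": ["admin"]}
DOMAIN_SCOPED = {"user_id": "u1", "domain_id": "default", "roles": ["admin"]}
DOMAIN_NO_ROLE = {"user_id": "u1", "domain_id": "default", "roles": []}

if __name__ == "__main__":
    for name, creds in [("project-scoped admin", PROJECT_SCOPED),
                        ("domain-scoped admin", DOMAIN_SCOPED),
                        ("domain-scoped, no role", DOMAIN_NO_ROLE)]:
        print(f"{name}: cloud_admin={is_cloud_admin(creds)}")
```

Both conditions from the thread appear as separate failures here: the token must be scoped to the domain, and the user must hold the role on that domain.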