[openstack-dev] Mitaka: Identity V3 status and observations using domains

Nick Papadonis npapadonis at gmail.com
Fri Aug 19 19:19:41 UTC 2016

Hi Folks,

I'm playing with IDv3 in Mitaka and it doesn't seem to work as I'd expect.
Hopefully I'm understanding the way domains work.  The strategy is to
create a top level cloud_admin_dom and super user.  Then create a default
domain and admin user and default project and admin user.  Then create
another dom_0001 to test projects in a different domain.

The cloud_admin user works fine and appears to have privileges to do most
things.  Now, when I use the default domain admin user or default domain
default project admin user, I either get authentication issues from
Keystone or the policy json isn't allowing the default domain admin (not in
a project) to do things like list projects or users.  It appears folks have
used this a few different ways, and I'd appreciate insight from your experience.

As I understand it, the process (please correct me) is:

function get_id () {
    # Pull the "id" value out of the table OSC prints for a create command
    "$@" | grep ' id ' | awk '{print $4}'
}

# Create admin role
admin_role_id=$(get_id openstack role create admin)

# Create Cloud Admin Domain
cloud_admin_dom_id=$(get_id openstack domain create \
        --description "Cloud Admin Domain" cloud_admin_dom)

# Update policy for domain ID
# (the destination path was on a line the archive dropped; POLICY_OUT holds it)
sed -e "s/admin_domain_id/${cloud_admin_dom_id}/g" \
    /etc/keystone/policy.v3cloudsample.json > "${POLICY_OUT}"

# Create admin user for cloud admin domain
# (the user name was on a line the archive dropped; CLOUD_ADMIN_USER holds it)
cloud_admin_user_id=$(get_id openstack user create \
        --password secrete \
        --domain "${cloud_admin_dom_id}" \
        --description "Cloud Admin Domain Admin" \
        "${CLOUD_ADMIN_USER}")

# Assign admin role to admin user
openstack role add --domain "${cloud_admin_dom_id}" \
                   --user "${cloud_admin_user_id}" \
                   "${admin_role_id}"

# Create default domain (for legacy services)
def_dom_id=$(get_id openstack domain create \
            --description "Default Domain" default)

# Create admin user for default domain
# (the user name was on a line the archive dropped; DEF_DOM_ADMIN_USER holds it)
def_user_id=$(get_id openstack user create \
            --password secrete \
            --domain "${def_dom_id}" \
            --description "Default Domain Admin" \
            "${DEF_DOM_ADMIN_USER}")

# Assign admin role to admin user (inherited by projects in the domain)
openstack role add --domain "${def_dom_id}" \
                   --user "${def_user_id}" \
                   --inherited \
                   "${admin_role_id}"

# Create default project in default domain (for legacy services)
project_id=$(get_id openstack project create "${DEFAULT_PROJECT}" \
    --description "Default Project" --domain "${def_dom_id}")

# Create admin user for default project in default domain
user_id=$(get_id openstack user create admin_dom_default_proj_default \
    --project "${project_id}" \
    --password secrete \
    --domain "${def_dom_id}")

# Assign admin role to admin user in default domain and default project
openstack role add --project "${project_id}" \
                   --user "${user_id}" \
                   --inherited \
                   "${admin_role_id}"

# Create service role
service_role_id=$(get_id openstack role create service)

# Create service project in default domain
project_id=$(get_id openstack project create service \
    --description "Service Tenant" --domain "${def_dom_id}" --enable)

# Create service project admin in default domain
user_id=$(get_id openstack user create admin_default_dom_proj_service \
    --project "${project_id}" \
    --password secrete \
    --domain "${def_dom_id}")

# Assign admin role to admin user in service project
openstack role add --project "${project_id}" \
                   --user "${user_id}" \
                   --inherited \
                   "${admin_role_id}"

# First other Domain - dom_0001
dom_id=$(get_id openstack domain create \
            --description "Domain dom_0001" dom_0001)

# Create admin user for dom_0001
user_id=$(get_id openstack user create \
            --password secrete \
            --domain "${dom_id}" \
            --description "dom_0001 Admin" \
            admin_dom_0001)

# Assign admin role to admin_dom_0001 in domain dom_0001
openstack role add --domain "${dom_id}" \
                   --user "${user_id}" \
                   --user-domain "${dom_id}" \
                   --inherited \
                   "${admin_role_id}"

Also note, when adding:
    #--project-domain "${cloud_admin_dom_id}" \
    #--user-domain "${def_dom_id}" \

to openstack role add, I'm finding that OSC complains that the user ID doesn't
exist in the specified domain, when openstack user list --log shows it does. Odd.
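The "policy json isn't allowing the default domain admin to list projects or users" symptom is what policy.v3cloudsample.json does when the domain admin's request carries no domain filter. The Python below is an added example, not code from this post or from Keystone: a small evaluator for oslo.policy-style rule strings, fed the entries that decide identity:list_projects and identity:list_users. Assumptions: the rule strings are transcribed from the Mitaka sample file (compare with your installed copy), the domain and user IDs are constructed, and the admin_domain_id substitution mirrors the sed step in the script above. It goes beyond the post's single case by evaluating the cloud admin, a domain-scoped default-domain admin with and without a domain filter, and a project-scoped admin.

```python
"""Evaluate oslo.policy-style rules as Keystone does for identity:list_projects/users."""

# Constructed IDs for the scenarios below, not values from a real deployment.
CLOUD_ADMIN_DOM_ID = "8d6a1f4b3c2e4f5a9b0c1d2e3f4a5b6c"
DEFAULT_DOM_ID = "1f2e3d4c5b6a47f8a9b0c1d2e3f4a5b6"

# Entries that decide the two operations, transcribed from Mitaka's
# policy.v3cloudsample.json (assumption: compare with your installed copy).
SAMPLE_RULES = {
    "admin_required": "role:admin",
    "cloud_admin": "role:admin and (token.is_admin_project:True or domain_id:admin_domain_id)",
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
}
# Same substitution the post's sed line performs on the sample file.
RULES = {name: body.replace("admin_domain_id", CLOUD_ADMIN_DOM_ID)
         for name, body in SAMPLE_RULES.items()}

def tokenize(rule):
    """Split into '(', ')', 'and', 'or' and kind:match checks. Parentheses are peeled
    only from the ends of whitespace-separated words, so '%(domain_id)s' survives."""
    tokens = []
    for word in rule.split():
        inner = word.lstrip("(")
        tokens.extend("(" * (len(word) - len(inner)))
        body = inner.rstrip(")")
        if body:
            tokens.append(body.lower() if body.lower() in ("and", "or") else body)
        tokens.extend(")" * (len(inner) - len(body)))
    return tokens

class Parser:
    """Recursive-descent parser; 'and' binds tighter than 'or'."""
    def __init__(self, tokens):
        self.toks, self.pos = tokens, 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self):
        self.pos += 1
        return self.toks[self.pos - 1]
    def expr(self):
        node = self.term()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.term())
        return node
    def term(self):
        node = self.atom()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.atom())
        return node
    def atom(self):
        tok = self.take()
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses in rule")
            return node
        kind, _, match = tok.partition(":")
        return ("check", kind, match)

def evaluate(node, creds, target, rules):
    """creds is what the token carries; target is what the request names."""
    if node[0] == "and":
        return evaluate(node[1], creds, target, rules) and evaluate(node[2], creds, target, rules)
    if node[0] == "or":
        return evaluate(node[1], creds, target, rules) or evaluate(node[2], creds, target, rules)
    _, kind, match = node
    if kind == "rule":                       # reference to another named rule
        return enforce(match, creds, target, rules)
    if kind == "role":                       # role carried by the token
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    try:
        expected = match % target            # "%(domain_id)s" -> value from the request
    except KeyError:
        return False                         # filter absent from the request: check fails
    value = creds
    for part in kind.split("."):             # dotted kinds walk nested dicts (token.is_admin_project)
        if not isinstance(value, dict) or part not in value:
            return False
        value = value[part]
    return str(value) == expected

def enforce(rule_name, creds, target, rules=RULES):
    tokens = tokenize(rules[rule_name])      # an empty rule string always passes
    return True if not tokens else evaluate(Parser(tokens).expr(), creds, target, rules)

def list_projects_decisions():
    """The post's three kinds of admin against identity:list_projects."""
    cloud_admin = {"roles": ["admin"], "user_id": "u-cloud", "domain_id": CLOUD_ADMIN_DOM_ID}
    # Domain-scoped token has domain_id; a project-scoped one has no top-level domain_id.
    dom_admin = {"roles": ["admin"], "user_id": "u-dom", "domain_id": DEFAULT_DOM_ID}
    proj_admin = {"roles": ["admin"], "user_id": "u-proj", "project_id": "p-default",
                  "project_domain_id": DEFAULT_DOM_ID}
    op = "identity:list_projects"
    return {
        "cloud_admin_no_filter": enforce(op, cloud_admin, {}),
        "dom_admin_own_domain_filter": enforce(op, dom_admin, {"domain_id": DEFAULT_DOM_ID}),
        "dom_admin_no_filter": enforce(op, dom_admin, {}),
        "dom_admin_other_domain_filter": enforce(op, dom_admin, {"domain_id": "dom-0001-id"}),
        "proj_admin_own_domain_filter": enforce(op, proj_admin, {"domain_id": DEFAULT_DOM_ID}),
    }

if __name__ == "__main__":
    print(list_projects_decisions())
```

Two things fall out of the evaluation. First, `domain_id:%(domain_id)s` fills `%(domain_id)s` from the request target, which for list_projects and list_users is the domain filter, so a domain admin has to run `openstack project list --domain <dom>` (or `user list --domain <dom>`); with no filter the key is missing and the check fails, hence the 403. Second, the credential-side `domain_id` only exists in a domain-scoped token, so the default-domain admin must authenticate with OS_DOMAIN_NAME/OS_DOMAIN_ID set and no OS_PROJECT_NAME; the project-scoped admin of the default project is denied by both branches even with the filter.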

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160819/1fbfd075/attachment.html>
