<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">To expand on Dolph's comments, the restriction in Grizzly is that you can include a domain_id check in your policy file against apis - however, this will only work if the objects in the parameters of the api calls includes the domain_id (so that it can be checked by the policy engine). So for instance you can restrict the creation of users, groups and projects to the domain scope of a user by including a policy rule like:<div><br></div><div><blockquote type="cite"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; position: static; z-index: auto; "><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"><b>"domain_id:%(user.domain_id)s"</b></p></div></div></blockquote></div></div></div></blockquote></div><div>(substitute group or project for user in the above as required). </div><div><br></div><div>The issue is, of course, that this only works for create (since you are passing the object to create), but doesn't work for update or delete. Extending keystone to enable rule definition that checks <i>the object the api will operate on</i> is what we are working on for Havana.</div><div><br></div><div>There is a blueprint for this already : <a href="https://blueprints.launchpad.net/keystone/+spec/policy-on-api-target">https://blueprints.launchpad.net/keystone/+spec/policy-on-api-target</a></div><div><br></div><div>Henry</div><div><br><div><div>On 6 Jun 2013, at 15:42, Dolph Mathews wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div dir="ltr">We're on our way to supporting domain-based role assignments in policy.json, but it's not quite there in grizzly. Related bug:<div><br></div><div> <a href="https://bugs.launchpad.net/keystone/+bug/1187198">https://bugs.launchpad.net/keystone/+bug/1187198</a></div>
<div><div><br></div><div style="">(this should probably be turned into a blueprint)</div><div><br></div>-Dolph</div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jun 6, 2013 at 9:10 AM, Gaspareto, Otavio <span dir="ltr"><<a href="mailto:otavio.barcelos-gaspareto@hp.com" target="_blank">otavio.barcelos-gaspareto@hp.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; position: static; z-index: auto; ">
<div lang="EN-US" link="blue" vlink="purple">
<div><p class="MsoNormal">Hi Dolph/Guang,<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">I’m implementing here a new role, called <i>domain_admin</i>, where the user with this role will be a manager inside his domain. For this, I’ve created this entry into the policy.json file:
<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><b>"domain_admin_required" : [["role:domain_admin", "domain_id:%(domain_id)s"]],<u></u><u></u></b></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Testing some services marked with this rule, and using an user that is a
<i>domain_admin</i> I could perform operations in other domains, like create project.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">So, my question: this rule <b>"domain_id:%(domain_id)s" </b>
shouldn’t<b> </b>block operations on domains different from mine?<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Another info, I’m using domain scoped authentication.<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal">Thanks,<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p><p class="MsoNormal"><b><span style="font-family:"Arial","sans-serif"">Otavio Gaspareto<br>
</span></b><span style="font-family:"Arial","sans-serif";color:#717172">Software Designer<br>
<br>
<a href="mailto:otavio.gaspareto@hp.com" target="_blank"><span style="color:#717172;text-decoration:none">otavio.gaspareto@hp.com</span></a><br>
T <a href="tel:%2B55%2051%202121%203832" value="+555121213832" target="_blank">+55 51 2121 3832</a><br>
Hewlett-Packard Company<br>
6681 Ipiranga Ave.<br>
Porto Alegre, RS, 90619-900<br>
Brazil<br>
<br>
</span><a href="http://www.hp.com/" target="_blank"><span style="font-family:"Arial","sans-serif";color:#717172;text-decoration:none"><span><image001.png></span></span></a><span style="font-family:"Arial","sans-serif";color:#717172"><br>
<br>
Please print thoughtfully</span><u></u><u></u></p>
</div>
</div>
</blockquote></div><br></div></div>
_______________________________________________<br>OpenStack-dev mailing list<br><a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev<br></blockquote></div><br></div></body></html>