<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Dec 10, 2013 at 10:49 PM, Jamie Lennox <span dir="ltr"><<a href="mailto:jamielennox@redhat.com" target="_blank">jamielennox@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Using the default policies it will simply check for the admin role and not care about the domain that admin is limited to. This is partially a leftover from the V2 API, when there weren't domains to worry about.<br>
<br>
A better example of policies is in the file etc/policy.v3cloudsample.json. In there you will see the rule for create_project is:<br>
<br>
"identity:create_project": "rule:admin_required and domain_id:%(project.domain_id)s",<br>
<br>
as opposed to (in policy.json):<br>
<br>
"identity:create_project": "rule:admin_required",<br>
<br>
This is what you are looking for to scope the admin role to a domain.<br>
<br></blockquote><div><br></div><div>We need to start moving the rules from policy.v3cloudsample.json to the default policy.json =)</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
Jamie<br>
<div><div class="h5"><br>
----- Original Message -----<br>
> From: "Ravi Chunduru" <<a href="mailto:ravivsn@gmail.com">ravivsn@gmail.com</a>><br>
> To: "OpenStack Development Mailing List" <<a href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>><br>
> Sent: Wednesday, 11 December, 2013 11:23:15 AM<br>
> Subject: [openstack-dev] [keystone] domain admin role query<br>
><br>
> Hi,<br>
> I am trying out Keystone V3 APIs and domains.<br>
> I created a domain, created a project in that domain, created a user in<br>
> that domain and project.<br>
> Next, gave an admin role for that user in that domain.<br>
><br>
> I am assuming that user is now admin to that domain.<br>
> Now, I got a scoped token with that user, domain and project. With that<br>
> token, I tried to create a new project in that domain. It worked.<br>
><br>
> But, using the same token, I could also create a new project in a 'default'<br>
> domain too. I expected it to throw an authentication error. Is it a bug?<br>
><br>
> Thanks,<br>
> --<br>
> Ravi<br>
><br>
</div></div>> _______________________________________________<br>
> OpenStack-dev mailing list<br>
> <a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
><br>
<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div><br></div>-Dolph
</div></div>
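To make the difference between the two quoted rules concrete, here is a small added example (not Keystone's or oslo.policy's own code) that evaluates both `identity:create_project` rules against a token scoped to one domain. It assumes a token whose credentials carry `roles` and `domain_id`, and a target that is flattened to dotted keys (`project.domain_id`) the way Keystone does before substituting `%(project.domain_id)s`; the rule sets, domain names and credentials below are constructed for this illustration.

```python
"""Toy evaluator for the two Keystone policy rules quoted in the thread.

This is an added example, not Keystone or oslo.policy code. It implements just
enough of the policy language ("rule:", "role:", generic attribute checks,
"and"/"or") to compare the default policy.json rule with the
policy.v3cloudsample.json rule for identity:create_project.
"""

# Constructed rule sets: the default rule and the domain-scoped rule quoted above.
DEFAULT_POLICY = {
    "admin_required": "role:admin",
    "identity:create_project": "rule:admin_required",
}

V3CLOUD_POLICY = {
    "admin_required": "role:admin",
    "identity:create_project": "rule:admin_required and domain_id:%(project.domain_id)s",
}


def _flatten(d, prefix=""):
    """Flatten {"project": {"domain_id": "x"}} into {"project.domain_id": "x"}
    so %(project.domain_id)s can be substituted (assumed to mirror Keystone)."""
    flat = {}
    for key, value in d.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(_flatten(value, name + "."))
        else:
            flat[name] = value
    return flat


def _check_atom(atom, policy, creds, target):
    """Evaluate one 'kind:value' check against credentials and target."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        # Reference to another named rule in the same policy file.
        return check(policy, policy[value], creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    # Generic check: substitute target attributes into the right-hand side and
    # compare with the credential attribute named on the left-hand side.
    expected = value % _flatten(target)
    return str(creds.get(kind)) == expected


def check(policy, rule, creds, target):
    """Evaluate a rule string; 'and' binds tighter than 'or'."""
    for disjunct in rule.split(" or "):
        atoms = [a.strip() for a in disjunct.split(" and ")]
        if all(_check_atom(a, policy, creds, target) for a in atoms):
            return True
    return False


def enforce(policy, action, creds, target):
    """Return True if the policy allows `action` for these creds and target."""
    return check(policy, policy[action], creds, target)


# Constructed credentials: a token scoped to domain-a, holding the admin role.
DOMAIN_ADMIN_CREDS = {"roles": ["admin"], "domain_id": "domain-a"}


def outcomes(creds=DOMAIN_ADMIN_CREDS):
    """Map each policy file to {target_domain: allowed} for create_project."""
    results = {}
    for name, policy in (("policy.json", DEFAULT_POLICY),
                         ("policy.v3cloudsample.json", V3CLOUD_POLICY)):
        results[name] = {
            dom: enforce(policy, "identity:create_project", creds,
                         {"project": {"domain_id": dom}})
            for dom in ("domain-a", "default")
        }
    return results


if __name__ == "__main__":
    for name, result in outcomes().items():
        print(f"{name}: {result}")
```

With the default rule the domain-a admin is allowed to create a project in the `default` domain as well, which is the behaviour the original question describes; with the v3cloudsample rule the `domain_id` check ties the admin role to the token's domain and the cross-domain create is refused.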