<div dir="ltr"><span style="font-size:13px">Note that I'm creating all of this using the OS_TOKEN instead of going through the API. I wonder if that is causing the issue?</span><br><div><span style="font-size:13px"><br></span></div><div><span style="font-size:13px">So far, my suspicions are that IDv3 with domains isn't fully baked in the Mitaka bits.</span></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Aug 19, 2016 at 3:19 PM, Nick Papadonis <span dir="ltr">&lt;<a href="mailto:npapadonis@gmail.com" target="_blank">npapadonis@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span style="font-size:13px">Hi Folks,</span><div style="font-size:13px"><br></div><div style="font-size:13px">I'm playing with IDv3 in Mitaka and it doesn't seem to work as I'd expect. Hopefully I'm understanding the way domains work. The strategy is to create a top level cloud_admin_dom and super user. Then create a default domain and admin user and default project and admin user. Then create another dom_0001 to test projects in a different domain.</div><div style="font-size:13px"><br></div><div style="font-size:13px">The cloud_admin user works fine and appears to have privileges to do most things. Now, when I use the default domain admin user or default domain default project admin user, I either get authentication issues from Keystone or the policy json isn't allowing the default domain admin (not in a project) to do things like list projects or users. 
It appears folks have used this a few different ways, and I would appreciate insight from your experience.</div>
<div style="font-size:13px"><br></div>
<div style="font-size:13px">As I understand it, the process (please correct me) is:</div>
<div style="font-size:13px"><br></div>
<div style="font-size:13px"><div># Extract the id column from an OSC table-format result</div><div>function get_id () {</div><div> echo `"$@" | grep ' id ' | awk '{print $4}'`</div><div>}</div></div>
<div style="font-size:13px"><br></div>
<div style="font-size:13px"># Create admin role</div>
<div style="font-size:13px">admin_role_id=$(get_id openstack role create admin)</div>
<div style="font-size:13px"><br></div>
<div style="font-size:13px"># Create Cloud Admin Domain</div>
<div style="font-size:13px"><div>cloud_admin_dom_id=$(get_id openstack domain create \</div><div> --description "Cloud Admin Domain" cloud_admin_dom)</div></div>
<div style="font-size:13px"><br></div>
<div style="font-size:13px"># Update policy for domain ID</div>
<div style="font-size:13px"><div>cat /etc/keystone/policy.v3cloudsample.json | \</div><div> sed -e "s/admin_domain_id/${cloud_admin_dom_id}/g" > /etc/keystone/policy.json</div></div>
<div style="font-size:13px"><br></div>
<div style="font-size:13px"># Create admin user for cloud admin domain</div>
<div style="font-size:13px"><div>cloud_admin_user_id=$(get_id openstack user create \</div><div> --password secrete \</div><div> --domain "${cloud_admin_dom_id}" \</div><div> --description "Cloud Admin Domain Admin" \</div><div> admin_cloud_admin_dom)</div></div>
<div style="font-size:13px"><br></div>
<div style="font-size:13px"># Assign admin role to admin user</div>
<div style="font-size:13px"><div>openstack role add --domain "${cloud_admin_dom_id}" \</div><div> --user "${cloud_admin_user_id}" \</div><div> "${admin_role_id}"</div></div>
<div style="font-size:13px"><br></div>
<div style="font-size:13px"># Create default domain (for legacy services)</div>
<div style="font-size:13px"><div>def_dom_id=$(get_id openstack domain create \</div><div> --description "Default Domain" default)</div></div>
<div style="font-size:13px"><br></div>
<div style="font-size:13px"># Create admin user for default domain</div>
<div style="font-size:13px"><div>def_user_id=$(get_id openstack user create \</div><div> --password secrete \</div><div> --domain "${def_dom_id}" \</div><div> --description "Default Domain Admin" \</div><div> admin_default_dom)</div></div>
<div style="font-size:13px"><br></div>
<div style="font-size:13px"># Assign admin role to admin user (domain-scoped, inherited to projects in the domain)</div>
<div style="font-size:13px"><div>openstack role add --domain "${def_dom_id}" \</div><div> --user "${def_user_id}" \</div><div> --inherited \</div><div> "${admin_role_id}"</div></div>
<div style="font-size:13px"><br></div>
<div style="font-size:13px"># Create default project in default domain (for legacy services)</div>
<div style="font-size:13px"><div># NB: as written, --domain places this project in cloud_admin_dom, not in the default domain</div><div>project_id=$(get_id openstack project create "${DEFAULT_PROJECT}" \</div><div> --description "Default Project" --domain "${cloud_admin_dom_id}" --enable)</div><div><br></div><div># Create admin user for default project in default domain</div><div>user_id=$(get_id openstack user create admin_dom_default_proj_default \</div><div> --project "${project_id}" \</div><div> --password secrete \</div><div> --domain "${def_dom_id}")</div><div><br></div><div># Assign admin role to admin user in default domain and default project</div><div>openstack role add --project "${project_id}" \</div><div> --user "${user_id}" \</div><div> --inherited \</div><div> "${admin_role_id}"</div></div>
<div style="font-size:13px"><br></div>
<div style="font-size:13px"># Create service role</div>
<div style="font-size:13px">service_role_id=$(get_id openstack role create service)<br></div>
<div style="font-size:13px"><br></div>
<div style="font-size:13px"># Create service project in default domain</div>
<div style="font-size:13px"><div>project_id=$(get_id openstack project create service \</div><div> --description "Service Tenant" --domain "${def_dom_id}" --enable)</div></div>
<div style="font-size:13px"><br></div>
<div style="font-size:13px"># Create service project admin in default domain</div>
<div style="font-size:13px"><div>user_id=$(get_id openstack user create admin_default_dom_proj_service \</div><div> --project "${project_id}" \</div><div> --password secrete \</div><div> --domain "${def_dom_id}")</div></div>
<div style="font-size:13px"><br></div>
<div style="font-size:13px"># Assign admin role to admin user in service project</div>
<div style="font-size:13px"><div># NB: this grant is on the whole default domain (--domain), not only on the service project</div><div>openstack role add --domain "${def_dom_id}" \</div><div> --user "${user_id}" \</div><div> --inherited \</div><div> "${admin_role_id}"</div></div>
<div style="font-size:13px"><br></div>
<div style="font-size:13px"><div># First other Domain - dom_0001</div><div>dom_id=$(get_id openstack domain create \</div><div> --description "Default Domain" dom_0001)</div></div>
<div style="font-size:13px"><br></div>
<div style="font-size:13px"># Create admin user for dom_0001</div>
<div style="font-size:13px"><div>user_id=$(get_id openstack user create \</div><div> --password secrete \</div><div> --domain "${dom_id}" \</div><div> --description "dom_0001 Admin" \</div><div> admin_dom_0001)</div></div>
<div style="font-size:13px"><br></div>
<div style="font-size:13px"># Assign admin role to admin_dom_0001 in domain dom_0001</div>
<div style="font-size:13px"><div>openstack role add --domain "${dom_id}" \</div><div> --user "${user_id}" \</div><div> --user-domain "${dom_id}" \</div><div> --inherited \</div><div> "${admin_role_id}"</div></div>
<div style="font-size:13px"><br></div>
<div style="font-size:13px">==</div>
<div style="font-size:13px"><br></div>
<div style="font-size:13px">Also note, when adding:<div><div>#--project-domain "${cloud_admin_dom_id}" \</div><div> #--user-domain "${def_dom_id}" \</div></div><div><br></div><div>to openstack role add, I'm finding that OSC complains the user ID doesn't exist in that specified domain, when OSC user list --long shows it does. Odd.</div></div>
<div style="font-size:13px"><br></div>
<div style="font-size:13px">Thanks,</div>
<div style="font-size:13px">Nick </div></div>
</blockquote></div><br></div>
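<div style="font-size:13px">The policy step in Nick's script (cat policy.v3cloudsample.json | sed ... > /etc/keystone/policy.json) is the one place where an empty get_id result silently rewrites the live Keystone policy. The script below is an added example, not code from the thread: it renders the same substitution but validates the domain id first, checks that no placeholder survives, and writes through a temp file. The function names (is_keystone_id, render_policy, install_policy) and the three-rule policy fragment are constructed for the demo and are not the Mitaka sample policy.</div>

```shell
#!/bin/sh
# Added example, not code from the thread. Renders Keystone's
# policy.v3cloudsample.json into policy.json by substituting the cloud
# admin domain id (what the post's cat | sed step does), but refuses to
# write when the id is empty or malformed and checks that no placeholder
# survives. The fragment below is constructed, not the real sample file.

SAMPLE_POLICY='{
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id"
}'

# Keystone ids are 32 lowercase hex characters (a UUID without dashes).
is_keystone_id() {
    case "$1" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# render_policy DOMAIN_ID POLICY_TEXT: prints the rendered policy.
# Returns 1 for a bad id (e.g. get_id printed nothing because the
# domain create failed) and 2 if the placeholder is still present.
render_policy() {
    dom_id=$1
    policy=$2
    is_keystone_id "$dom_id" || return 1
    rendered=$(printf '%s\n' "$policy" | sed -e "s/admin_domain_id/${dom_id}/g")
    if printf '%s\n' "$rendered" | grep -q 'admin_domain_id'; then
        return 2
    fi
    printf '%s\n' "$rendered"
}

# install_policy DOMAIN_ID SRC DEST: render into a temp file and only
# then move it over DEST, so a failed render never clobbers the live
# /etc/keystone/policy.json the way "cat ... | sed ... > policy.json" can.
install_policy() {
    tmp=$(mktemp) || return 1
    render_policy "$1" "$(cat "$2")" > "$tmp"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        mv "$tmp" "$3"
    else
        rm -f "$tmp"
    fi
    return "$rc"
}
```

With a real deployment, call install_policy "$cloud_admin_dom_id" /etc/keystone/policy.v3cloudsample.json /etc/keystone/policy.json and check its exit status before restarting Keystone.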