[Openstack] Projects deals tricky job

Eugen Block eblock at nde.ag
Mon Jun 27 14:20:19 UTC 2016


Thanks for the information, I'll definitely get to it. But right now  
I'm having some trouble with domain_id in the keystone_policy.json. I  
believe I'm also affected by this bug  
https://bugs.launchpad.net/python-openstackclient/+bug/1538804

I switched to the stable/liberty policy.v3cloudsample.json because the  
value for "token.is_admin_project:True or domain_id:admin_domain_id"  
led to errors in authentication. Using "rule:admin_required and  
domain_id:default" works if I use Horizon (I see the output in  
keystone.log), but it fails to authenticate while using CLI because  
for some reason "domain_id" is never read by the client.
As a workaround I changed the rule to

"cloud_admin": "rule:admin_required and (domain_id:default or user_domain_id:default)"

that seems to work fine, and I already tried it with user_id instead  
of domain_id, but I can't predict the consequences. What is the  
recommendation here until the CLI client is able to read domain_id?

Regards,
Eugen


Quoting Timothy Symanczyk <Timothy_Symanczyk at symantec.com>:

> We implemented something here at Symantec that sounds very similar to what
> you're both talking about. We have three levels of Admin - Cloud, Domain,
> and Project. If you're interested in checking it out, we actually
> presented on this topic in Austin.
>
> The presentation : https://www.youtube.com/watch?v=v79kNddKbLc
>
> All the referenced files can be found in our github here :
> https://github.com/Symantec/Openstack_RBAC
>
> Specifically you may want to check out our keystone policy file that
> defines cloud_admin domain_admin and project_admin :
> https://github.com/Symantec/Openstack_RBAC/blob/master/keystone/policy.json
>
> Tim
>
> On 6/20/16, 5:17 AM, "Eugen Block" <eblock at nde.ag> wrote:
>
>> I believe you are trying to accomplish the same configuration as I do,
>> so I think domains are the answer. You can divide your cloud into
>> different domains and grant admin rights to specific users, which are
>> not authorized to see the other domains. Although I'm still not sure
>> if I did it correctly and it's not fully resolved yet, here is a
>> thread I started a few days ago:
>>
>> http://lists.openstack.org/pipermail/openstack/2016-June/016454.html
>>
>> Regards,
>> Eugen
>>
>> Quoting Venkatesh Kotipalli <openstackvenkatesh at gmail.com>:
>>
>>> Hi Folks,
>>>
>>> Is it possible to create a project admin in OpenStack?
>>>
>>> As we identified, whenever we create a project admin it will show the
>>> entire cloud (like other users and all services, completely admin access),
>>> but I want to see the particular project users, admins and control all the
>>> services.
>>>
>>> Guys, please help me with this part. I am really very confused.
>>>
>>> Regards,
>>> Venkatesh.k
>>
>>
>>
>> --
>> Eugen Block                             voice   : +49-40-559 51 75
>> NDE Netzdesign und -entwicklung AG      fax     : +49-40-559 51 77
>> Postfach 61 03 15
>> D-22423 Hamburg                         e-mail  : eblock at nde.ag
>>
>>         Chairwoman of the Supervisory Board: Angelika Mozdzen
>>           Registered office and court of registration: Hamburg, HRB 90934
>>                   Executive Board: Jens-U. Mozdzen
>>                    VAT ID no. DE 814 013 983
>>
>>
>> _______________________________________________
>> Mailing list:
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> Post to     : openstack at lists.openstack.org
>> Unsubscribe :
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>



-- 
Eugen Block                             voice   : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG      fax     : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg                         e-mail  : eblock at nde.ag

         Chairwoman of the Supervisory Board: Angelika Mozdzen
           Registered office and court of registration: Hamburg, HRB 90934
                   Executive Board: Jens-U. Mozdzen
                    VAT ID no. DE 814 013 983
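
Added example, not part of the original message and not keystone or oslo.policy code: a simplified Python model of how the two cloud_admin rules quoted in the message evaluate against constructed token credentials. It assumes that only a domain-scoped token carries domain_id while user_domain_id is present on every token; the rule names `strict` and `workaround`, the credential values and the evaluator itself are illustrative.

```python
import re

# Constructed policy; the two cloud_admin variants are the rules from the message.
RULES = {
    "admin_required": "role:admin",
    "strict": "rule:admin_required and domain_id:default",
    "workaround": "rule:admin_required and "
                  "(domain_id:default or user_domain_id:default)",
}
# Constructed credentials. Assumption: only a domain-scoped token carries domain_id.
CASES = {
    "domain_scoped": {"roles": ["admin"], "domain_id": "default", "user_domain_id": "default"},
    "project_scoped": {"roles": ["admin"], "project_id": "p1", "user_domain_id": "default"},
    "other_domain": {"roles": ["admin"], "project_id": "p2", "user_domain_id": "d2"},
}

def check(kind, match, creds):  # simplified model, not oslo.policy itself
    if kind == "rule":
        return evaluate(RULES[match], creds)
    if kind == "role":
        return match in creds.get("roles", [])
    return creds.get(kind) == match  # an absent attribute never matches

def evaluate(expr, creds):
    tokens = re.findall(r"\(|\)|[^\s()]+", expr) + [None]
    pos = 0
    def atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            val = level("or")
            pos += 1  # consume ")"
            return val
        kind, _, match = tok.partition(":")
        return check(kind, match, creds)
    def level(op):  # "and" binds tighter than "or"
        nonlocal pos
        operand = atom if op == "and" else (lambda: level("and"))
        val = operand()
        while tokens[pos] == op:
            pos += 1
            rhs = operand()
            val = (val and rhs) if op == "and" else (val or rhs)
        return val
    return level("or")

def matrix():
    return {(r, c): evaluate(RULES[r], creds)
            for r in ("strict", "workaround") for c, creds in CASES.items()}
```

In this model the workaround rule also matches a project-scoped token of any user who holds the admin role and whose home domain is default, so it is broader than the domain-scoped check it replaces.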




