[Openstack] restrict access for users between domains

Remo Mattei remo at italy1.com
Mon May 29 22:35:02 UTC 2017


You have to make changes to the policy.json. I had to debug and create new roles etc. on my env, since the admin for project x can only manage domain x and is not able to see anything else.

Remo

Sent from iPhone

> On 29 May 2017, at 08:09, Volodymyr Litovka <doka.ua at gmx.com> wrote:
> 
> Hi friends,
> 
> is there a way to define a domain's admin and restrict this person to access only his domain?
> 
> At the moment (Ocata release), if I:
> - create a domain by 'openstack domain create devtest'
> - create a user in the domain by 'openstack user create udevtest --domain devtest --password xxxxxx'
> - create a project in the domain by 'openstack project create devmin --domain devtest'
> - assign role 'admin' to the user on both the domain and the project:
> * openstack role add admin --user udevtest --domain devtest
> * openstack role add admin --project-domain devtest --project devmin --user udevtest
> 
> then, using user's 'udevtest' credentials:
> 
> OS_REGION_NAME=RegionOne
> OS_DEFAULT_DOMAIN=devtest
> OS_USER_DOMAIN_NAME=devtest
> OS_PROJECT_DOMAIN_NAME=devtest
> OS_PROJECT_NAME=devmin
> OS_USERNAME=udevtest
> OS_PASSWORD=xxxxxxxxx
> 
> OS_AUTH_STRATEGY=keystone
> OS_IDENTITY_API_VERSION=3
> OS_AUTH_URL=http://controller:5000/v3
> OS_INTERFACE=internal
> 
> I'm able to get a list of all users and projects in the 'default' domain and, even more, add / delete users and projects in the 'default' domain.
> 
> In fact, user 'udevtest' has nothing to do with domain 'default', but is assigned the global role 'admin' - probably that is the problem, because policy.json's rule 'admin_required' just checks for 'role:admin', which is true. On the other hand, if I create a role 'admin' specific to domain 'devtest' and assign it to the user on both the domain and the project in the domain, then I get the error "User f1c1cd3438c24255a2baa85f326dfc40 (which is udevtest) has no access to project 1dbbaf2fb0bc4d5da270e48d4a92bc62 (which is devmin)", so it seems local roles don't matter.
> 
> Is the only way (I hope it's a legacy way :-) ) to change policy.json (as some pages on the Internet were suggesting), or am I doing something wrong?
> 
> Thank you!
> 
> -- 
> Volodymyr Litovka
>   "Vision without Execution is Hallucination." -- Thomas Edison
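The thread's diagnosis is that the stock `admin_required` rule is a flat `role:admin` check with no domain component, so any user holding 'admin' anywhere passes it everywhere. The script below is an added example, not code from the list, from Keystone or from oslo.policy: it is a minimal re-implementation of the oslo.policy rule grammar (`rule:`, `role:`, `key:%(target)s`, `and`/`or`) used to evaluate a constructed "flat" policy beside a constructed domain-scoped policy written in the spirit of Keystone's policy.v3cloudsample.json (the rule names and target attribute names here are assumptions, not copied from that file). Running it shows why udevtest can list the 'default' domain under the flat rules and why a `domain_id:%(domain_id)s` match closes that gap.

```python
"""Simplified oslo.policy-style rule evaluator (added example; not oslo.policy
itself and not Keystone's real policy files).  Demonstrates how a flat
``role:admin`` rule lets a domain admin act in every domain, and how adding a
domain match restricts the admin to their own domain."""

import re

# Constructed "before" policy: mirrors the default policy.json behaviour the
# thread describes, where admin_required only checks for the admin role.
POLICY_FLAT = {
    "admin_required": "role:admin",
    "identity:list_users": "rule:admin_required",
    "identity:delete_user": "rule:admin_required",
}

# Constructed "after" policy: the admin role must be held in the same domain
# as the target (names chosen here, in the style of policy.v3cloudsample.json).
POLICY_DOMAIN_SCOPED = {
    "admin_required": "role:admin",
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_users": "rule:admin_and_matching_domain_id",
    "identity:delete_user": "rule:admin_and_matching_domain_id",
}


def _check(policy, atom, creds, target):
    """Evaluate one 'kind:value' atom of a rule expression."""
    atom = atom.strip()
    if atom == "@":  # oslo.policy: always allow
        return True
    if atom == "!":  # oslo.policy: always deny
        return False
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return _evaluate(policy, policy[value], creds, target)
    if kind == "role":
        return value in creds.get("roles", ())
    # Generic check: "key:%(target_key)s" compares a credential attribute with a
    # target attribute; "key:literal" compares it with a literal value.
    m = re.fullmatch(r"%\((\w+)\)s", value)
    expected = target.get(m.group(1)) if m else value
    actual = creds.get(kind)
    return actual is not None and expected is not None and str(actual) == str(expected)


def _evaluate(policy, expr, creds, target):
    """'and' binds tighter than 'or', as in oslo.policy's grammar."""
    return any(
        all(_check(policy, atom, creds, target) for atom in clause.split(" and "))
        for clause in expr.split(" or ")
    )


def enforce(policy, action, creds, target):
    """Return True if creds may perform action on target under policy."""
    return _evaluate(policy, policy[action], creds, target)


def demo():
    """Replay the thread's scenario: udevtest holds 'admin' scoped to domain
    'devtest' (constructed credentials) and tries to list users in the
    'default' domain and in its own domain under both policies."""
    udevtest = {"roles": ["admin"], "domain_id": "devtest"}
    cases = {
        "flat/default": (POLICY_FLAT, {"domain_id": "default"}),
        "flat/devtest": (POLICY_FLAT, {"domain_id": "devtest"}),
        "scoped/default": (POLICY_DOMAIN_SCOPED, {"domain_id": "default"}),
        "scoped/devtest": (POLICY_DOMAIN_SCOPED, {"domain_id": "devtest"}),
    }
    return {
        name: enforce(policy, "identity:list_users", udevtest, target)
        for name, (policy, target) in cases.items()
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:16s} -> {'ALLOWED' if allowed else 'denied'}")
```

The flat policy allows both lookups, reproducing what the original poster saw; the domain-scoped policy denies the 'default' domain and still allows 'devtest'. In a real deployment the domain-scoped rule only works when udevtest authenticates with a domain-scoped token (so `domain_id` is present in the credentials) and the target attribute Keystone supplies for each API call is the one named in the rule, which is why per-API rules in the real sample file refer to target fields such as the user's or project's domain rather than a single flat key.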

