<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>You have to make changes to the policy.json. I had to debug and create new roles etc. on my env, since the admin for project x can only manage domain x and is not able to see anything else. </div><div id="AppleMailSignature"><br></div><div id="AppleMailSignature">Remo<br><br>Sent from iPhone</div><div><br>On 29 May 2017, at 08:09, Volodymyr Litovka &lt;<a href="mailto:doka.ua@gmx.com">doka.ua@gmx.com</a>&gt; wrote:<br><br></div><blockquote type="cite"><div>
<p><font face="SFNS Display">Hi friends,</font></p>
Is there a way to define a domain admin and restrict this person to
accessing only his domain?<br>
<br>
At the moment (Ocata release), if I:<br>
- create a domain by '<u>openstack domain create devtest</u>'<br>
- create a user in the domain by '<u>openstack user create udevtest
--domain devtest --password xxxxxx</u>'<br>
- create a project in the domain by '<u>openstack project create
devmin --domain devtest</u>'<br>
- assign role 'admin' to the user on both the domain and the
project:<br>
* '<u>openstack role add admin --user udevtest --domain devtest</u>'<br>
* '<u>openstack role add admin --project-domain devtest --project
devmin --user udevtest</u>'<br>
<br>
then, using user's 'udevtest' credentials:<br>
<br>
OS_REGION_NAME=RegionOne<br>
OS_DEFAULT_DOMAIN=devtest<br>
OS_USER_DOMAIN_NAME=devtest<br>
OS_PROJECT_DOMAIN_NAME=devtest<br>
OS_PROJECT_NAME=devmin<br>
OS_USERNAME=udevtest<br>
OS_PASSWORD=xxxxxxxxx<br>
<br>
OS_AUTH_STRATEGY=keystone<br>
OS_IDENTITY_API_VERSION=3<br>
OS_AUTH_URL=<a class="moz-txt-link-freetext" href="http://controller:5000/v3">http://controller:5000/v3</a><br>
OS_INTERFACE=internal<br>
<br>
I'm able to get a list of all users and projects in the 'default' domain
and, even more, add / delete users and projects in the 'default' domain.<br>
<br>
In fact, user 'udevtest' has nothing to do with domain 'default', but
is assigned the global role 'admin' - probably that is the problem,
because policy.json's rule 'admin_required' just checks for
'role:admin', which is true. On the other hand, if I create a role
'admin' specific to domain 'devtest' and assign it to the user on both
the domain and the project in the domain, then I get the error "<b>User
f1c1cd3438c24255a2baa85f326dfc40 </b>(which is udevtest)<b> has
no access to project 1dbbaf2fb0bc4d5da270e48d4a92bc62</b> (which
is devmin)", so it seems local roles don't matter.<br>
<br>
Is the only way (I hope it's a legacy way :-) ) to change policy.json
(as some pages on the Internet were suggesting), or am I doing something
wrong?<br>
<br>
Thank you!<br>
<br>
<pre class="moz-signature" cols="72">--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
</pre>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a></span><br><span>Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a></span><br><span>Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a></span><br></div></blockquote></body></html>
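The thread's diagnosis is that the stock Ocata rule 'admin_required' is just 'role:admin', so any user holding that role anywhere passes it for every domain, and Remo's answer is that policy.json has to change. The following is an added example, not code from the OpenStack project or from either poster: a small evaluator for the policy.json rule language (rule:, role:, attribute:literal, attribute:%(target)s, and/or/not, parentheses) used to compare a constructed copy of the stock layout with a domain-scoped layout modelled on keystone's policy.v3cloudsample.json. The rule names other than 'admin_required' and 'identity:list_users', the credential dictionaries, and the domain ids are constructed for illustration and are not taken from a real deployment.

```python
"""Toy evaluator for Keystone-style policy.json rule strings.

Added example, not part of the mailing-list thread or of oslo.policy.
It implements just enough of the rule language to show why a bare
'role:admin' check lets a domain admin administer the 'default' domain,
and how a rule that also matches the target's domain_id closes that gap.
"""
import re

# Constructed policy fragments. DEFAULT_POLICY mirrors the shape of the stock
# Ocata policy.json: admin_required is only a role check. SCOPED_POLICY is
# modelled on the v3cloudsample layout; 'cloud_admin' and the literal
# CLOUD_ADMIN_DOMAIN_ID are assumptions for illustration.
DEFAULT_POLICY = {
    "admin_required": "role:admin",
    "identity:list_users": "rule:admin_required",
    "identity:create_user": "rule:admin_required",
}

SCOPED_POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:CLOUD_ADMIN_DOMAIN_ID",
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
    "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_domain_id",
}

# Tokens: '(' , ')' or a run of non-space characters; a '%(key)s' substitution
# is kept inside its atom so its parentheses are not mistaken for grouping.
TOKEN_RE = re.compile(r"\(|\)|(?:%\([^)]*\)s|[^\s()])+")


def tokenize(rule):
    return TOKEN_RE.findall(rule)


class _Parser:
    """Recursive-descent evaluator: or < and < not < atom / parentheses."""

    def __init__(self, tokens, policy, creds, target):
        self.toks, self.i = tokens, 0
        self.policy, self.creds, self.target = policy, creds, target

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse_or(self):
        result = self.parse_and()
        while self.peek() == "or":
            self.take()
            rhs = self.parse_and()      # always parsed, so tokens are consumed
            result = result or rhs
        return result

    def parse_and(self):
        result = self.parse_not()
        while self.peek() == "and":
            self.take()
            rhs = self.parse_not()
            result = result and rhs
        return result

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok == "(":
            result = self.parse_or()
            if self.take() != ")":
                raise ValueError("unbalanced parenthesis")
            return result
        return self.check(tok)

    def check(self, atom):
        kind, _, value = atom.partition(":")
        if kind == "rule":                       # reference to another rule
            return evaluate(self.policy, value, self.creds, self.target)
        if kind == "role":                       # role held by the token
            return value in self.creds.get("roles", [])
        m = re.fullmatch(r"%\((\w+)\)s", value)
        if m:                                    # credential attr vs target attr
            wanted = self.target.get(m.group(1))
            return wanted is not None and str(self.creds.get(kind)) == str(wanted)
        return str(self.creds.get(kind)) == value  # credential attr vs literal


def evaluate(policy, rule_name, creds, target):
    parser = _Parser(tokenize(policy[rule_name]), policy, creds, target)
    result = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in rule %r" % rule_name)
    return result


# Constructed credentials for udevtest: 'admin' role, scoped to domain devtest.
# Real keystone credential dicts carry more keys; only these two matter here.
UDEVTEST = {"roles": ["admin"], "domain_id": "DEVTEST_DOMAIN_ID"}


def can_list_users(policy, creds, target_domain_id):
    return evaluate(policy, "identity:list_users", creds,
                    {"domain_id": target_domain_id})


def demo():
    """Same user, same request, under the two policies."""
    results = {}
    for name, policy in (("default", DEFAULT_POLICY), ("scoped", SCOPED_POLICY)):
        results[name] = {
            "own_domain": can_list_users(policy, UDEVTEST, "DEVTEST_DOMAIN_ID"),
            "default_domain": can_list_users(policy, UDEVTEST, "DEFAULT_DOMAIN_ID"),
        }
    return results


if __name__ == "__main__":
    print(demo())
```

With DEFAULT_POLICY, udevtest is allowed to list users of both domains, which is the behaviour the question reports; with SCOPED_POLICY the same user is allowed only for 'devtest', and a user whose token is scoped to CLOUD_ADMIN_DOMAIN_ID keeps cross-domain access through 'cloud_admin'. The point to check when editing a real policy.json is that every 'identity:*' rule a domain admin should be able to hit carries a domain_id (or project's domain) match, not just the role check, since a rule that falls back to 'rule:admin_required' alone reopens the gap.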