Hello OpenStack community,
I am currently working on OpenStack Kolla Ansible 2023.1. I have created a custom role, "owner".
Objective:
- Users with the owner role can only list users within their project.
- Avoid additional API calls for filtering users by project.
Current Challenge:
Using direct API calls, the list users API currently returns all users without any project-specific filtering. While additional API calls to the role_assignments endpoint can achieve the desired filtering, this approach is not efficient and doesn't restrict access at the API level.
I am considering defining custom Keystone policies to achieve this restriction. However, I am unsure how to properly configure these policies to enforce project-specific access control effectively.
Thanks in advance