[openstack-dev] [keystone] domain admin role query

Henry Nash henryn at linux.vnet.ibm.com
Thu Dec 12 23:00:01 UTC 2013


Hi

So the idea wasn't the you create a domain with the id of 'domain_admin_id', rather that you create the domain that you plan to use for your admin domain, and then paste its (auto-generated) domain_id into the policy file.

Henry
On 12 Dec 2013, at 03:11, Paul Belanger <paul.belanger at polybeacon.com> wrote:

> On 13-12-11 11:18 AM, Lyle, David wrote:
>> +1 on moving the domain admin role rules to the default policy.json
>> 
>> -David Lyle
>> 
>> From: Dolph Mathews [mailto:dolph.mathews at gmail.com]
>> Sent: Wednesday, December 11, 2013 9:04 AM
>> To: OpenStack Development Mailing List (not for usage questions)
>> Subject: Re: [openstack-dev] [keystone] domain admin role query
>> 
>> 
>> On Tue, Dec 10, 2013 at 10:49 PM, Jamie Lennox <jamielennox at redhat.com> wrote:
>> Using the default policies it will simply check for the admin role and not care about the domain that admin is limited to. This is partially a left over from the V2 api when there wasn't domains to worry > about.
>> 
>> A better example of policies are in the file etc/policy.v3cloudsample.json. In there you will see the rule for create_project is:
>> 
>>   "identity:create_project": "rule:admin_required and domain_id:%(project.domain_id)s",
>> 
>> as opposed to (in policy.json):
>> 
>>   "identity:create_project": "rule:admin_required",
>> 
>> This is what you are looking for to scope the admin role to a domain.
>> 
>> We need to start moving the rules from policy.v3cloudsample.json to the default policy.json =)
>> 
>> 
>> Jamie
>> 
>> ----- Original Message -----
>>> From: "Ravi Chunduru" <ravivsn at gmail.com>
>>> To: "OpenStack Development Mailing List" <openstack-dev at lists.openstack.org>
>>> Sent: Wednesday, 11 December, 2013 11:23:15 AM
>>> Subject: [openstack-dev] [keystone] domain admin role query
>>> 
>>> Hi,
>>> I am trying out Keystone V3 APIs and domains.
>>> I created an domain, created a project in that domain, created an user in
>>> that domain and project.
>>> Next, gave an admin role for that user in that domain.
>>> 
>>> I am assuming that user is now admin to that domain.
>>> Now, I got a scoped token with that user, domain and project. With that
>>> token, I tried to create a new project in that domain. It worked.
>>> 
>>> But, using the same token, I could also create a new project in a 'default'
>>> domain too. I expected it should throw authentication error. Is it a bug?
>>> 
>>> Thanks,
>>> --
>>> Ravi
>>> 
> 
> One of the issues I had this week while using the policy.v3cloudsample.json was I had no easy way of creating a domain with the id of 'admin_domain_id'.  I basically had to modify the SQL directly to do it.
> 
> Any chance we can create a 2nd domain using 'admin_domain_id' via keystone-manage sync_db?
> 
> -- 
> Paul Belanger | PolyBeacon, Inc.
> Jabber: paul.belanger at polybeacon.com | IRC: pabelanger (Freenode)
> Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131212/e5170e17/attachment.pgp>


More information about the OpenStack-dev mailing list