[openstack-dev] [keystone] domain admin role query

Ravi Chunduru ravivsn at gmail.com
Wed Dec 18 20:05:15 UTC 2013


Hi Dolph,
  I don't have a project yet to use in the scope. The intention is to get a
token using domain admin credentials and create a project using it.

Thanks,
-Ravi.


On Wed, Dec 18, 2013 at 11:39 AM, Dolph Mathews <dolph.mathews at gmail.com> wrote:

>
> On Wed, Dec 18, 2013 at 12:48 PM, Ravi Chunduru <ravivsn at gmail.com> wrote:
>
>> Thanks all for the information.
>> I have now v3 policies in place; the issue is that as a domain admin I
>> could not create a project in the domain. I get 403 unauthorized status.
>>
>> I see that when, as a 'domain admin', I request a token, the response did
>> not have any roles. In the token request, I couldn't specify the project,
>> as we are about to create the project in the next step.
>>
>
> Specify a domain as the "scope" to obtain domain-level authorization in
> the resulting token.
>
> See the third example under Scope:
>
>
> https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#scope-scope
>
>
>>
>> Here is the complete request/response of all the steps done.
>> https://gist.github.com/kumarcv/8015275
>>
>> I am assuming it's a bug. Please let me know your opinions.
>>
>> Thanks,
>> -Ravi.
>>
>>
>>
>>
>> On Thu, Dec 12, 2013 at 3:00 PM, Henry Nash <henryn at linux.vnet.ibm.com> wrote:
>>
>>> Hi
>>>
>>> So the idea wasn't that you create a domain with the id of
>>> 'domain_admin_id', rather that you create the domain that you plan to use
>>> for your admin domain, and then paste its (auto-generated) domain_id into
>>> the policy file.
>>>
>>> Henry
>>> On 12 Dec 2013, at 03:11, Paul Belanger <paul.belanger at polybeacon.com>
>>> wrote:
>>>
>>> > On 13-12-11 11:18 AM, Lyle, David wrote:
>>> >> +1 on moving the domain admin role rules to the default policy.json
>>> >>
>>> >> -David Lyle
>>> >>
>>> >> From: Dolph Mathews [mailto:dolph.mathews at gmail.com]
>>> >> Sent: Wednesday, December 11, 2013 9:04 AM
>>> >> To: OpenStack Development Mailing List (not for usage questions)
>>> >> Subject: Re: [openstack-dev] [keystone] domain admin role query
>>> >>
>>> >>
>>> >> On Tue, Dec 10, 2013 at 10:49 PM, Jamie Lennox <
>>> jamielennox at redhat.com> wrote:
>>> >> Using the default policies it will simply check for the admin role
>>> and not care about the domain that admin is limited to. This is partially a
>>> left over from the V2 api when there weren't domains to worry about.
>>> >>
>>> >> A better example of policies are in the file
>>> etc/policy.v3cloudsample.json. In there you will see the rule for
>>> create_project is:
>>> >>
>>> >>   "identity:create_project": "rule:admin_required and
>>> domain_id:%(project.domain_id)s",
>>> >>
>>> >> as opposed to (in policy.json):
>>> >>
>>> >>   "identity:create_project": "rule:admin_required",
>>> >>
>>> >> This is what you are looking for to scope the admin role to a domain.
>>> >>
>>> >> We need to start moving the rules from policy.v3cloudsample.json to
>>> the default policy.json =)
>>> >>
>>> >>
>>> >> Jamie
>>> >>
>>> >> ----- Original Message -----
>>> >>> From: "Ravi Chunduru" <ravivsn at gmail.com>
>>> >>> To: "OpenStack Development Mailing List" <
>>> openstack-dev at lists.openstack.org>
>>> >>> Sent: Wednesday, 11 December, 2013 11:23:15 AM
>>> >>> Subject: [openstack-dev] [keystone] domain admin role query
>>> >>>
>>> >>> Hi,
>>> >>> I am trying out Keystone V3 APIs and domains.
>>> >>> I created a domain, created a project in that domain, created a
>>> user in
>>> >>> that domain and project.
>>> >>> Next, gave an admin role for that user in that domain.
>>> >>>
>>> >>> I am assuming that user is now admin to that domain.
>>> >>> Now, I got a scoped token with that user, domain and project. With
>>> that
>>> >>> token, I tried to create a new project in that domain. It worked.
>>> >>>
>>> >>> But, using the same token, I could also create a new project in a
>>> 'default'
>>> >>> domain too. I expected it to throw an authentication error. Is it a
>>> bug?
>>> >>>
>>> >>> Thanks,
>>> >>> --
>>> >>> Ravi
>>> >>>
>>> >
>>> > One of the issues I had this week while using the
>>> policy.v3cloudsample.json was I had no easy way of creating a domain with
>>> the id of 'admin_domain_id'.  I basically had to modify the SQL directly to
>>> do it.
>>> >
>>> > Any chance we can create a 2nd domain using 'admin_domain_id' via
>>> keystone-manage sync_db?
>>> >
>>> > --
>>> > Paul Belanger | PolyBeacon, Inc.
>>> > Jabber: paul.belanger at polybeacon.com | IRC: pabelanger (Freenode)
>>> > Github: https://github.com/pabelanger | Twitter:
>>> https://twitter.com/pabelanger
>>> >
>>> > _______________________________________________
>>> > OpenStack-dev mailing list
>>> > OpenStack-dev at lists.openstack.org
>>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>> >
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Ravi
>>
>>
>>
>
>
> --
>
> -Dolph
>
>
>


-- 
Ravi
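The thread turns on two things: asking Keystone for a domain-scoped token (the "scope" example Dolph points to) and the difference between the `identity:create_project` rule in the default policy.json and the one in policy.v3cloudsample.json that Jamie quotes. The following is an added illustration, not code from the thread or from Keystone itself: it builds the v3 auth request body for a domain-scoped token and then runs the two quoted rules through a deliberately tiny stand-in for Keystone's policy engine (it understands only `rule:`, `role:`, `or`, `and` and `key:%(target.attr)s` matching, no parentheses). The `admin_required` definition, the credential dictionaries and the domain ids are constructed assumptions for the example.

```python
# Added example: domain-scoped auth request plus a minimal policy evaluator
# that reproduces the behaviour discussed in the thread. NOT Keystone's code.

DOMAIN_A = "dom-a"        # constructed id of the domain Ravi administers
DEFAULT_DOMAIN = "default"  # the 'default' domain from Ravi's original mail


def domain_scoped_auth_request(user_name, password, domain_name):
    """Body of POST /v3/auth/tokens asking for a *domain*-scoped token.

    The difference from the more common project-scoped request is only the
    "scope" element: it names a domain, so no project has to exist yet.
    """
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": user_name,
                        "domain": {"name": domain_name},
                        "password": password,
                    }
                },
            },
            "scope": {"domain": {"name": domain_name}},
        }
    }


# The two create_project rules quoted in the thread. "admin_required" is
# assumed here to be the usual "role:admin or is_admin:1".
DEFAULT_POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "identity:create_project": "rule:admin_required",
}
V3CLOUDSAMPLE_POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "identity:create_project": (
        "rule:admin_required and domain_id:%(project.domain_id)s"
    ),
}

# Constructed credential dicts as a policy check would see them.
DOMAIN_ADMIN_CREDS = {"roles": ["admin"], "domain_id": DOMAIN_A}  # domain-scoped token
UNSCOPED_CREDS = {"roles": []}  # unscoped token: no roles at all, as Ravi observed


def _lookup(target, dotted):
    """Resolve 'project.domain_id' against the request target dict."""
    cur = target
    for part in dotted.split("."):
        cur = cur[part]
    return cur


def _check_atom(atom, policy, creds, target):
    kind, _, value = atom.partition(":")
    if kind == "rule":            # reference to another named rule
        return evaluate(policy, value, creds, target)
    if kind == "role":            # role carried by the token
        return value in creds.get("roles", [])
    # Generic credential match, e.g. domain_id:%(project.domain_id)s:
    # interpolate the target attribute, then compare with the credential.
    if value.startswith("%(") and value.endswith(")s"):
        value = _lookup(target, value[2:-2])
    return str(creds.get(kind)) == str(value)


def evaluate(policy, rule_name, creds, target):
    """Evaluate a rule: 'or' binds loosest, 'and' tightest, no parentheses."""
    expr = policy[rule_name]
    return any(
        all(_check_atom(a.strip(), policy, creds, target)
            for a in conj.split(" and "))
        for conj in expr.split(" or ")
    )


def can_create_project(policy, creds, target_domain_id):
    target = {"project": {"domain_id": target_domain_id}}
    return evaluate(policy, "identity:create_project", creds, target)


if __name__ == "__main__":
    print(domain_scoped_auth_request("ravi", "secret", DOMAIN_A)["auth"]["scope"])
    for name, policy in (("policy.json", DEFAULT_POLICY),
                         ("policy.v3cloudsample.json", V3CLOUDSAMPLE_POLICY)):
        for dom in (DOMAIN_A, DEFAULT_DOMAIN):
            print(name, "domain admin creating project in", dom, "->",
                  can_create_project(policy, DOMAIN_ADMIN_CREDS, dom))
        print(name, "unscoped token ->",
              can_create_project(policy, UNSCOPED_CREDS, DOMAIN_A))
```

Run as-is, the default rule lets the domain admin create a project in the 'default' domain as well (Ravi's original finding), the v3cloudsample rule allows only the admin's own domain, and an unscoped token with no roles is refused under both, which is the 403 from the later mail.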