[openstack-dev] [keystone] domain admin role query

Ravi Chunduru ravivsn at gmail.com
Wed Dec 18 20:10:15 UTC 2013


Thanks Dolph,
 It worked now. I specified domain id in the scope.

-Ravi.


On Wed, Dec 18, 2013 at 12:05 PM, Ravi Chunduru <ravivsn at gmail.com> wrote:

> Hi Dolph,
>   I don't have a project yet to use in the scope. The intention is to get a
> token using domain admin credentials and create a project using it.
>
> Thanks,
> -Ravi.
>
>
> On Wed, Dec 18, 2013 at 11:39 AM, Dolph Mathews <dolph.mathews at gmail.com> wrote:
>
>>
>> On Wed, Dec 18, 2013 at 12:48 PM, Ravi Chunduru <ravivsn at gmail.com> wrote:
>>
>>> Thanks all for the information.
>>> I have now v3 policies in place, the issue is that as a domain admin I
>>> could not create a project in the domain. I get 403 unauthorized status.
>>>
>>> I see that when, as a 'domain admin', I request a token, the response did
>>> not have any roles. In the token request, I couldn't specify the project,
>>> as we are about to create the project in the next step.
>>>
>>
>> Specify a domain as the "scope" to obtain domain-level authorization in
>> the resulting token.
>>
>> See the third example under Scope:
>>
>>
>> https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#scope-scope
>>
>>
>>>
>>> Here is the complete request/response of all the steps done.
>>> https://gist.github.com/kumarcv/8015275
>>>
>>> I am assuming it's a bug. Please let me know your opinions.
>>>
>>> Thanks,
>>> -Ravi.
>>>
>>>
>>>
>>>
>>> On Thu, Dec 12, 2013 at 3:00 PM, Henry Nash <henryn at linux.vnet.ibm.com> wrote:
>>>
>>>> Hi
>>>>
>>>> So the idea wasn't that you create a domain with the id of
>>>> 'domain_admin_id', rather that you create the domain that you plan to use
>>>> for your admin domain, and then paste its (auto-generated) domain_id into
>>>> the policy file.
>>>>
>>>> Henry
>>>> On 12 Dec 2013, at 03:11, Paul Belanger <paul.belanger at polybeacon.com>
>>>> wrote:
>>>>
>>>> > On 13-12-11 11:18 AM, Lyle, David wrote:
>>>> >> +1 on moving the domain admin role rules to the default policy.json
>>>> >>
>>>> >> -David Lyle
>>>> >>
>>>> >> From: Dolph Mathews [mailto:dolph.mathews at gmail.com]
>>>> >> Sent: Wednesday, December 11, 2013 9:04 AM
>>>> >> To: OpenStack Development Mailing List (not for usage questions)
>>>> >> Subject: Re: [openstack-dev] [keystone] domain admin role query
>>>> >>
>>>> >>
>>>> >> On Tue, Dec 10, 2013 at 10:49 PM, Jamie Lennox <
>>>> jamielennox at redhat.com> wrote:
>>>> >> Using the default policies it will simply check for the admin role
>>>> and not care about the domain that admin is limited to. This is partially a
>>>> leftover from the V2 API when there weren't domains to worry about.
>>>> >>
>>>> >> A better example of policies is in the file
>>>> etc/policy.v3cloudsample.json. In there you will see the rule for
>>>> create_project is:
>>>> >>
>>>> >>   "identity:create_project": "rule:admin_required and
>>>> domain_id:%(project.domain_id)s",
>>>> >>
>>>> >> as opposed to (in policy.json):
>>>> >>
>>>> >>   "identity:create_project": "rule:admin_required",
>>>> >>
>>>> >> This is what you are looking for to scope the admin role to a domain.
>>>> >>
>>>> >> We need to start moving the rules from policy.v3cloudsample.json to
>>>> the default policy.json =)
>>>> >>
>>>> >>
>>>> >> Jamie
>>>> >>
>>>> >> ----- Original Message -----
>>>> >>> From: "Ravi Chunduru" <ravivsn at gmail.com>
>>>> >>> To: "OpenStack Development Mailing List" <
>>>> openstack-dev at lists.openstack.org>
>>>> >>> Sent: Wednesday, 11 December, 2013 11:23:15 AM
>>>> >>> Subject: [openstack-dev] [keystone] domain admin role query
>>>> >>>
>>>> >>> Hi,
>>>> >>> I am trying out Keystone V3 APIs and domains.
>>>> >>> I created a domain, created a project in that domain, created a
>>>> user in
>>>> >>> that domain and project.
>>>> >>> Next, gave an admin role for that user in that domain.
>>>> >>>
>>>> >>> I am assuming that user is now admin to that domain.
>>>> >>> Now, I got a scoped token with that user, domain and project. With
>>>> that
>>>> >>> token, I tried to create a new project in that domain. It worked.
>>>> >>>
>>>> >>> But, using the same token, I could also create a new project in a
>>>> 'default'
>>>> >>> domain too. I expected it to throw an authentication error. Is it
>>>> a bug?
>>>> >>>
>>>> >>> Thanks,
>>>> >>> --
>>>> >>> Ravi
>>>> >>>
>>>> >
>>>> > One of the issues I had this week while using the
>>>> policy.v3cloudsample.json was that I had no easy way of creating a domain with
>>>> the id of 'admin_domain_id'.  I basically had to modify the SQL directly to
>>>> do it.
>>>> >
>>>> > Any chance we can create a 2nd domain using 'admin_domain_id' via
>>>> keystone-manage sync_db?
>>>> >
>>>> > --
>>>> > Paul Belanger | PolyBeacon, Inc.
>>>> > Jabber: paul.belanger at polybeacon.com | IRC: pabelanger (Freenode)
>>>> > Github: https://github.com/pabelanger | Twitter:
>>>> https://twitter.com/pabelanger
>>>> >
>>>> > _______________________________________________
>>>> > OpenStack-dev mailing list
>>>> > OpenStack-dev at lists.openstack.org
>>>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>> >
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Ravi
>>>
>>>
>>>
>>
>>
>> --
>>
>> -Dolph
>>
>>
>>
>
>
> --
> Ravi
>



-- 
Ravi
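The scoping discussed in this thread, as an added example that is not Keystone's own policy engine (oslo.policy): a simplified evaluator for the two create_project rules Jamie quoted, plus a constructed domain-scoped v3 auth request of the kind Dolph pointed to. Domain, user and password values are made up, and only the rule/role/attribute checks and the 'and' conjunction those two rules need are implemented.

```python
import re
# The two create_project rules quoted in the thread; admin_required as in
# Keystone's sample policies only checks for the admin role.
DEFAULT_POLICY = {"admin_required": "role:admin",
                  "identity:create_project": "rule:admin_required"}
V3CLOUD_POLICY = {"admin_required": "role:admin", "identity:create_project":
                  "rule:admin_required and domain_id:%(project.domain_id)s"}

# Constructed v3 auth request whose scope names a domain rather than a
# project (ids and password are made up).
DOMAIN_SCOPED_AUTH = {"auth": {
    "identity": {"methods": ["password"], "password": {"user": {
        "name": "dadmin", "password": "secret", "domain": {"id": "d1"}}}},
    "scope": {"domain": {"id": "d1"}},
}}

def token_creds(auth_request, roles):
    """Simplified token credentials: roles are only issued for a scoped
    request, and domain_id is set only when the scope is a domain."""
    scope = auth_request["auth"].get("scope", {})
    creds = {"roles": list(roles) if scope else []}
    if "domain" in scope:
        creds["domain_id"] = scope["domain"]["id"]
    return creds

def _lookup(target, dotted):
    for part in dotted.split("."):  # e.g. "project.domain_id"
        target = target[part]
    return target

def _term(term, creds, target, policy):
    kind, _, value = term.partition(":")
    if kind == "rule":
        return check(value, creds, target, policy)
    if kind == "role":
        return value in creds["roles"]
    # Generic check such as domain_id:%(project.domain_id)s: the credential
    # attribute must equal the attribute resolved from the target.
    m = re.fullmatch(r"%\((.+)\)s", value)
    expected = _lookup(target, m.group(1)) if m else value
    return creds.get(kind) == expected

def check(rule, creds, target, policy):
    """Evaluate a named rule; only 'and' conjunctions are needed here."""
    return all(_term(t.strip(), creds, target, policy)
               for t in policy[rule].split(" and "))

def can_create_project(policy, creds, project_domain_id):
    target = {"project": {"domain_id": project_domain_id}}
    return check("identity:create_project", creds, target, policy)
```

Under the default rule a domain-scoped admin token can create a project in any domain, which is the behaviour Ravi's first mail reports; under the v3cloudsample rule the target project's domain must match the token's domain_id. An unscoped request yields a token with no roles, so both rules deny it, matching the 403 Ravi saw.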