[openstack-dev] [keystone] Domain admin roles

Dolph Mathews dolph.mathews at gmail.com
Thu Jun 6 14:42:54 UTC 2013


We're on our way to supporting domain-based role assignments in
policy.json, but it's not quite there in grizzly. Related bug:

  https://bugs.launchpad.net/keystone/+bug/1187198

(this should probably be turned into a blueprint)

-Dolph

On Thu, Jun 6, 2013 at 9:10 AM, Gaspareto, Otavio <
otavio.barcelos-gaspareto at hp.com> wrote:

> Hi Dolph/Guang,
>
> I’m implementing here a new role, called domain_admin, where the user
> with this role will be a manager inside his domain. For this, I’ve created
> this entry in the policy.json file:
>
>     "domain_admin_required" : [["role:domain_admin", "domain_id:%(domain_id)s"]],
>
> Testing some services marked with this rule, and using a user that is a
> domain_admin, I could perform operations in other domains, like create
> project.
>
> So, my question: shouldn’t this rule, "domain_id:%(domain_id)s", block
> operations on domains different from mine?
>
> Another piece of info: I’m using domain scoped authentication.
>
> Thanks,
>
> Otavio Gaspareto
> Software Designer
>
> otavio.gaspareto at hp.com
> T +55 51 2121 3832
> Hewlett-Packard Company
> 6681 Ipiranga Ave.
> Porto Alegre, RS, 90619-900
> Brazil
>
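To make visible what the quoted rule actually compares, here is a small stand-alone evaluator for the list-of-lists policy.json syntax (outer list OR-ed, inner list AND-ed, `key:%(key)s` terms matching a credential against the same attribute of the target). It is a constructed example for this thread, not keystone's policy engine, and the token and target dicts in it are made up: the point it shows is that `domain_id:%(domain_id)s` only constrains an operation when the protected call populates the target with the domain of the resource being acted on.

```python
"""Toy evaluator for keystone-style policy.json rules (constructed for
this thread; it is not keystone's policy engine).  The outer list of a
rule is OR-ed, each inner list is AND-ed, and a term 'key:%(key)s'
compares the credential 'key' with the same attribute of the target."""

# The rule posted in the thread.
POLICY = {
    "domain_admin_required": [["role:domain_admin",
                               "domain_id:%(domain_id)s"]],
}


def check_term(term, target, creds):
    """Evaluate one 'kind:match' term."""
    kind, match = term.split(":", 1)
    if kind == "role":
        return match in creds.get("roles", [])
    try:
        expected = match % target  # substitute %(domain_id)s from the target
    except KeyError:
        return False  # this toy fails closed when the target lacks the attribute
    return kind in creds and expected == str(creds[kind])


def enforce(rule, target, creds, policy=POLICY):
    """True if any AND-group of the rule is fully satisfied."""
    return any(all(check_term(t, target, creds) for t in group)
               for group in policy[rule])


def domain_admin_outcomes():
    """Domain-scoped token for domain d1 (constructed); rule result per target."""
    creds = {"roles": ["domain_admin"], "domain_id": "d1"}
    rule = "domain_admin_required"
    return {
        # target carries the domain of the project being created
        "own_domain": enforce(rule, {"domain_id": "d1"}, creds),
        "other_domain": enforce(rule, {"domain_id": "d2"}, creds),
        # the API never put the resource's domain into the target
        "no_target_domain": enforce(rule, {}, creds),
        # target built from the caller's own token: always matches itself
        "target_is_caller": enforce(rule, dict(creds), creds),
        # right domain, wrong role
        "plain_member": enforce(rule, {"domain_id": "d1"},
                                {"roles": ["Member"], "domain_id": "d1"}),
    }
```

The `other_domain` case is the only one the rule blocks on its own; whether a real create-project call lands there depends entirely on what the service passes as the target.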