[openstack-dev] [keystone] Domain admin roles

Henry Nash henryn at linux.vnet.ibm.com
Thu Jun 6 15:05:50 UTC 2013 

To expand on Dolph's comments, the restriction in Grizzly  is that you can include a domain_id check in your policy file against apis - however, this will only work if the objects in the parameters of the api calls includes the domain_id (so that it can be checked by the policy engine).  So for instance you can restrict the creation of users, groups and projects to the domain scope of a user by including a policy rule like:

> "domain_id:%(user.domain_id)s"
> 

(substitute group or project for user in the above as required).  

The issue is, of course, that this only works for create (since you are passing the object to create), but doesn't work for update or delete.  Extending keystone to enable rule definition that checks the object the api will operate on is what we are working on for Havana.

There is a blueprint for this already : https://blueprints.launchpad.net/keystone/+spec/policy-on-api-target

Henry

On 6 Jun 2013, at 15:42, Dolph Mathews wrote:

> We're on our way to supporting domain-based role assignments in policy.json, but it's not quite there in grizzly. Related bug:
> 
>   https://bugs.launchpad.net/keystone/+bug/1187198
> 
> (this should probably be turned into a blueprint)
> 
> -Dolph
> 
> On Thu, Jun 6, 2013 at 9:10 AM, Gaspareto, Otavio <otavio.barcelos-gaspareto at hp.com> wrote:
> Hi Dolph/Guang,
> 
>  
> 
> I’m implementing here a new role, called domain_admin, where the user with this role will be a manager inside his domain. For this, I’ve created this entry into the policy.json file:
> 
>  
> 
> "domain_admin_required" : [["role:domain_admin", "domain_id:%(domain_id)s"]],
> 
>  
> 
> Testing some services marked with this rule, and using an user that is a domain_admin I could perform operations in other domains, like create project.
> 
>  
> 
> So, my question: this rule "domain_id:%(domain_id)s" shouldn’t block operations on domains different from mine?
> 
>  
> 
> Another info, I’m using domain scoped authentication.
> 
>  
> 
> Thanks,
> 
>  
> 
> Otavio Gaspareto
> Software Designer
> 
> otavio.gaspareto at hp.com
> T +55 51 2121 3832
> Hewlett-Packard Company
> 6681 Ipiranga Ave.
> Porto Alegre, RS, 90619-900
> Brazil
> 
> <image001.png>
> 
> Please print thoughtfully
> 
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130606/8264e6c7/attachment.html>

More information about the OpenStack-dev mailing list