[openstack-dev] [keystone] domain admin role query
Florent Flament
florent.flament-ext at cloudwatt.com
Sat Jan 18 19:14:21 UTC 2014
Hi,
Following up on this thread (although late), I have detailed the steps
for getting Keystone properly set up with multiple domains:
http://www.florentflament.com/blog/setting-keystone-v3-domains.html
I hope that it may be useful for people willing to play with the
Identity v3 API and domains.
Florent Flament
On Wed, 2013-12-18 at 12:10 -0800, Ravi Chunduru wrote:
> Thanks Dolph,
> It worked now. I specified the domain id in the scope.
>
>
> -Ravi.
>
>
> On Wed, Dec 18, 2013 at 12:05 PM, Ravi Chunduru <ravivsn at gmail.com>
> wrote:
> Hi Dolph,
> I don't have a project yet to use in the scope. The intention
> is to get a token using domain admin credentials and create
> a project using it.
>
>
> Thanks,
> -Ravi.
>
>
> On Wed, Dec 18, 2013 at 11:39 AM, Dolph Mathews
> <dolph.mathews at gmail.com> wrote:
>
> On Wed, Dec 18, 2013 at 12:48 PM, Ravi Chunduru
> <ravivsn at gmail.com> wrote:
> Thanks all for the information.
> I now have v3 policies in place; the issue is
> that as a domain admin I could not create a
> project in the domain. I get a 403 unauthorized
> status.
>
>
> I see that when I request a token as a 'domain admin',
> the response did not have any roles.
> In the token request, I couldn't specify the
> project, as we are about to create the
> project in the next step.
>
>
> Specify a domain as the "scope" to obtain domain-level
> authorization in the resulting token.
>
>
> See the third example under Scope:
>
>
> https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#scope-scope
>
>
>
> Here is the complete request/response of all
> the steps done.
> https://gist.github.com/kumarcv/8015275
>
>
>
> I am assuming it's a bug. Please let me know
> your opinions.
>
>
> Thanks,
> -Ravi.
>
>
>
>
>
>
> On Thu, Dec 12, 2013 at 3:00 PM, Henry Nash
> <henryn at linux.vnet.ibm.com> wrote:
> Hi
>
> So the idea wasn't that you create a
> domain with the id of
> 'domain_admin_id', but rather that you
> create the domain that you plan to use
> for your admin domain, and then paste
> its (auto-generated) domain_id into
> the policy file.
>
> Henry
> On 12 Dec 2013, at 03:11, Paul
> Belanger
> <paul.belanger at polybeacon.com> wrote:
>
> > On 13-12-11 11:18 AM, Lyle, David wrote:
> >> +1 on moving the domain admin role
> rules to the default policy.json
> >>
> >> -David Lyle
> >>
> >> From: Dolph Mathews
> [mailto:dolph.mathews at gmail.com]
> >> Sent: Wednesday, December 11, 2013
> 9:04 AM
> >> To: OpenStack Development Mailing
> List (not for usage questions)
> >> Subject: Re: [openstack-dev]
> [keystone] domain admin role query
> >>
> >>
> >> On Tue, Dec 10, 2013 at 10:49 PM,
> Jamie Lennox <jamielennox at redhat.com>
> wrote:
> >> Using the default policies it will
> simply check for the admin role and
> not care about the domain that admin
> is limited to. This is partially a
> leftover from the V2 API when there
> weren't domains to worry about.
> >>
> >> A better example of policies is in
> the file
> etc/policy.v3cloudsample.json. In
> there you will see the rule for
> create_project is:
> >>
> >> "identity:create_project":
> "rule:admin_required and domain_id:
> %(project.domain_id)s",
> >>
> >> as opposed to (in policy.json):
> >>
> >> "identity:create_project":
> "rule:admin_required",
> >>
> >> This is what you are looking for to
> scope the admin role to a domain.
> >>
> >> We need to start moving the rules
> from policy.v3cloudsample.json to the
> default policy.json =)
> >>
> >>
> >> Jamie
> >>
> >> ----- Original Message -----
> >>> From: "Ravi Chunduru"
> <ravivsn at gmail.com>
> >>> To: "OpenStack Development Mailing
> List"
> <openstack-dev at lists.openstack.org>
> >>> Sent: Wednesday, 11 December, 2013
> 11:23:15 AM
> >>> Subject: [openstack-dev]
> [keystone] domain admin role query
> >>>
> >>> Hi,
> >>> I am trying out Keystone V3 APIs
> and domains.
> >>> I created a domain, created a
> project in that domain, created a
> user in
> >>> that domain and project.
> >>> Next, gave an admin role for that
> user in that domain.
> >>>
> >>> I am assuming that user is now
> an admin of that domain.
> >>> Now, I got a scoped token with
> that user, domain and project. With
> that
> >>> token, I tried to create a new
> project in that domain. It worked.
> >>>
> >>> But, using the same token, I could
> also create a new project in a
> 'default'
> >>> domain too. I expected it to
> throw an authentication error. Is it a
> bug?
> >>>
> >>> Thanks,
> >>> --
> >>> Ravi
> >>>
> >
> > One of the issues I had this week
> while using the
> policy.v3cloudsample.json was that I had no
> easy way of creating a domain with the
> id of 'admin_domain_id'. I basically
> had to modify the SQL directly to do
> it.
> >
> > Any chance we can create a 2nd
> domain using 'admin_domain_id' via
> keystone-manage sync_db?
> >
> > --
> > Paul Belanger | PolyBeacon, Inc.
> > Jabber: paul.belanger at polybeacon.com
> | IRC: pabelanger (Freenode)
> > Github:
> https://github.com/pabelanger |
> Twitter:
> https://twitter.com/pabelanger
> >
> >
> _______________________________________________
> > OpenStack-dev mailing list
> > OpenStack-dev at lists.openstack.org
> >
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
>
>
>
>
>
>
>
>
> --
> Ravi
>
>
>
>
>
>
>
> --
>
>
> -Dolph
>
>
>
>
>
>
> --
> Ravi
>
>
>
>
>
> --
> Ravi
>
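As an added example, not taken from the thread above or from Keystone's own code: a small Python evaluator for the subset of policy syntax quoted in Jamie Lennox's reply, which puts the default policy.json rule for identity:create_project beside the policy.v3cloudsample.json rule and also builds the domain-scoped auth request body Dolph Mathews points to. The rule strings and the rule:, role: and %(project.domain_id)s syntax are the ones quoted in the thread; the user id, domain ids and the evaluator itself are constructed stand-ins for Keystone's real policy engine and token format.

```python
"""Added example (not from the thread or from Keystone): evaluate the two
identity:create_project rules quoted above against credentials from a
domain-scoped token, to show which one actually confines a domain admin
to its own domain.  Ids and role names are constructed sample values."""

# The two rules quoted in the thread, side by side.  admin_required is
# assumed to be the usual "role:admin" rule.
DEFAULT_POLICY = {
    "admin_required": "role:admin",
    "identity:create_project": "rule:admin_required",
}

V3CLOUDSAMPLE_POLICY = {
    "admin_required": "role:admin",
    "identity:create_project":
        "rule:admin_required and domain_id:%(project.domain_id)s",
}


def domain_scoped_auth_request(user_id, password, domain_id):
    """Body of a v3 POST /auth/tokens request with a *domain* scope: this is
    how a domain admin gets domain-level roles into a token before any
    project exists (no project scope is required)."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {"user": {"id": user_id, "password": password}},
            },
            "scope": {"domain": {"id": domain_id}},
        }
    }


def _lookup(target, dotted):
    """Resolve a dotted path such as 'project.domain_id' in the target dict."""
    for part in dotted.split("."):
        target = target[part]
    return target


def check(policy, rule_name, creds, target):
    """Evaluate one rule.  Supported grammar (the subset on the page):
    'rule:<name>', 'role:<name>', '<cred_key>:%(<target.path>)s', joined
    by ' and '.  Hypothetical stand-in for Keystone's policy engine."""
    for clause in policy[rule_name].split(" and "):
        kind, _, value = clause.partition(":")
        if kind == "rule":
            if not check(policy, value, creds, target):
                return False
        elif kind == "role":
            if value not in creds.get("roles", []):
                return False
        elif value.startswith("%(") and value.endswith(")s"):
            # Generic check: the token attribute must equal the target attribute,
            # e.g. the token's domain_id against the new project's domain_id.
            if str(creds.get(kind)) != str(_lookup(target, value[2:-2])):
                return False
        else:
            raise ValueError("unsupported clause: %r" % clause)
    return True


def can_create_project(policy, token_creds, project_domain_id):
    """Would this token be allowed to create a project in that domain?"""
    target = {"project": {"domain_id": project_domain_id}}
    return check(policy, "identity:create_project", token_creds, target)


# Constructed credentials as a domain-scoped token exposes them to policy:
# the admin role held on domain "d-acme" only.
ACME_ADMIN = {"user_id": "u-ravi", "roles": ["admin"], "domain_id": "d-acme"}


if __name__ == "__main__":
    for name, policy in [("policy.json", DEFAULT_POLICY),
                         ("policy.v3cloudsample.json", V3CLOUDSAMPLE_POLICY)]:
        own = can_create_project(policy, ACME_ADMIN, "d-acme")
        other = can_create_project(policy, ACME_ADMIN, "default")
        print("%-26s own domain: %s  other domain: %s" % (name, own, other))
```

Under the default rule the admin role alone is enough, so the constructed d-acme admin can also create projects in the default domain, which is the behaviour the original question reports; under the v3cloudsample rule the domain_id carried by the domain-scoped token has to match the new project's domain, so the same token is refused outside d-acme, and a token obtained without a domain scope carries no roles and is refused everywhere, matching the 403 seen in the thread.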