[openstack-dev] Mitaka: Identity V3 status and observations using domains

Nick Papadonis npapadonis at gmail.com
Sat Aug 20 03:47:47 UTC 2016


Note that I'm creating all of this using the OS_TOKEN instead of going
through the API.  I wonder if that is causing the issue?

So far, my suspicions are that IDv3 with domains isn't fully baked in the
Mitaka bits.

On Fri, Aug 19, 2016 at 3:19 PM, Nick Papadonis <npapadonis at gmail.com>
wrote:

> Hi Folks,
>
> I'm playing with IDv3 in Mitaka and it doesn't seem to work as I'd
> expect.  Hopefully I'm understanding the way domains work.  The strategy is
> to create a top level cloud_admin_dom and super user.  Then create a
> default domain and admin user and default project and admin user.  Then
> create another dom_0001 to test projects in a different domain.
>
> The cloud_admin user works fine and appears to have privileges to do most
> things.  Now, when I use the default domain admin user or default domain
> default project admin user, I either get authentication issues from
> Keystone or the policy json isn't allowing the default domain admin (not in
> a project) to do things like list projects or users.  It appears folks have
> used this a few different ways and appreciate insight from your experience.
>
> As I understand the process (please correct me) is:
>
> function get_id () {
>     echo `"$@" | grep ' id ' | awk '{print $4}'`
> }
>
> # Create admin role
> admin_role_id=$(get_id openstack role create admin)
>
> # Create Cloud Admin Domain
> cloud_admin_dom_id=$(get_id openstack domain create \
>         --description "Cloud Admin Domain" cloud_admin_dom)
>
> # Update policy for domain ID
> cat /etc/keystone/policy.v3cloudsample.json | \
>     sed -e "s/admin_domain_id/${cloud_admin_dom_id}/g" >
> /etc/keystone/policy.json
>
> # Create admin user for cloud admin domain
> cloud_admin_user_id=$(get_id openstack user create \
>         --password secrete \
>         --domain "${cloud_admin_dom_id}" \
>         --description "Cloud Admin Domain Admin" \
>         admin_cloud_admin_dom)
>
> # Assign admin role to admin user
> openstack role add --domain "${cloud_admin_dom_id}" \
>                    --user "${cloud_admin_user_id}" \
>                    "${admin_role_id}"
>
> # Create default domain (for legacy services)
> def_dom_id=$(get_id openstack domain create \
>             --description "Default Domain" default)
>
> # Create admin user for default domain
> def_user_id=$(get_id openstack user create \
>             --password secrete \
>             --domain "${def_dom_id}" \
>             --description "Default Domain Admin" \
>             admin_default_dom)
>
> # Assign admin role to admin user
> openstack role add --domain "${def_dom_id}" \
>                    --user "${def_user_id}" \
>                    --inherited \
>                    "${admin_role_id}"
>
> # Create default project in default domain (for legacy services)
> project_id=$(get_id openstack project create "${DEFAULT_PROJECT}" \
>     --description "Default Project" --domain "${cloud_admin_dom_id}"
> --enable)
>
> # Create admin user for default project in default domain
> user_id=$(get_id openstack user create admin_dom_default_proj_default \
>     --project "${project_id}" \
>     --password secrete \
>     --domain "${def_dom_id}")
>
> # Assign admin role to admin user in default domain and default project
> openstack role add --project "${project_id}" \
>                    --user "${user_id}" \
>                    --inherited \
>                    "${admin_role_id}"
>
> # Create service role
> service_role_id=$(get_id openstack role create service)
>
> # Create service project in default domain
> project_id=$(get_id openstack project create service \
>     --description "Service Tenant" --domain "${def_dom_id}" --enable)
>
> # Create service project admin in default domain
> user_id=$(get_id openstack user create admin_default_dom_proj_service \
>     --project "${project_id}" \
>     --password secrete \
>     --domain "${def_dom_id}")
>
> # Assign admin role to admin user in service project
> openstack role add --domain "${def_dom_id}" \
>                    --user "${user_id}" \
>                    --inherited \
>                    "${admin_role_id}"
>
> # First other Domain - dom_0001
> dom_id=$(get_id openstack domain create \
>             --description "Default Domain" dom_0001
>
> # Create admin user for dom_0001
> user_id=$(get_id openstack user create \
>             --password secrete \
>             --domain "${dom_id}" \
>             --description "dom_0001 Admin" \
>             admin_dom_0001)
>
> # Assign admin role to admin_dom_0001 in domain dom_0001
> openstack role add --domain "${dom_id}" \
>                    --user "${user_id}" \
>                    --user-domain "${dom_id}" \
>                    --inherited \
>                    "${admin_role_id}"
>
> ==
>
> Also note, when adding:
> #--project-domain "${cloud_admin_dom_id}" \
>  #--user-domain "${def_dom_id}" \
>
> to openstack role add, I'm finding that OSC complains the user ID doesn't
> exist in that specified domain, when OSC user list --log shows it does. Odd
>
> Thanks,
> Nick
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160819/70353b74/attachment.html>


More information about the OpenStack-dev mailing list