[openstack-dev] [panko][ceilometer][keystone] Support X-Is-Admin-Project

Innus, Martins minnus at buffalo.edu
Fri Sep 8 14:12:45 UTC 2017


Gord,

Thanks for the reply.

On Sep 7, 2017, at 4:15 PM, gordon chung <gord at live.ca> wrote:



On 2017-09-07 02:15 PM, Innus, Martins wrote:
The fix seems to be something like the attached patch and setting the appropriate configs in keystone.conf.


One curious thing is that with the default keystone config, requests from all projects have "X-Is-Admin-Project: True".

If I set admin_project_domain_name and admin_project_name, only then do the non-admin projects have the header set to False.

apologies, do you have more details on what 'X-Is-Admin-Project' is? i'm
not familiar with this header.


As far as I can tell it's meant for designating an overall cloud admin account. Reference to creation of the keystone config options:

https://review.openstack.org/#/c/240719/

Where the HEAT team seems to have used it for the same purpose, but by making changes in the policy.json:

https://review.openstack.org/#/c/316627/

But in my limited understanding of how Panko works, using the header seems to be the easiest way to get this functionality:

https://github.com/openstack/keystonemiddleware/commit/0562670d4e56c257aec8db5a2bb651b5e59fddb2


currently, the behaviour is that:
- a member of a project can only see its own events
- an admin of a project can see all the events of a project (and any
events without any project associated with it)

if this is the way of denoting a user is a 'super-admin' that has access
to all events, i'm ok with it.


Yeah, that’s what I’m going for, but as I said, I’ve barely started to scratch the surface of OpenStack, so there may be a better way of doing this.

Thanks

Martins
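
The event-visibility rules discussed in this thread, as an added sketch that is not part of the original messages and is not Panko's or keystonemiddleware's code. `parse_identity`, `visible_events` and the sample events are hypothetical; the sketch assumes the admin role is required alongside the header, because, as reported above, a default keystone config sets the header to True for every project.

```python
# Added illustration; hypothetical helpers, not Panko's implementation.
# Header names are the ones keystonemiddleware's auth_token passes downstream.

def parse_identity(headers):
    """Extract identity fields from request headers (case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    roles = {r.strip().lower() for r in h.get("x-roles", "").split(",") if r.strip()}
    return {
        "project_id": h.get("x-project-id") or None,
        "is_admin": "admin" in roles,
        # Fail closed: a missing header or any value other than "True" is False.
        "is_admin_project": h.get("x-is-admin-project", "").strip().lower() == "true",
    }


def visible_events(headers, events):
    """Return the events the caller may see.

    events: list of dicts with a "project_id" key (None = no project).
    """
    ident = parse_identity(headers)
    if ident["project_id"] is None:
        # Unscoped request: never let None match project-less events.
        return []
    # Super-admin: admin role AND a token scoped to the admin project.
    # Assumption: the role is checked too, since the header alone is
    # True for every project until admin_project_domain_name and
    # admin_project_name are set in keystone.
    if ident["is_admin"] and ident["is_admin_project"]:
        return list(events)
    if ident["is_admin"]:
        # Project admin: own project's events plus events with no project.
        return [e for e in events if e["project_id"] in (ident["project_id"], None)]
    # Plain member: own project's events only.
    return [e for e in events if e["project_id"] == ident["project_id"]]


# Constructed sample data.
EVENTS = [
    {"id": 1, "project_id": "proj-a"},
    {"id": 2, "project_id": "proj-b"},
    {"id": 3, "project_id": None},
]
```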
