[keystone] Token

Adam Tomas bkslash at poczta.onet.pl
Mon Apr 26 13:50:25 UTC 2021


Hello,
really no one knows how to do it?
Best regards,
Adam

> Wiadomość napisana przez Adam Tomas <bkslash at poczta.onet.pl> w dniu 23.04.2021, o godz. 14:54:
> 
> Hi 
> Which CLI setting sets domain_id field in a token? I tried 
> 
> openstack —os-domain-id SOME_OS_COMMAND, 
> openstack —os-default-domain SOME_OS_COMMAND, 
> openstack —os-default-domain_id SOME_OS_COMMAND
> 
> but none of them sets this field and policies checking domain_id:%(domain_id) don’t work because of that. Interesting thing is that horizon somehow generates token with domain_id set and everything works with the same policies, I have a problem only with CLI. Can user_domain_id (which is inside of every token is see for particular user) be used instead of domain_id? 
> 
> Example token from CLI:
> 2021-04-23 12:16:38.090 700 DEBUG keystone.server.flask.request_processing.middleware.auth_context [req-117bc600-490e-46ae-a857-0c8d09dc1dbc 9adbxxxxb02ef 61d4xxxx9c0f - 3a08xxxx82c1 3a08xxxx82c1] RBAC: auth_context: {'token': <TokenModel (audit_id=BLWXSpdbTvqc0YS9WzStjQ, audit_chain_id=['BLWXSpdbTvqc0YS9WzStjQ']) at 0x7f8c390aaca0>,
> 'domain_id': None, 'trust_id': None, 'trustor_id': None, 'trustee_id': None, 'domain_name': None, 'group_ids': [], 'user_id': '9adbxxxx02ef', 'user_domain_id': '3a08xxxx82c1', 'system_scope': None, 'project_id': '61d4xxxx9c0f', 'project_domain_id': '3a08xxxx82c1', 'roles': ['member', 'project_admin', 'reader', 'domain_admin'], 'is_admin_project': True, 'service_user_id': None, 'service_user_domain_id': None, 'service_project_id': None, 'service_project_domain_id': None, 'service_roles': []} fill_context /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/middleware/auth_context.py:478
> 
> Example token from Horizon:
> 2021-04-23 12:48:21.009 704 DEBUG keystone.server.flask.request_processing.middleware.auth_context [req-d6d89d3e-c3c1-48c0-b3ed-b3dcedb54db3 9adbxxxx02ef - 3a08xxxx82c1 3a08xxxx82c1 -] RBAC: auth_context: {'token': <TokenModel (audit_id=ZHltw2esTJyTRnFlgHetog, audit_chain_id=['ZHltw2esTJyTRnFlgHetog', 'iJGq-E9fQKKXdZaZq72MQw']) at 0x7f8c3a1b4460>, 'domain_id': '3a08xxx82c1', 'trust_id': None, 'trustor_id': None, 'trustee_id': None, 'domain_name': ‚xxxx', 'group_ids': [], 'user_id': '9adbxxxx02ef', 'user_domain_id': '3a08xxxx82c1', 'system_scope': None, 'project_id': None, 'project_domain_id': None, 'roles': ['project_admin', 'member', 'reader', 'domain_admin'], 'is_admin_project': False, 'service_user_id': None, 'service_user_domain_id': None, 'service_project_id': None, 'service_project_domain_id': None, 'service_roles': []} fill_context /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/middleware/auth_context.py:478
> 
> Best regards
> Adam

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20210426/417d7d69/attachment-0001.html>


More information about the openstack-discuss mailing list