[Openstack-operators] Keystone permissions

Adam Young ayoung at redhat.com
Sat Apr 26 15:01:05 UTC 2014


On 04/26/2014 01:32 AM, Stuart Fox wrote:
> Hey all
>
> I'm having trouble figuring out how to grant a single user the right to create other users in a specific project only.
> I don’t want that user having admin rights to any other part of the system. Is that possible in the havana 2.2 release?
>
> BR,
> Stuart
> _______________________________________________
> OpenStack-operators mailing list
> OpenStack-operators at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators


You need a role: let's call it 'project-doorman'. You need to ensure 
that a user has that role on the specified project when calling any 
functions that add a role to a user.

For V2 that is managed by OS_KS_ADM, which can be found in 
keystone/contrib/admin.

'add_role_to_user'

Things are a little neater in V3.

You will need to have a rule in the policy file for add_role_to_user 
that enforces role:project-doorman.
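As an added illustration (not Adam's code and not Keystone's own): a small Python stand-in for oslo.policy rule evaluation, showing why the rule for the grant call needs a project match next to role:project-doorman, since a role check alone would let a doorman token add roles in any project. The target name identity:create_grant and the %(target.project.id)s substitution are assumptions to check against the policy.json shipped with your release.

```python
# Added, simplified stand-in for oslo.policy's rule evaluation (subset only:
# "kind:value" atoms joined by "and"/"or", plus rule: references). Not Keystone
# code. Policy target names and the target.project.id substitution are
# assumptions; verify them against your release's etc/policy.json.

STRICT = {  # constructed policy fragment in policy.json style
    "admin_required": "role:admin",
    # role must be held AND the token's project must equal the target project
    "doorman_in_project": "role:project-doorman and project_id:%(target.project.id)s",
    "identity:create_grant": "rule:admin_required or rule:doorman_in_project",
}
LOOSE = dict(STRICT, doorman_in_project="role:project-doorman")  # role only, no project match


def _flatten(d, prefix=""):
    """{'target': {'project': {'id': 'x'}}} -> {'target.project.id': 'x'}"""
    flat = {}
    for key, val in d.items():
        name = prefix + key
        if isinstance(val, dict):
            flat.update(_flatten(val, name + "."))
        else:
            flat[name] = val
    return flat


def _check(policy, atom, creds, target):
    """Evaluate one 'kind:value' atom against the token credentials."""
    kind, value = atom.strip().split(":", 1)
    value = value % _flatten(target)  # expand %(target.project.id)s and friends
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "rule":
        return enforce(policy, value, creds, target)
    return str(creds.get(kind)) == value  # generic credential attribute match


def enforce(policy, action, creds, target):
    """True if creds satisfy policy[action]; 'and' binds tighter than 'or'."""
    return any(
        all(_check(policy, atom, creds, target) for atom in clause.split(" and "))
        for clause in policy[action].split(" or ")
    )


def can_grant(policy, creds, project_id):
    """Would this token be allowed to add a role to a user in project_id?"""
    return enforce(policy, "identity:create_grant", creds,
                   {"target": {"project": {"id": project_id}}})


# Constructed credentials: a project-scoped token for proj-a holding the role.
DOORMAN = {"user_id": "stuart", "project_id": "proj-a", "roles": ["project-doorman"]}
ADMIN = {"user_id": "root", "project_id": "admin", "roles": ["admin"]}
```

With STRICT the doorman can grant only in proj-a; with LOOSE the same token passes for any project, which is the check to watch for when reviewing the policy file.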
