[Openstack] muti-domain identity and security groups

Sameer Kumar openstack.user.16 at gmail.com
Mon Nov 7 05:46:07 UTC 2016


I have a single-machine DevStack (Mitaka) setup. I have enabled multi-domain
functionality and am able to create multiple domains in my setup through
Horizon.

I created 2 domains, Domain A and Domain B.

In Domain A, I created two projects, PRJ_A1 and PRJ_A2; similarly, in
Domain B I created PRJ_B1 and PRJ_B2.

In each project I created one instance, namely INST_A1_1, INST_A2_1,
INSTB1_1, INST_B2_1.



The following networks were created in the projects:

PRJ_A1 has a private network NET_1 (subnet 10.0.0.0)
PRJ_A2 has a public shared network NET_2 (subnet 120.20.20.0)
PRJ_A3 has a private shared network NET_3 (subnet 30.0.0.0)
PRJ_A4 has a public network NET_4 (subnet 140.40.40.0)



NET_2 and NET_3 are shared only with project PRJ_A1 through RBAC.

Domain A has the following users and roles:

Bob: admin role for PRJ_A1 and PRJ_A2
Nick: member role for PRJ_A1

Domain B has the following users and roles:

Ben: admin role for PRJ_A1
John: member role for PRJ_A1



The following Security Groups were created and attached to the instances:

SG1 for INST_A1_1
SG2 for INST_A2_1
SG3 for INST_A3_1
SG4 for INST_A4_1


I have the following questions:

1. Can I assign a role defined in another domain to a particular user
belonging to a different project and domain? How can this be achieved in
Mitaka? For example, can Bob be assigned the member role in PRJ_B1 of
Domain B while he originally belongs to PRJ_A1 of Domain A?

2. Is there a way to create "Security Group" rules for an instance and
define policies associated with a user and his role in a project? For
example, I want to allow certain users to use ssh and sftp functionality
on an instance but deny this access to other users. If not, is there any
alternative way to achieve the same?

3. Can a user with the admin role modify a shared network of a project
defined in another domain? For example, can Bob (admin role in PRJ_A1 of
Domain A) modify/delete ports on network NET_3, which belongs to PRJ_B1
of Domain B?