[Openstack] muti-domain identity and security groups

Sameer Kumar openstack.user.16 at gmail.com
Mon Nov 7 05:46:07 UTC 2016

I have a single machine DevStack (Mitaka) setup. I have enabled multi
domain functionality and am able to create multiple domains in my
setup through Horizon.

I created 2 domains, Domain A and Domain B.

In Domain A, I created two projects PRJ_A1 and PRJ_A2 similarly in
Domain B I created PRJ_B1 and PRJ_B2.

In each project I created one instance namely INST_A1_1, INST_A2_1,
INSTB1_1, INST_B2_1.

Following networks were created in projects :

PRJ_A1 has a private network NET_1 (subnet

PRJ_A2 has a public shared network NET_2 (subnet

PRJ_A3 has a private shared network NET_3 (subnet

PRJ_A4 public network NET_4 (subnet

NET_2 and NET_3 are shared only with project PRJ_A1 through RBAC

Domain A has following users and roles:

Bob admin role for PRJ_A1 and PRJ_A2

Nick member role for PRJ_A1

Domain B has following users and roles:

Ben admin role for PRJ_A1

John member role for PRJ_A1

Following Security Groups were created and attached to instances :

SG1 for INST_A1_1

SG2 for INST_A2_1

SG3 for INST_A3_1

SG4 for INST_A4_1

I have following questions:

1.     Can I assign a role defined in another domain to particular
user belonging to a different project & domain? How to achieve this in
Mitaka? For example can Bob be assigned to a member role in PRJ_B1 of
Domain B while he originally belongs to PRJ_A1 of Domain A?

2.     Is there a way to create “Security Group” rules for an instance
and define policies associated to user and his role in a project? For
example, I want to allow certain users to use ssh and sftp
functionalities on an instance but deny these access to other users?
If not, is there any alternate to achieve the same.

3.     Can a user with admin role modify a shared network of project
defined in another domain? For example can Bob (admin role in PRJ_A1
and Domain A) modify/delete ports on network NET_3 which belongs to a
PRJ_B1 of domain B?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20161107/9593f343/attachment.html>

More information about the Openstack mailing list