[Openstack] multi-domain identity and security groups

David Stanek dstanek at dstanek.com
Thu Nov 17 14:29:01 UTC 2016

On 07-Nov 11:16, Sameer Kumar wrote:
> I have the following questions:
> 1.     Can I assign a role defined in another domain to particular
> user belonging to a different project & domain? How to achieve this in
> Mitaka? For example can Bob be assigned to a member role in PRJ_B1 of
> Domain B while he originally belongs to PRJ_A1 of Domain A?

You should be able to use the CLI to do this. I'm not sure about how it
can be done in horizon. Example command:

  openstack role add --user user_in_domainA --user-domain domainA --project project_in_domainB Member 

Your example data seems to have already done this. Ben and John (from
domainB) have the member role on a project in domainA. Is this causing
you trouble?

> 2.     Is there a way to create “Security Group” rules for an instance
> and define policies associated to user and his role in a project? For
> example, I want to allow certain users to use ssh and sftp
> functionalities on an instance but deny these access to other users?
> If not, is there any alternate to achieve the same.
> 3.     Can a user with admin role modify a shared network of project
> defined in another domain? For example can Bob (admin role in PRJ_A1
> and Domain A) modify/delete ports on network NET_3 which belongs to a
> PRJ_B1 of domain B?

I don't really know the answer to this, but I suspect that it depends on
the policy you have in place. What does your policy look like for those

david stanek
web: http://www.dstanek.com
blog: http://www.traceback.org
