[Openstack] multi-domain identity and security groups
David Stanek
dstanek at dstanek.com
Thu Nov 17 14:29:01 UTC 2016
On 07-Nov 11:16, Sameer Kumar wrote:
>
> I have the following questions:
>
>
> 1. Can I assign a role defined in another domain to a particular
> user belonging to a different project & domain? How to achieve this in
> Mitaka? For example can Bob be assigned to a member role in PRJ_B1 of
> Domain B while he originally belongs to PRJ_A1 of Domain A?
You should be able to use the CLI to do this. I'm not sure about how it
can be done in horizon. Example command:

    openstack role add --user user_in_domainA --user-domain domainA --project project_in_domainB Member

Your example data seems to have already done this. Ben and John (from
domainB) have the member role on a project in domainA. Is this causing
you trouble?
>
> 2. Is there a way to create “Security Group” rules for an instance
> and define policies associated to a user and his role in a project? For
> example, I want to allow certain users to use ssh and sftp
> functionalities on an instance but deny this access to other users.
> If not, is there any alternative to achieve the same?
>
>
> 3. Can a user with admin role modify a shared network of a project
> defined in another domain? For example can Bob (admin role in PRJ_A1
> and Domain A) modify/delete ports on network NET_3 which belongs to
> PRJ_B1 of domain B?
I don't really know the answer to this, but I suspect that it depends on
the policy you have in place. What does your policy look like for those
operations?
--
david stanek
web: http://www.dstanek.com
blog: http://www.traceback.org