[Openstack] restrict access for users between domains

Volodymyr Litovka doka.ua at gmx.com
Mon May 29 15:09:28 UTC 2017


Hi friends,

Is there a way to define a domain admin and restrict this person to accessing 
only his own domain?

At the moment (Ocata release), if I:
- create a domain with 'openstack domain create devtest'
- create a user in the domain with 'openstack user create udevtest --domain 
devtest --password xxxxxx'
- create a project in the domain with 'openstack project create devmin 
--domain devtest'
- assign the role 'admin' to the user on both the domain and the project:
  * openstack role add admin --user udevtest --domain devtest
  * openstack role add admin --project-domain devtest --project devmin 
--user udevtest

then, using the credentials of user 'udevtest':

OS_REGION_NAME=RegionOne
OS_DEFAULT_DOMAIN=devtest
OS_USER_DOMAIN_NAME=devtest
OS_PROJECT_DOMAIN_NAME=devtest
OS_PROJECT_NAME=devmin
OS_USERNAME=udevtest
OS_PASSWORD=xxxxxxxxx

OS_AUTH_STRATEGY=keystone
OS_IDENTITY_API_VERSION=3
OS_AUTH_URL=http://controller:5000/v3
OS_INTERFACE=internal

I'm able to get a list of all users and projects in the 'default' domain and, 
even more, add / delete users and projects in the 'default' domain.

In fact, user 'udevtest' has nothing to do with domain 'default', but is 
assigned the global role 'admin' - probably that is the problem, because 
policy.json's rule 'admin_required' is just a check for 'role:admin', 
which is true. On the other hand, if I create a role 'admin' specific to 
domain 'devtest' and assign it to the user on both the domain and the 
project in the domain, then I get the error "User 
f1c1cd3438c24255a2baa85f326dfc40 (which is udevtest) has no access to 
project 1dbbaf2fb0bc4d5da270e48d4a92bc62 (which is devmin)", so it seems 
local roles don't matter.

Is the only way (I hope it's a legacy way :-) ) to change policy.json (as 
some pages on the Internet suggest), or am I doing something wrong?

Thank you!

-- 
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison
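The behaviour the post describes comes down to how the 'admin_required' check string is evaluated. The following is an added example, not the poster's code and not oslo.policy itself: a small evaluator for the subset of oslo.policy check-string syntax the two rules use, run against a constructed token for 'udevtest'. The stock 'role:admin' rule is compared with a domain-matching rule modelled on keystone's policy.v3cloudsample.json; the credential and target dictionaries are assumptions constructed for the example.

```python
# Constructed policy fragments. WEAK_POLICY mirrors the Ocata default the
# poster describes (admin_required is just role:admin). SCOPED_POLICY is
# modelled on keystone's policy.v3cloudsample.json, where the admin role only
# counts when it was granted in the same domain as the target resource.
WEAK_POLICY = {
    "admin_required": "role:admin",
    "identity:list_users": "rule:admin_required",
}
SCOPED_POLICY = {
    "admin_required": "role:admin",
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_users": "rule:admin_and_matching_domain_id",
}


def _check(atom, creds, target, policy):
    """Evaluate one 'kind:value' atom (subset of oslo.policy check syntax)."""
    kind, _, value = atom.partition(":")
    value = value % target                     # expand %(attr)s from the target
    if kind == "rule":                         # reference to another named rule
        return enforce(value, creds, target, policy)
    if kind == "role":                         # role carried by the token
        return value in creds.get("roles", [])
    # generic attribute check: credential field must equal the expanded value
    return str(creds.get(kind)) == value


def enforce(rule, creds, target, policy):
    """Evaluate a check string; 'or' binds looser than 'and', no parentheses."""
    expr = policy.get(rule, rule)
    return any(
        all(_check(atom.strip(), creds, target, policy) for atom in conj.split(" and "))
        for conj in expr.split(" or ")
    )


# Constructed credentials for a token of udevtest scoped to project devmin.
# domain_id is assumed to be filled from the scoping domain, as keystone does.
UDEVTEST = {"user_id": "udevtest", "roles": ["admin"], "domain_id": "devtest"}


def can_list_users(policy, target_domain_id):
    """Would udevtest be allowed to list users of the given domain?"""
    target = {"domain_id": target_domain_id}
    return enforce("identity:list_users", UDEVTEST, target, policy)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        for domain in ("default", "devtest"):
            print(f"{name:6} policy, domain {domain:8}: {can_list_users(policy, domain)}")
```

Under the weak rule the devtest admin passes for the 'default' domain as well; under the domain-matching rule the same token is denied there and allowed only in 'devtest'.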
