Thanks all for the information. I have now v3 policies in place, the issue is that as a domain admin I could not create a project in the domain. I get 403 unauthorized status.
I see that when, as a 'domain admin', I request a token, the response did not have any roles. In the token request, I couldn't specify the project, as we are about to create the project in the next step. Here is the complete request/response of all the steps done: https://gist.github.com/kumarcv/8015275

I am assuming it's a bug. Please let me know your opinions.

Thanks,
-Ravi.

On Thu, Dec 12, 2013 at 3:00 PM, Henry Nash <[email protected]> wrote:

> Hi
>
> So the idea wasn't that you create a domain with the id of 'domain_admin_id', rather that you create the domain that you plan to use for your admin domain, and then paste its (auto-generated) domain_id into the policy file.
>
> Henry
>
> On 12 Dec 2013, at 03:11, Paul Belanger <[email protected]> wrote:
>
> > On 13-12-11 11:18 AM, Lyle, David wrote:
> >> +1 on moving the domain admin role rules to the default policy.json
> >>
> >> -David Lyle
> >>
> >> From: Dolph Mathews [mailto:[email protected]]
> >> Sent: Wednesday, December 11, 2013 9:04 AM
> >> To: OpenStack Development Mailing List (not for usage questions)
> >> Subject: Re: [openstack-dev] [keystone] domain admin role query
> >>
> >> On Tue, Dec 10, 2013 at 10:49 PM, Jamie Lennox <[email protected]> wrote:
> >> Using the default policies it will simply check for the admin role and not care about the domain that admin is limited to. This is partially a left over from the V2 api when there weren't domains to worry about.
> >>
> >> A better example of policies is in the file etc/policy.v3cloudsample.json. In there you will see the rule for create_project is:
> >>
> >> "identity:create_project": "rule:admin_required and domain_id:%(project.domain_id)s",
> >>
> >> as opposed to (in policy.json):
> >>
> >> "identity:create_project": "rule:admin_required",
> >>
> >> This is what you are looking for to scope the admin role to a domain.
> >>
> >> We need to start moving the rules from policy.v3cloudsample.json to the default policy.json =)
> >>
> >> Jamie
> >>
> >> ----- Original Message -----
> >>> From: "Ravi Chunduru" <[email protected]>
> >>> To: "OpenStack Development Mailing List" <[email protected]>
> >>> Sent: Wednesday, 11 December, 2013 11:23:15 AM
> >>> Subject: [openstack-dev] [keystone] domain admin role query
> >>>
> >>> Hi,
> >>> I am trying out Keystone V3 APIs and domains.
> >>> I created a domain, created a project in that domain, created a user in that domain and project.
> >>> Next, gave an admin role for that user in that domain.
> >>>
> >>> I am assuming that user is now admin to that domain.
> >>> Now, I got a scoped token with that user, domain and project. With that token, I tried to create a new project in that domain. It worked.
> >>>
> >>> But, using the same token, I could also create a new project in a 'default' domain too. I expected it should throw an authentication error. Is it a bug?
> >>>
> >>> Thanks,
> >>> --
> >>> Ravi
> >
> > One of the issues I had this week while using the policy.v3cloudsample.json was I had no easy way of creating a domain with the id of 'admin_domain_id'. I basically had to modify the SQL directly to do it.
> >
> > Any chance we can create a 2nd domain using 'admin_domain_id' via keystone-manage sync_db?
> >
> > --
> > Paul Belanger | PolyBeacon, Inc.
> > Jabber: [email protected] | IRC: pabelanger (Freenode)
> > Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger

--
Ravi
_______________________________________________ OpenStack-dev mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
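An added example, not code from the thread or from Keystone: a constructed, simplified evaluator for the rule syntax Jamie quotes, run over the two create_project rules. The evaluator is a stand-in for oslo.policy, the policy dicts mirror only the quoted rules, and the domain id "d-ravi" and the two credential dicts are constructed. It shows the default rule letting a domain admin create a project in the 'default' domain (what Ravi first reported), the v3cloudsample rule refusing that while still allowing it in the admin's own domain, and a token with no roles failing admin_required under either rule.

```python
import re
# Constructed stand-in for Keystone's policy enforcer (NOT oslo.policy): it handles
# only the forms quoted in the thread: "rule:<name>", "role:<name>",
# "<attr>:%(target.path)s", joined by "and" / "or".

DEFAULT_POLICY = {  # shape of the etc/policy.json rule Jamie quotes
    "admin_required": "role:admin",
    "identity:create_project": "rule:admin_required",
}
V3CLOUD_POLICY = {  # shape of the etc/policy.v3cloudsample.json rule Jamie quotes
    "admin_required": "role:admin",
    "identity:create_project": "rule:admin_required and domain_id:%(project.domain_id)s",
}

def _lookup(target, dotted):
    # resolve e.g. "project.domain_id" against the request target
    value = target
    for key in dotted.split("."):
        value = value[key]
    return value

def _atom(atom, rules, target, creds):
    kind, _, arg = atom.partition(":")
    if kind == "rule":                       # reference to another named rule
        return _expr(rules[arg], rules, target, creds)
    if kind == "role":                       # role carried by the token
        return arg in creds.get("roles", [])
    # generic check: the token attribute (here domain_id) must equal the target
    # field (the domain the new project is being placed in)
    m = re.fullmatch(r"%\((.+)\)s", arg)
    expected = _lookup(target, m.group(1)) if m else arg
    return creds.get(kind) == expected

def _expr(expr, rules, target, creds):
    if " or " in expr:                       # "or" binds loosest, then "and"
        return any(_expr(p, rules, target, creds) for p in expr.split(" or "))
    if " and " in expr:
        return all(_expr(p, rules, target, creds) for p in expr.split(" and "))
    return _atom(expr.strip(), rules, target, creds)

def can_create_project(rules, creds, project_domain_id):
    # True when the token's creds pass identity:create_project for that domain
    target = {"project": {"domain_id": project_domain_id}}
    return _expr(rules["identity:create_project"], rules, target, creds)

# Constructed credentials: a token scoped to domain "d-ravi" that carries 'admin',
# and the role-less domain-scoped token Ravi describes in his reply.
DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "d-ravi"}
NO_ROLES = {"roles": [], "domain_id": "d-ravi"}
```

A role-less token fails admin_required before the domain_id comparison is reached, so the roles listed in the token response are the first thing to check when create_project returns 403.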
