Hi,

Following up on this thread (although late), I have detailed the steps allowing to have Keystone with multiple domains properly set: http://www.florentflament.com/blog/setting-keystone-v3-domains.html

I hope that it may be useful for people willing to play with the Identity v3 API and domains.

Florent Flament

On Wed, 2013-12-18 at 12:10 -0800, Ravi Chunduru wrote:
> Thanks Dolph,
> It worked now. I specified domain id in the scope.
>
> -Ravi.
>
> On Wed, Dec 18, 2013 at 12:05 PM, Ravi Chunduru <ravi...@gmail.com> wrote:
> Hi Dolph,
> I don't have a project yet to use in the scope. The intention is to get a token using domain admin credentials and create a project using it.
>
> Thanks,
> -Ravi.
>
> On Wed, Dec 18, 2013 at 11:39 AM, Dolph Mathews <dolph.math...@gmail.com> wrote:
>
> On Wed, Dec 18, 2013 at 12:48 PM, Ravi Chunduru <ravi...@gmail.com> wrote:
> Thanks all for the information.
> I have now v3 policies in place; the issue is that as a domain admin I could not create a project in the domain. I get 403 unauthorized status.
>
> I see that when I, as a 'domain admin', request a token, the response did not have any roles. In the token request, I couldn't specify the project, as we are about to create the project in the next step.
>
> Specify a domain as the "scope" to obtain domain-level authorization in the resulting token.
>
> See the third example under Scope:
> https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#scope-scope
>
> Here is the complete request/response of all the steps done.
> https://gist.github.com/kumarcv/8015275
>
> I am assuming it's a bug. Please let me know your opinions.
>
> Thanks,
> -Ravi.
>
> On Thu, Dec 12, 2013 at 3:00 PM, Henry Nash <hen...@linux.vnet.ibm.com> wrote:
> Hi
>
> So the idea wasn't that you create a domain with the id of 'domain_admin_id', rather that you create the domain that you plan to use for your admin domain, and then paste its (auto-generated) domain_id into the policy file.
>
> Henry
>
> On 12 Dec 2013, at 03:11, Paul Belanger <paul.belan...@polybeacon.com> wrote:
>
> > On 13-12-11 11:18 AM, Lyle, David wrote:
> >> +1 on moving the domain admin role rules to the default policy.json
> >>
> >> -David Lyle
> >>
> >> From: Dolph Mathews [mailto:dolph.math...@gmail.com]
> >> Sent: Wednesday, December 11, 2013 9:04 AM
> >> To: OpenStack Development Mailing List (not for usage questions)
> >> Subject: Re: [openstack-dev] [keystone] domain admin role query
> >>
> >> On Tue, Dec 10, 2013 at 10:49 PM, Jamie Lennox <jamielen...@redhat.com> wrote:
> >> Using the default policies it will simply check for the admin role and not care about the domain that admin is limited to. This is partially a leftover from the V2 API when there weren't domains to worry about.
> >>
> >> A better example of policies is in the file etc/policy.v3cloudsample.json. In there you will see the rule for create_project is:
> >>
> >> "identity:create_project": "rule:admin_required and domain_id:%(project.domain_id)s",
> >>
> >> as opposed to (in policy.json):
> >>
> >> "identity:create_project": "rule:admin_required",
> >>
> >> This is what you are looking for to scope the admin role to a domain.
> >>
> >> We need to start moving the rules from policy.v3cloudsample.json to the default policy.json =)
> >>
> >> Jamie
> >>
> >> ----- Original Message -----
> >>> From: "Ravi Chunduru" <ravi...@gmail.com>
> >>> To: "OpenStack Development Mailing List" <openstack-dev@lists.openstack.org>
> >>> Sent: Wednesday, 11 December, 2013 11:23:15 AM
> >>> Subject: [openstack-dev] [keystone] domain admin role query
> >>>
> >>> Hi,
> >>> I am trying out Keystone V3 APIs and domains.
> >>> I created a domain, created a project in that domain, created a user in that domain and project.
> >>> Next, gave an admin role for that user in that domain.
> >>>
> >>> I am assuming that user is now admin to that domain.
> >>> Now, I got a scoped token with that user, domain and project. With that token, I tried to create a new project in that domain. It worked.
> >>>
> >>> But, using the same token, I could also create a new project in a 'default' domain too. I expected it should throw an authentication error. Is it a bug?
> >>>
> >>> Thanks,
> >>> --
> >>> Ravi
> >>>
> > One of the issues I had this week while using the policy.v3cloudsample.json was I had no easy way of creating a domain with the id of 'admin_domain_id'. I basically had to modify the SQL directly to do it.
> >
> > Any chance we can create a 2nd domain using 'admin_domain_id' via keystone-manage sync_db?
> >
> > --
> > Paul Belanger | PolyBeacon, Inc.
> > Jabber: paul.belan...@polybeacon.com | IRC: pabelanger (Freenode)
> > Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger
> >
> > _______________________________________________
> > OpenStack-dev mailing list
> > OpenStack-dev@lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
> --
> Ravi
>
> --
> -Dolph
>
> --
> Ravi
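As an added example (not code from the thread, from Keystone or from oslo.policy), the Python below reproduces the two points the thread turns on: the domain-scoped v3 token request Dolph points Ravi to, and the difference between the create_project rules Jamie quotes from policy.json and policy.v3cloudsample.json. The rule evaluator is a deliberately simplified model of how those particular checks (rule:, role:, and the creds-vs-target comparison) behave, not the real policy engine; the domain ids, user name and password are constructed.

```python
"""Domain-scoped v3 auth request and a minimal model of the two
identity:create_project rules quoted in the thread (added example;
not Keystone or oslo.policy code)."""

# The rule sets quoted in the thread, reduced to what create_project needs.
# The two create_project rules are verbatim from Jamie's message; the
# admin_required definition is the usual keystone one.
DEFAULT_POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "identity:create_project": "rule:admin_required",
}

V3CLOUDSAMPLE_POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "identity:create_project":
        "rule:admin_required and domain_id:%(project.domain_id)s",
}


def domain_scoped_auth_request(user_name, user_domain_id, password, scope_domain_id):
    """Body for POST /v3/auth/tokens requesting a domain-scoped token.

    This is the 'domain as scope' form from the Identity v3 spec: no project
    is named, so it can be used before any project exists in the domain.
    """
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": user_name,
                        "domain": {"id": user_domain_id},
                        "password": password,
                    }
                },
            },
            "scope": {"domain": {"id": scope_domain_id}},
        }
    }


def _check(term, creds, target, rules):
    """Evaluate one 'kind:match' check (simplified model of oslo.policy).

    rule:NAME recurses into another rule, role:NAME looks for a role in
    the credentials, and any other kind compares creds[kind] with the
    match value, after %(key)s substitution from the flattened target.
    """
    kind, _, match = term.partition(":")
    if "%(" in match:
        match = match % target  # e.g. %(project.domain_id)s -> target domain
    if kind == "rule":
        return _evaluate(rules[match], creds, target, rules)
    if kind == "role":
        return match in creds.get("roles", [])
    return str(creds.get(kind)) == match


def _evaluate(expression, creds, target, rules):
    """'a and b or c' with 'and' binding tighter than 'or'.

    Enough for the rules above; parentheses and 'not' are not modelled.
    """
    return any(
        all(_check(term.strip(), creds, target, rules)
            for term in group.split(" and "))
        for group in expression.split(" or ")
    )


def can_create_project(rules, token, target_domain_id):
    """Would identity:create_project pass for this token and target domain?

    `token` models what keystone takes from a validated v3 token: the
    scope's domain_id (None for project-scoped or unscoped tokens) and the
    roles granted on that scope. `target_domain_id` is the domain of the
    project being created.
    """
    creds = {"domain_id": token.get("domain_id"), "roles": token.get("roles", [])}
    target = {"project.domain_id": target_domain_id}
    return _evaluate(rules["identity:create_project"], creds, target, rules)


if __name__ == "__main__":
    # Constructed scenario: 'alice' holds admin on domain 'dom_a' and tries to
    # create a project in her own domain and in the 'default' domain.
    admin_token = {"domain_id": "dom_a", "roles": ["admin"]}
    for name, rules in (("policy.json", DEFAULT_POLICY),
                        ("policy.v3cloudsample.json", V3CLOUDSAMPLE_POLICY)):
        print(name,
              "own domain:", can_create_project(rules, admin_token, "dom_a"),
              "default domain:", can_create_project(rules, admin_token, "default"))
```

With policy.json a domain admin's token creates projects in any domain, which is what Ravi first reported; with the v3cloudsample rule the same token is refused outside its own domain. A token with no roles (what Ravi saw before adding the domain scope) fails both rule sets, because admin_required never matches.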