Hi Folks,
I'm playing with IDv3 in Mitaka and it doesn't seem to work as I'd expect.
Hopefully I'm understanding the way domains work. The strategy is to
create a top level cloud_admin_dom and super user. Then create a default
domain and admin user and default project and admin user. Then create
another dom_0001 to test projects in a different domain.
The cloud_admin user works fine and appears to have privileges to do most
things. Now, when I use the default domain admin user or default domain
default project admin user, I either get authentication issues from
Keystone or the policy json isn't allowing the default domain admin (not in
a project) to do things like list projects or users. It appears folks have
used this a few different ways, and I'd appreciate insight from your experience.
As I understand it, the process (please correct me) is:
function get_id () {
echo `"$@" | grep ' id ' | awk '{print $4}'`
}
# Create admin role
admin_role_id=$(get_id openstack role create admin)
# Create Cloud Admin Domain
cloud_admin_dom_id=$(get_id openstack domain create \
--description "Cloud Admin Domain" cloud_admin_dom)
# Update policy for domain ID (redirect target must be on the same line as the pipeline)
sed -e "s/admin_domain_id/${cloud_admin_dom_id}/g" \
/etc/keystone/policy.v3cloudsample.json > /etc/keystone/policy.json
# Create admin user for cloud admin domain
cloud_admin_user_id=$(get_id openstack user create \
--password secrete \
--domain "${cloud_admin_dom_id}" \
--description "Cloud Admin Domain Admin" \
admin_cloud_admin_dom)
# Assign admin role to admin user
openstack role add --domain "${cloud_admin_dom_id}" \
--user "${cloud_admin_user_id}" \
"${admin_role_id}"
# Create default domain (for legacy services)
def_dom_id=$(get_id openstack domain create \
--description "Default Domain" default)
# Create admin user for default domain
def_user_id=$(get_id openstack user create \
--password secrete \
--domain "${def_dom_id}" \
--description "Default Domain Admin" \
admin_default_dom)
# Assign admin role to admin user
openstack role add --domain "${def_dom_id}" \
--user "${def_user_id}" \
--inherited \
"${admin_role_id}"
# Create default project in default domain (for legacy services);
# DEFAULT_PROJECT must already be set in the environment
project_id=$(get_id openstack project create "${DEFAULT_PROJECT}" \
--description "Default Project" --domain "${def_dom_id}" \
--enable)
# Create admin user for default project in default domain
user_id=$(get_id openstack user create admin_dom_default_proj_default \
--project "${project_id}" \
--password secrete \
--domain "${def_dom_id}")
# Assign admin role to admin user in default domain and default project
openstack role add --project "${project_id}" \
--user "${user_id}" \
--inherited \
"${admin_role_id}"
# Create service role
service_role_id=$(get_id openstack role create service)
# Create service project in default domain
project_id=$(get_id openstack project create service \
--description "Service Tenant" --domain "${def_dom_id}" --enable)
# Create service project admin in default domain
user_id=$(get_id openstack user create admin_default_dom_proj_service \
--project "${project_id}" \
--password secrete \
--domain "${def_dom_id}")
# Assign admin role to admin user in service project
openstack role add --project "${project_id}" \
--user "${user_id}" \
--inherited \
"${admin_role_id}"
# First other Domain - dom_0001
dom_id=$(get_id openstack domain create \
--description "Domain dom_0001" dom_0001)
# Create admin user for dom_0001
user_id=$(get_id openstack user create \
--password secrete \
--domain "${dom_id}" \
--description "dom_0001 Admin" \
admin_dom_0001)
# Assign admin role to admin_dom_0001 in domain dom_0001
openstack role add --domain "${dom_id}" \
--user "${user_id}" \
--user-domain "${dom_id}" \
--inherited \
"${admin_role_id}"
==
Also note, when adding:
#--project-domain "${cloud_admin_dom_id}" \
#--user-domain "${def_dom_id}" \
to openstack role add, I'm finding that OSC complains the user ID doesn't
exist in that specified domain, when OSC user list --log shows it does. Odd.
Thanks,
Nick
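The two failure modes described above (Keystone refusing a domain-scoped token, and policy.json rejecting a project-scoped one) both come down to how role assignments are scoped and how the v3cloudsample rules read a token's credentials. The following is an added model, not code from the mail or from Keystone: the assignments, project list and user names are constructed to mirror the script, the rule strings are the subset of policy.v3cloudsample.json that governs list_users/list_projects (check them against your own file), and `effective_roles` encodes the documented Keystone behaviour that an inherited domain assignment applies to the projects in that domain but not to the domain itself.

```python
"""Toy model of Keystone v3 token scoping and the domain-admin rules from
policy.v3cloudsample.json.  Added example, not code from the original mail
nor from Keystone; assignments, projects and users below are constructed.
"""
import re

# Constructed assignments, mirroring the mail's script:
# (user, target kind, target id, role, inherited?)
ASSIGNMENTS = [
    ("admin_cloud_admin_dom", "domain", "cloud_admin_dom", "admin", False),
    ("admin_default_dom", "domain", "default", "admin", True),  # --inherited
    ("admin_dom_0001", "domain", "dom_0001", "admin", False),
]
# Constructed project -> owning domain map.
PROJECTS = {"admin": "default", "service": "default", "proj_a": "dom_0001"}

# Rule subset modelled on policy.v3cloudsample.json after sed has replaced
# admin_domain_id (here with the literal name "cloud_admin_dom").
RULES = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:cloud_admin_dom",
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
    "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
}


def effective_roles(user, scope_kind, scope_id):
    """Roles a token scoped to (scope_kind, scope_id) would carry.

    Keystone semantics: a direct assignment applies only to its target; an
    inherited assignment on a domain applies to every project in that domain
    but NOT to the domain itself.
    """
    roles = set()
    for u, kind, target, role, inherited in ASSIGNMENTS:
        if u != user:
            continue
        direct_hit = kind == scope_kind and target == scope_id and not inherited
        inherited_hit = (kind == "domain" and inherited and scope_kind == "project"
                         and PROJECTS.get(scope_id) == target)
        if direct_hit or inherited_hit:
            roles.add(role)
    return roles


def issue_token(user, scope_kind, scope_id):
    """Policy credentials for a scoped token, or None when Keystone would
    refuse the scope because the user holds no role there."""
    roles = effective_roles(user, scope_kind, scope_id)
    if not roles:
        return None
    creds = {"roles": roles}
    if scope_kind == "domain":
        creds["domain_id"] = scope_id   # only domain-scoped tokens carry domain_id
    else:
        creds["project_id"] = scope_id
    return creds


def enforce(rule_name, creds, target):
    """Minimal evaluator for the 'a and b or c' syntax used in RULES
    ('and' binds tighter than 'or', no parentheses)."""
    return any(all(_atom(a.strip(), creds, target) for a in conj.split(" and "))
               for conj in RULES[rule_name].split(" or "))


def _atom(atom, creds, target):
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return enforce(value, creds, target)
    if kind == "role":
        return value in creds["roles"]
    sub = re.fullmatch(r"%\((\w+)\)s", value)   # %(domain_id)s -> target attribute
    expected = target.get(sub.group(1)) if sub else value
    actual = creds.get(kind)
    return actual is not None and expected is not None and actual == expected


def can_list_users(user, scope_kind, scope_id, target_domain):
    """'unauthorized' if no token can be issued, else the policy verdict."""
    creds = issue_token(user, scope_kind, scope_id)
    if creds is None:
        return "unauthorized"
    ok = enforce("identity:list_users", creds, {"domain_id": target_domain})
    return "allowed" if ok else "forbidden"


if __name__ == "__main__":
    for case in [("admin_cloud_admin_dom", "domain", "cloud_admin_dom", "dom_0001"),
                 ("admin_dom_0001", "domain", "dom_0001", "dom_0001"),
                 ("admin_dom_0001", "domain", "dom_0001", "default"),
                 ("admin_default_dom", "domain", "default", "default"),
                 ("admin_default_dom", "project", "admin", "default")]:
        print(case, "->", can_list_users(*case))
```

Running it reproduces the mail's symptoms: the cloud admin is allowed everywhere, the dom_0001 admin is allowed only against its own domain, the default-domain admin cannot obtain a domain-scoped token at all (its only assignment is inherited), and with a project-scoped token the credentials carry no domain_id, so neither cloud_admin nor admin_and_matching_domain_id matches. On a live Mitaka deployment the equivalent check is `openstack role assignment list --user <user> --effective`, which shows the scopes a user actually holds a role on.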
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev