Hi friends,

is there a way to define a domain admin and restrict this person to accessing only his own domain?

At the moment (Ocata release), if I:
- create a domain by 'openstack domain create devtest'
- create a user in the domain by 'openstack user create udevtest --domain devtest --password xxxxxx'
- create a project in the domain by 'openstack project create devmin --domain devtest'
- assign role 'admin' to the user on both the domain and the project:
  * openstack role add admin --user udevtest --domain devtest
  * openstack role add admin --project-domain devtest --project devmin --user udevtest

then, using the credentials of user 'udevtest':

OS_REGION_NAME=RegionOne
OS_DEFAULT_DOMAIN=devtest
OS_USER_DOMAIN_NAME=devtest
OS_PROJECT_DOMAIN_NAME=devtest
OS_PROJECT_NAME=devmin
OS_USERNAME=udevtest
OS_PASSWORD=xxxxxxxxx

OS_AUTH_STRATEGY=keystone
OS_IDENTITY_API_VERSION=3
OS_AUTH_URL=http://controller:5000/v3
OS_INTERFACE=internal

I'm able to get a list of all users and projects in the 'default' domain and, even more, add/delete users and projects in the 'default' domain.

In fact, user 'udevtest' has nothing to do with domain 'default', but is assigned the global role 'admin'. Probably that is the problem, because policy.json's rule 'admin_required' is just a check for 'role:admin', which is true. On the other hand, if I create a role 'admin' specific to domain 'devtest' and assign it to the user on both the domain and the project in the domain, then I get the error "User f1c1cd3438c24255a2baa85f326dfc40 (which is udevtest) has no access to project 1dbbaf2fb0bc4d5da270e48d4a92bc62 (which is devmin)", so it seems local roles don't matter.

Is the only way (I hope it's a legacy way :-) ) to change policy.json (as some pages on the Internet were suggesting), or am I doing something wrong?

Thank you!

--
Volodymyr Litovka
  "Vision without Execution is Hallucination." -- Thomas Edison

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack