[Openstack] Projects deals tricky job
Hi Folks,

Is it possible to create a project admin in OpenStack?

As we identified, whenever we created a project admin it will show the entire cloud (like: other users and all services, completely admin access), but I want to see the particular project users, admins and control all the services.

Guys, please help me with this part. I am really very confused.

Regards,
Venkatesh.k

___
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Re: [Openstack] Projects deals tricky job
I believe you are trying to accomplish the same configuration as I do, so I think domains are the answer. You can divide your cloud into different domains and grant admin rights to specific users, which are not authorized to see the other domains.

Although I'm still not sure if I did it correctly and it's not fully resolved yet, here is a thread I started a few days ago:

http://lists.openstack.org/pipermail/openstack/2016-June/016454.html

Regards,
Eugen

--
Eugen Block                             voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG      fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg                         e-mail : ebl...@nde.ag

Chairwoman of the Supervisory Board: Angelika Mozdzen
Registered office and court of registration: Hamburg, HRB 90934
Executive Board: Jens-U. Mozdzen
VAT ID no. DE 814 013 983
Re: [Openstack] Projects deals tricky job
That's HMT or 'reseller use case', you can implement something similar by using 'flat hierarchies', but by default, as you experienced, any admin, even if under a tenant, is an admin of the whole infrastructure.

Regards,
Pablo

--
Pablo Iranzo Gómez (pablo.ira...@redhat.com) GnuPG: 0x5BD8E1E4
Senior Technical Account Manager
RHC{A,SS,DS,VA,E,SA,SP,AOSP}, JBCAA #110-215-852
Re: [Openstack] Projects deals tricky job
We implemented something here at Symantec that sounds very similar to what you're both talking about. We have three levels of Admin - Cloud, Domain, and Project. If you're interested in checking it out, we actually presented on this topic in Austin.

The presentation: https://www.youtube.com/watch?v=v79kNddKbLc

All the referenced files can be found in our github here: https://github.com/Symantec/Openstack_RBAC

Specifically you may want to check out our keystone policy file that defines cloud_admin, domain_admin and project_admin: https://github.com/Symantec/Openstack_RBAC/blob/master/keystone/policy.json

Tim
Re: [Openstack] Projects deals tricky job
Thanks for the information, I'll definitely get to it. But right now I'm having some trouble with domain_id in the keystone_policy.json. I believe I'm also affected by this bug:

https://bugs.launchpad.net/python-openstackclient/+bug/1538804

I switched to the stable/liberty policy.v3cloudsample.json because the value for "token.is_admin_project:True or domain_id:admin_domain_id" led to errors in authentication. Using "rule:admin_required and domain_id:default" works if I use Horizon (I see the output in keystone.log), but it fails to authenticate while using CLI because for some reason "domain_id" is never read by the client.

As a workaround I changed the rule to

    "cloud_admin": "rule:admin_required and (domain_id:default or user_domain_id:default)"

that seems to work fine, and I already tried it with user_id instead of domain_id, but I can't predict the consequences. What is the recommendation here until the CLI client will be able to read domain_id?

Regards,
Eugen
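
Added example (not part of the thread, and not keystone's or oslo.policy's code): a simplified evaluator for the rule syntax quoted in the message above, showing which credentials each variant of the cloud_admin rule accepts. It assumes admin_required reduces to role:admin and that a project-scoped token carries no domain_id; all credentials are constructed.

```python
import re

# Rules quoted in the message; admin_required is reduced to a role check (assumption).
RULES = {
    "admin_required": "role:admin",
    "strict": "rule:admin_required and domain_id:default",
    "workaround": "rule:admin_required and (domain_id:default or user_domain_id:default)",
}

# Constructed credentials. Assumption: a project-scoped token carries no domain_id.
CREDS = {
    "cloud_admin_domain_scoped": {"roles": ["admin"], "domain_id": "default", "user_domain_id": "default"},
    "cloud_admin_project_scoped": {"roles": ["admin"], "project_id": "p-ops", "user_domain_id": "default"},
    "project_admin_in_default": {"roles": ["admin"], "project_id": "p-team", "user_domain_id": "default"},
    "admin_of_other_domain": {"roles": ["admin"], "domain_id": "d-cust", "user_domain_id": "d-cust"},
}

def evaluate(expr, creds, rules=RULES):
    """Evaluate and/or/parentheses over rule:, role: and key:value checks."""
    tokens, pos = re.findall(r"[()]|[^\s()]+", expr), 0

    def atom():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok == "(":
            val = either()
            pos += 1  # consume ")"
            return val
        kind, _, match = tok.partition(":")
        if kind == "rule":
            return evaluate(rules[match], creds, rules)
        if kind == "role":
            return match in creds.get("roles", [])
        return creds.get(kind) == match  # a key absent from the token never matches

    def chain(operand, word, combine):
        nonlocal pos
        val = operand()
        while pos < len(tokens) and tokens[pos] == word:
            pos += 1
            val = combine(val, operand())
        return val

    def both():
        return chain(atom, "and", lambda a, b: a and b)

    def either():
        return chain(both, "or", lambda a, b: a or b)

    return either()

def decisions(rule_name):
    """Map each constructed credential to the rule's allow/deny result."""
    return {name: evaluate(RULES[rule_name], c) for name, c in CREDS.items()}
```

Under these assumptions the workaround rule also accepts a project-scoped token of any default-domain user who holds the admin role on some project, which is the consequence to weigh before adopting it.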