Re: [openstack-dev] Kilo v3 identity problems

2015-06-03 Thread Rich Megginson

On 06/03/2015 10:29 AM, Amy Zhang wrote:

> Hi guys,
>
> I have installed Kilo and am trying to use identity v3. I am using the v3
> policy file. I changed the domain_id for cloud admin to "default". As cloud
> admin, I tried "openstack domain list" and got the error message
> saying that I was not authorized.
>
> The part I changed in policy.json:
>
> "cloud_admin": "rule:admin_required and domain_id:default",
>
> The error I got from "openstack domain list":
>
> ERROR: openstack You are not authorized to perform the requested
> action: identity:create_domain (Disable debug mode to suppress these
> details.) (HTTP 403) (Request-ID:
> req-2f42b1da-9933-4494-9b39-c1664d154377)
>
> Has anyone tried identity v3 in Kilo? Did you have this problem? Any
> suggestions?

Can you paste your policy file somewhere?  Did you restart the keystone
service after changing your policy?  Can you provide your exact
openstack command line arguments and/or the rc file you sourced into
your shell environment before running openstack?

> Thanks
> Amy
> --
> Best regards,
> Amy (Yun Zhang)


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




Re: [openstack-dev] Kilo v3 identity problems

2015-06-03 Thread Lin Hua Cheng
The command requires a domain scoped token.

Did you set the environment variable so that OSC uses a domain scoped
token? This can be done by providing OS_DOMAIN_NAME instead of
OS_PROJECT_NAME.

-Lin

On Wed, Jun 3, 2015 at 9:29 AM, Amy Zhang  wrote:

> Hi guys,
>
> I have installed Kilo and am trying to use identity v3. I am using the v3
> policy file. I changed the domain_id for cloud admin to "default". As cloud
> admin, I tried "openstack domain list" and got the error message saying that
> I was not authorized.
>
> The part I changed in policy.json:
>
> "cloud_admin": "rule:admin_required and domain_id:default",
>
>
> The error I got from "openstack domain list":
>
> ERROR: openstack You are not authorized to perform the requested action:
> identity:create_domain (Disable debug mode to suppress these details.)
> (HTTP 403) (Request-ID: req-2f42b1da-9933-4494-9b39-c1664d154377)
>
> Has anyone tried identity v3 in Kilo? Did you have this problem? Any
> suggestions?
>
> Thanks
> Amy
> --
> Best regards,
> Amy (Yun Zhang)


Re: [openstack-dev] Kilo v3 identity problems

2015-06-03 Thread Dolph Mathews
I assume that by "v3 policy file" you're specifically referring to:


https://github.com/openstack/keystone/blob/f6c01dd1673b290578e9fff063e27104412ffeda/etc/policy.v3cloudsample.json

Which essentially illustrates enforcement of a much more powerful
authorization model than most deployers are familiar with today. You'll
need to create and consume a domain-based role assignment, for example (do
you have a role assigned to your user on the "default" domain? Are you
accessing "openstack domain list" with a domain-scoped token?).

Unless you're ready to experiment with that new policy model, the default
policy file is also designed for v3 and its behavior is probably what
you're expecting:


https://github.com/openstack/keystone/blob/f6c01dd1673b290578e9fff063e27104412ffeda/etc/policy.json

Perhaps "policy.v3cloudsample.json" is poorly named if it implies that it's
somehow a pre-requisite to getting started with the v3 API?

On Wed, Jun 3, 2015 at 11:29 AM, Amy Zhang  wrote:

> Hi guys,
>
> I have installed Kilo and am trying to use identity v3. I am using the v3
> policy file. I changed the domain_id for cloud admin to "default". As cloud
> admin, I tried "openstack domain list" and got the error message saying that
> I was not authorized.
>
> The part I changed in policy.json:
>
> "cloud_admin": "rule:admin_required and domain_id:default",
>
>
> The error I got from "openstack domain list":
>
> ERROR: openstack You are not authorized to perform the requested action:
> identity:create_domain (Disable debug mode to suppress these details.)
> (HTTP 403) (Request-ID: req-2f42b1da-9933-4494-9b39-c1664d154377)
>
> Has anyone tried identity v3 in Kilo? Did you have this problem? Any
> suggestions?
>
> Thanks
> Amy
> --
> Best regards,
> Amy (Yun Zhang)
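
Added example, not part of the thread and not keystone or oslo.policy code: a simplified model of why the "cloud_admin" rule quoted above needs both an admin role on the domain and a domain-scoped token (the OS_DOMAIN_NAME point in the earlier reply). It assumes "admin_required" is "role:admin" and that credentials carry domain_id only for domain-scoped tokens; the token bodies are constructed.

```python
# Simplified model of policy enforcement; not keystone or oslo.policy code.
RULES = {
    "admin_required": "role:admin",  # ASSUMED definition, not shown in the thread
    "cloud_admin": "rule:admin_required and domain_id:default",  # from the thread
}

def credentials(token):
    """Flatten a v3 token body into the attributes policy rules are matched on.
    Assumption: domain_id is present only when the token is domain-scoped."""
    creds = {"user_id": token["user"]["id"],
             "roles": [r["name"] for r in token.get("roles", [])]}
    if "domain" in token:
        creds["domain_id"] = token["domain"]["id"]
    elif "project" in token:
        creds["project_id"] = token["project"]["id"]
    return creds

def _check_one(term, creds, rules):
    kind, _, match = term.partition(":")
    if kind == "rule":   # reference to another named rule
        return check(rules[match], creds, rules)
    if kind == "role":   # role name must be among the token's roles
        return match.lower() in (r.lower() for r in creds["roles"])
    # Generic check: attribute must exist in the credentials and equal the literal.
    return kind in creds and str(creds[kind]) == match

def check(expr, creds, rules=RULES):
    """Evaluate 'a and b or c' expressions (no parentheses, no 'not')."""
    return any(all(_check_one(t.strip(), creds, rules) for t in clause.split(" and "))
               for clause in expr.split(" or "))

def is_cloud_admin(token):
    return check("rule:cloud_admin", credentials(token))

# Constructed token bodies (only the fields the model reads).
ADMIN = [{"name": "admin"}]
PROJECT_SCOPED = {"user": {"id": "u1"}, "roles": ADMIN,
                  "project": {"id": "p1", "domain": {"id": "default"}}}
DOMAIN_SCOPED = {"user": {"id": "u1"}, "roles": ADMIN, "domain": {"id": "default"}}
DOMAIN_NO_ROLE = {"user": {"id": "u1"}, "roles": [], "domain": {"id": "default"}}
OTHER_DOMAIN = {"user": {"id": "u1"}, "roles": ADMIN, "domain": {"id": "d2"}}

if __name__ == "__main__":
    for name in ("PROJECT_SCOPED", "DOMAIN_SCOPED", "DOMAIN_NO_ROLE", "OTHER_DOMAIN"):
        print(f"{name:15} cloud_admin={is_cloud_admin(globals()[name])}")
```

In this model only the domain-scoped token with the admin role satisfies the rule; the project-scoped token fails even though its project belongs to the "default" domain.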


Re: [openstack-dev] Kilo v3 identity problems

2015-06-03 Thread Steve Martinelli
Dolph Mathews  wrote on 06/03/2015 02:16:55 PM:

> From: Dolph Mathews 
> To: "OpenStack Development Mailing List (not for usage questions)" 
> 
> Date: 06/03/2015 02:17 PM
> Subject: Re: [openstack-dev] Kilo v3 identity problems
> 
> I assume that by "v3 policy file" you're specifically referring to:
> 
> https://github.com/openstack/keystone/blob/f6c01dd1673b290578e9fff063e27104412ffeda/etc/policy.v3cloudsample.json
> 
> Which essentially illustrates enforcement of a much more powerful 
> authorization model than most deployers are familiar with today. 
> You'll need to create and consume a domain-based role assignment, 
> for example (do you have a role assigned to your user on the 
> "default" domain? Are you accessing "openstack domain list" with a 
> domain-scoped token?).
> 
> Unless you're ready to experiment with that new policy model, the 
> default policy file is also designed for v3 and its behavior is 
> probably what you're expecting:
> 
> https://github.com/openstack/keystone/blob/f6c01dd1673b290578e9fff063e27104412ffeda/etc/policy.json
> 
> Perhaps "policy.v3cloudsample.json" is poorly named if it implies 
> that it's somehow a pre-requisite to getting started with the v3 API?

++ I think so, I've had to field many questions and comments about folks
using this file when they really just need the "usual" one.

Steve Martinelli
OpenStack Keystone Core


Re: [openstack-dev] Kilo v3 identity problems

2015-06-05 Thread Amy Zhang
> I assume that by "v3 policy file" you're specifically referring to:
>
>
> https://github.com/openstack/keystone/blob/f6c01dd1673b290578e9fff063e27104412ffeda/etc/policy.v3cloudsample.json
>
> Which essentially illustrates enforcement of a much more powerful
> authorization model than most deployers are familiar with today. You'll
> need to create and consume a domain-based role assignment, for example (do
> you have a role assigned to your user on the "default" domain? Are you
> accessing "openstack domain list" with a domain-scoped token?).
>
> Unless you're ready to experiment with that new policy model, the default
> policy file is also designed for v3 and its behavior is probably what
> you're expecting:
>
>
> https://github.com/openstack/keystone/blob/f6c01dd1673b290578e9fff063e27104412ffeda/etc/policy.json
>
> Perhaps "policy.v3cloudsample.json" is poorly named if it implies that
> it's somehow a pre-requisite to getting started with the v3 API?
>
> --
> From: *Steve Martinelli* 
> Date: Wed, Jun 3, 2015 at 2:20 PM
> To: "OpenStack Development Mailing List (not for usage questions)" <
> openstack-dev@lists.openstack.org>
>
>
> Dolph Mathews  wrote on 06/03/2015 02:16:55 PM:
>
> > From: Dolph Mathews 
> > To: "OpenStack Development Mailing List (not for usage questions)"
> > 
> > Date: 06/03/2015 02:17 PM
> > Subject: Re: [openstack-dev] Kilo v3 identity problems
> >
> > I assume that by "v3 policy file" you're specifically referring to:
> >
> > https://github.com/openstack/keystone/blob/f6c01dd1673b290578e9fff063e27104412ffeda/etc/policy.v3cloudsample.json
> >
> > Which essentially illustrates enforcement of a much more powerful
> > authorization model than most deployers are familiar with today.
> > You'll need to create and consume a domain-based role assignment,
> > for example (do you have a role assigned to your user on the
> > "default" domain? Are you accessing "openstack domain list" with a
> > domain-scoped token?).
> >
> > Unless you're ready to experiment with that new policy model, the
> > default policy file is also designed for v3 and its behavior is
> > probably what you're expecting:
> >
> > https://github.com/openstack/keystone/blob/f6c01dd1673b290578e9fff063e27104412ffeda/etc/policy.json
> >
> > Perhaps "policy.v3cloudsample.json" is poorly named if it implies
> > that it's somehow a pre-requisite to getting started with the v3 API?
>
> ++ I think so, I've had to field many questions and comments about folks
> using this file when they really just need the "usual" one.
>
> Steve Martinelli
> OpenStack Keystone Core


-- 
Best regards,
Amy (Yun Zhang)