Re: [Openstack] [Keystone] List group members with policy.v3cloudsample.json

2016-08-08 Thread
the > right credentials for (user)domain scope? I had my share with them a > couple of times... > > > Quote from 林自均: > > > Hi Eugen, > > > > I have no problem with the cloud admin, so I guess your workaround > doesn't > > work for me. What dis

Re: [Openstack] [Keystone] List group members with policy.v3cloudsample.json

2016-08-04 Thread
min": "rule:admin_required and (domain_id:default or > user_domain_id:default)", > ---cut here--- > > And I added it as an OR statement as a workaround to keep the original > statement. Hope this helps! > > Regards, > Eugen > > [1] http://lists.openstack.o

[Openstack] [Keystone] List group members with policy.v3cloudsample.json

2016-08-03 Thread
Hi all, My OpenStack version is Mitaka. I updated my /etc/keystone/policy.json to policy.v3cloudsample.json. Most functions work as expected. However, when I wanted to list members in a group as a domain admin, an

Re: [Openstack] [Keystone] Why not OAuth 2.0 provider?

2016-06-28 Thread
keystone, we have trusts and oauth1.0; > should an enticing use case arise to include another, then we can revisit > the discussion. > > [1] https://hueniverse.com/2012/07/26/oauth-2-0-and-the-road-to-hell/ > [2] https://en.wikipedia.org/wiki/List_of_OAuth_providers > > On Mon,

[Openstack] [Keystone] Why not OAuth 2.0 provider?

2016-06-27 Thread
Hi all, When I was searching for an OAuth provider in Keystone, I found only OAuth 1.0. I am a little bit curious about the decision of 1.0 over 2.0. I failed to see the reason in the documentation and thi

Re: [Openstack] [Keystone] Source IP address in tokens

2016-06-27 Thread
more widely used. What’s the > best approach for Keystone, however, is not going to be simple to pin down. > > > > --Craig > > > > *From:* Morgan Fainberg [mailto:morgan.fainb...@gmail.com] > *Sent:* Sunday, June 26, 2016 11:11 PM > *To:* 林自均 > *Cc:* opensta

Re: [Openstack] [Keystone] Source IP address in tokens

2016-06-27 Thread
and passwords too often. Let's say if I want to provide a "Remember me for 30 days" checkbox, is there a better way other than setting the life span of tokens to 30 days? John On Mon, Jun 27, 2016 at 2:11 PM, Morgan Fainberg wrote: > > On Jun 26, 2016 19:39, "林自均" wrote: > >

[Openstack] [Keystone] Source IP address in tokens

2016-06-26 Thread
Hi all, I have the following scenario: 1. On client machine A, a user obtains an auth token with a username and password. 2. The user can use the auth token to do operations on client machine A. 3. A thief steals the auth token, and does operations on client machine B. Can Keystone check the auth