On Tue, Dec 10, 2013 at 10:49 PM, Jamie Lennox <[email protected]> wrote:
> Using the default policies it will simply check for the admin role and not
> care about the domain that admin is limited to. This is partially a leftover
> from the V2 API when there weren't domains to worry about.
>
> A better example of policies is in the file
> etc/policy.v3cloudsample.json. In there you will see the rule for
> create_project is:
>
> "identity:create_project": "rule:admin_required and domain_id:%(project.domain_id)s",
>
> as opposed to (in policy.json):
>
> "identity:create_project": "rule:admin_required",
>
> This is what you are looking for to scope the admin role to a domain.
>
> We need to start moving the rules from policy.v3cloudsample.json to the
> default policy.json =)
>
> Jamie
>
> ----- Original Message -----
> > From: "Ravi Chunduru" <[email protected]>
> > To: "OpenStack Development Mailing List" <[email protected]>
> > Sent: Wednesday, 11 December, 2013 11:23:15 AM
> > Subject: [openstack-dev] [keystone] domain admin role query
> >
> > Hi,
> > I am trying out Keystone V3 APIs and domains.
> > I created a domain, created a project in that domain, created a user in
> > that domain and project.
> > Next, gave an admin role for that user in that domain.
> >
> > I am assuming that user is now admin to that domain.
> > Now, I got a scoped token with that user, domain and project. With that
> > token, I tried to create a new project in that domain. It worked.
> >
> > But, using the same token, I could also create a new project in a 'default'
> > domain too. I expected it should throw authentication error. Is it a bug?
> >
> > Thanks,
> > --
> > Ravi
> >
> > _______________________________________________
> > OpenStack-dev mailing list
> > [email protected]
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--

-Dolph
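The difference between the two create_project rules quoted in the thread, as an added example that is not part of the original messages and is not Keystone or oslo.policy code. The evaluator, the names `enforce` and `can_create_project`, the sample credentials, and the simplified `admin_required` definition (`role:admin`) are all assumptions made for illustration.

```python
# Added example: a tiny evaluator for the two create_project rules quoted above.
# NOT oslo.policy / Keystone code. It handles only "rule:", "role:",
# "<cred_key>:%(<target.key>)s", "and" and "or" (no parentheses, no "not").

RULES_DEFAULT = {
    "admin_required": "role:admin",  # assumption: simplified definition
    "identity:create_project": "rule:admin_required",
}
RULES_CLOUDSAMPLE = {
    "admin_required": "role:admin",  # assumption: simplified definition
    "identity:create_project":
        "rule:admin_required and domain_id:%(project.domain_id)s",
}

# Constructed sample: a user holding the admin role on domain "dom-a" only.
DOMAIN_A_ADMIN = {"user_id": "u1", "roles": ["admin"], "domain_id": "dom-a"}


def _check(atom, rules, creds, target):
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return enforce(rules, match, creds, target)
    if kind == "role":
        return match in creds.get("roles", [])
    # Generic check: credential attribute must equal the substituted target value.
    try:
        expected = match % target
    except KeyError:
        return False  # target lacks the referenced attribute: fail closed
    return kind in creds and str(creds[kind]) == expected


def enforce(rules, name, creds, target):
    """Return True if `creds` may perform action `name` on `target`."""
    if name not in rules:
        return False  # unknown rule: fail closed
    # "or" binds looser than "and", so split on it first.
    return any(
        all(_check(a, rules, creds, target) for a in clause.split(" and "))
        for clause in rules[name].split(" or ")
    )


def can_create_project(rules, creds, project_domain):
    target = {"project.domain_id": project_domain}
    return enforce(rules, "identity:create_project", creds, target)
```

With the `policy.json` rule the constructed admin is allowed in both `dom-a` and `default`; with the `policy.v3cloudsample.json` rule only `dom-a` passes, and credentials that carry no `domain_id` at all fail the check.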
