+1 on moving the domain admin role rules to the default policy.json -David Lyle
From: Dolph Mathews [mailto:[email protected]]
Sent: Wednesday, December 11, 2013 9:04 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [keystone] domain admin role query

On Tue, Dec 10, 2013 at 10:49 PM, Jamie Lennox <[email protected]> wrote:

Using the default policies it will simply check for the admin role and not care about the domain that admin is limited to. This is partially a leftover from the V2 API, when there weren't domains to worry about.

A better example of policies is in the file etc/policy.v3cloudsample.json. In there you will see the rule for create_project is:

    "identity:create_project": "rule:admin_required and domain_id:%(project.domain_id)s",

as opposed to (in policy.json):

    "identity:create_project": "rule:admin_required",

This is what you are looking for to scope the admin role to a domain.

We need to start moving the rules from policy.v3cloudsample.json to the default policy.json =)

Jamie

----- Original Message -----
> From: "Ravi Chunduru" <[email protected]>
> To: "OpenStack Development Mailing List" <[email protected]>
> Sent: Wednesday, 11 December, 2013 11:23:15 AM
> Subject: [openstack-dev] [keystone] domain admin role query
>
> Hi,
> I am trying out Keystone V3 APIs and domains.
> I created a domain, created a project in that domain, created a user in
> that domain and project.
> Next, gave an admin role for that user in that domain.
>
> I am assuming that user is now admin to that domain.
> Now, I got a scoped token with that user, domain and project. With that
> token, I tried to create a new project in that domain. It worked.
>
> But, using the same token, I could also create a new project in a 'default'
> domain too. I expected it should throw an authentication error. Is it a bug?
>
> Thanks,
> --
> Ravi
>
> _______________________________________________
> OpenStack-dev mailing list
> [email protected]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
-Dolph
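To make the difference between the two create_project rules concrete, here is a small Python evaluator for just the subset of the policy language those two lines use ("rule:", "role:", "key:%(target.path)s", joined by "and"/"or"), run against the scenario Ravi describes. This is an added example, not keystone's or oslo.policy's own code; the definition of admin_required as "role:admin", the policy excerpts, and the shape of the credentials and target dictionaries (the token's domain_id on the credentials side, project.domain_id on the target side) are assumptions of the example.

```python
"""Toy evaluator for the subset of the Keystone policy language used in the
thread.  Added example, not keystone or oslo.policy code."""
import re

# Constructed policy excerpts.  Only the two identity:create_project lines are
# quoted in the thread; admin_required = "role:admin" is an assumption.
POLICY_JSON = {
    "admin_required": "role:admin",
    "identity:create_project": "rule:admin_required",
}
POLICY_V3CLOUDSAMPLE = {
    "admin_required": "role:admin",
    "identity:create_project":
        "rule:admin_required and domain_id:%(project.domain_id)s",
}

# "<cred_key>:%(<target.path>)s"  e.g. domain_id:%(project.domain_id)s
_GENERIC = re.compile(r"^(?P<key>[\w.]+):%\((?P<path>[\w.]+)\)s$")


def _lookup(target, path):
    """Resolve a dotted path such as 'project.domain_id' in a nested target
    dict (keystone flattens the target to dotted keys instead; same effect)."""
    cur = target
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _check(expr, rules, creds, target):
    expr = expr.strip()
    if expr.startswith("rule:"):            # reference to another named rule
        return enforce(rules, expr[5:], creds, target)
    if expr.startswith("role:"):            # role carried by the token
        return expr[5:] in creds.get("roles", ())
    m = _GENERIC.match(expr)
    if m:                                   # generic check: creds[key] == target[path]
        have = creds.get(m.group("key"))
        want = _lookup(target, m.group("path"))
        return have is not None and want is not None and str(have) == str(want)
    raise ValueError("unsupported check: %r" % expr)


def enforce(rules, action, creds, target):
    """True if `action` is allowed.  Unknown rule -> deny (the real enforcer
    falls back to a configured default rule; this example has none).
    'or' binds looser than 'and', as in the policy language."""
    rule = rules.get(action)
    if rule is None:
        return False
    if rule == "":                          # empty rule: always allowed
        return True
    return any(all(_check(c, rules, creds, target) for c in conj.split(" and "))
               for conj in rule.split(" or "))


def ravi_scenario(rules):
    """Ravi's two requests with one admin token scoped to his own domain.
    Returns (allowed_in_own_domain, allowed_in_default_domain)."""
    # Assumed shapes: creds carry the scoping domain_id and the role names;
    # the target carries the domain of the project about to be created.
    creds = {"user_id": "ravi", "domain_id": "ravi_dom", "roles": ["admin"]}
    own = {"project": {"name": "p1", "domain_id": "ravi_dom"}}
    other = {"project": {"name": "p2", "domain_id": "default"}}
    return (enforce(rules, "identity:create_project", creds, own),
            enforce(rules, "identity:create_project", creds, other))


if __name__ == "__main__":
    print("policy.json:          ", ravi_scenario(POLICY_JSON))
    print("policy.v3cloudsample: ", ravi_scenario(POLICY_V3CLOUDSAMPLE))
```

With the default policy.json rule both requests pass, which is exactly what Ravi saw; with the v3cloudsample rule the second one is refused because the token's domain_id does not match the target project's domain_id. Note that the domain check only has something to compare when the credentials actually carry a domain_id: a credentials dict without one is denied by this evaluator rather than silently let through, and a target with no project.domain_id is denied as well.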
