Hi

So the idea wasn't that you create a domain with the id of 'domain_admin_id', rather that you create the domain that you plan to use for your admin domain, and then paste its (auto-generated) domain_id into the policy file.
Henry

On 12 Dec 2013, at 03:11, Paul Belanger <[email protected]> wrote:

> On 13-12-11 11:18 AM, Lyle, David wrote:
>> +1 on moving the domain admin role rules to the default policy.json
>>
>> -David Lyle
>>
>> From: Dolph Mathews [mailto:[email protected]]
>> Sent: Wednesday, December 11, 2013 9:04 AM
>> To: OpenStack Development Mailing List (not for usage questions)
>> Subject: Re: [openstack-dev] [keystone] domain admin role query
>>
>>
>> On Tue, Dec 10, 2013 at 10:49 PM, Jamie Lennox <[email protected]>
>> wrote:
>> Using the default policies it will simply check for the admin role and not
>> care about the domain that admin is limited to. This is partially a left
>> over from the V2 API when there weren't domains to worry about.
>>
>> A better example of policies is in the file etc/policy.v3cloudsample.json.
>> In there you will see the rule for create_project is:
>>
>> "identity:create_project": "rule:admin_required and
>> domain_id:%(project.domain_id)s",
>>
>> as opposed to (in policy.json):
>>
>> "identity:create_project": "rule:admin_required",
>>
>> This is what you are looking for to scope the admin role to a domain.
>>
>> We need to start moving the rules from policy.v3cloudsample.json to the
>> default policy.json =)
>>
>>
>> Jamie
>>
>> ----- Original Message -----
>>> From: "Ravi Chunduru" <[email protected]>
>>> To: "OpenStack Development Mailing List" <[email protected]>
>>> Sent: Wednesday, 11 December, 2013 11:23:15 AM
>>> Subject: [openstack-dev] [keystone] domain admin role query
>>>
>>> Hi,
>>> I am trying out Keystone V3 APIs and domains.
>>> I created a domain, created a project in that domain, created a user in
>>> that domain and project.
>>> Next, gave an admin role for that user in that domain.
>>>
>>> I am assuming that user is now admin to that domain.
>>> Now, I got a scoped token with that user, domain and project. With that
>>> token, I tried to create a new project in that domain. It worked.
>>>
>>> But, using the same token, I could also create a new project in the 'default'
>>> domain too. I expected it should throw an authentication error. Is it a bug?
>>>
>>> Thanks,
>>> --
>>> Ravi
>>>
>
> One of the issues I had this week while using the policy.v3cloudsample.json
> was I had no easy way of creating a domain with the id of 'admin_domain_id'.
> I basically had to modify the SQL directly to do it.
>
> Any chance we can create a 2nd domain using 'admin_domain_id' via
> keystone-manage sync_db?
>
> --
> Paul Belanger | PolyBeacon, Inc.
> Jabber: [email protected] | IRC: pabelanger (Freenode)
> Github: https://github.com/pabelanger | Twitter:
> https://twitter.com/pabelanger
>
> _______________________________________________
> OpenStack-dev mailing list
> [email protected]
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
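The thread above turns on two policy rules and one placeholder id. The following is an added example, not Keystone's code and not anything posted in the thread: a reduced evaluator for the "rule:", "role:", "attr:literal" and "attr:%(target.path)s" atoms joined by "and", which is enough to reproduce what Ravi saw (the default create_project rule ignores the token's domain, the v3cloudsample rule ties it to the target project's domain), Paul's problem (a literal 'admin_domain_id' in the file only matches a domain with exactly that id) and Henry's fix (replace the placeholder with the real, auto-generated id). The credential dict mirroring a domain-scoped token, the target layout `{"project": {...}}`, the ids and the exact text of the `cloud_admin` rule are assumptions; only the two create_project rules are quoted from the thread, so check the `cloud_admin` line against your own copy of policy.v3cloudsample.json.

```python
"""Added example: a cut-down, oslo.policy-style rule evaluator used to show
why a domain-scoped admin passes the default policy.json rule for any domain
but only its own domain under the policy.v3cloudsample.json rule.
Not Keystone code; grammar is reduced to 'and' plus four atom kinds."""
import copy
import re

# Constructed policy fragments. The two create_project rules are the ones
# quoted in the thread; the cloud_admin rule is an ASSUMPTION modelled on
# the shape of policy.v3cloudsample.json (verify against your copy).
DEFAULT_POLICY = {
    "admin_required": "role:admin",
    "identity:create_project": "rule:admin_required",
}

V3CLOUDSAMPLE_POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "identity:create_project": (
        "rule:admin_required and domain_id:%(project.domain_id)s"
    ),
}


def _lookup(target, dotted):
    """Resolve a dotted path such as 'project.domain_id' in the target dict."""
    cur = target
    for part in dotted.split("."):
        cur = cur[part]
    return cur


def _check_atom(atom, policy, creds, target):
    """Evaluate one 'kind:value' atom against credentials and target."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return enforce(policy, value, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    # Generic check: compare creds[kind] with either a literal value or a
    # value interpolated from the target, e.g. '%(project.domain_id)s'.
    m = re.fullmatch(r"%\((.+)\)s", value)
    expected = _lookup(target, m.group(1)) if m else value
    return str(creds.get(kind)) == str(expected)


def enforce(policy, rule_name, creds, target):
    """True iff every 'and'-joined atom of the named rule passes."""
    atoms = [a.strip() for a in policy[rule_name].split(" and ")]
    return all(_check_atom(a, policy, creds, target) for a in atoms)


def domain_admin_can_create(policy, token_domain_id, project_domain_id):
    """Ravi's experiment: a user holding 'admin' on token_domain_id tries to
    create a project whose domain_id is project_domain_id.
    ASSUMPTION: creds carry the token's scope as 'domain_id' and the target
    is the request body under the 'project' key, as the rule text implies."""
    creds = {"roles": ["admin"], "domain_id": token_domain_id}
    target = {"project": {"name": "p", "domain_id": project_domain_id}}
    return enforce(policy, "identity:create_project", creds, target)


def bind_admin_domain(policy, real_admin_domain_id):
    """Henry's suggestion: leave the domain's auto-generated id alone and
    paste it into the policy in place of the 'admin_domain_id' placeholder."""
    bound = copy.deepcopy(policy)
    for name, expr in bound.items():
        bound[name] = expr.replace("domain_id:admin_domain_id",
                                   "domain_id:" + real_admin_domain_id)
    return bound


if __name__ == "__main__":
    # Constructed domain ids (Keystone generates 32-hex-char uuids).
    print(domain_admin_can_create(DEFAULT_POLICY, "d1", "d1"))             # True
    print(domain_admin_can_create(DEFAULT_POLICY, "d1", "default"))        # True  (Ravi's surprise)
    print(domain_admin_can_create(V3CLOUDSAMPLE_POLICY, "d1", "d1"))       # True
    print(domain_admin_can_create(V3CLOUDSAMPLE_POLICY, "d1", "default"))  # False
    admin_dom = "1f4d0a2b3c4e5f60718293a4b5c6d7e8"
    creds = {"roles": ["admin"], "domain_id": admin_dom}
    print(enforce(V3CLOUDSAMPLE_POLICY, "cloud_admin", creds, {}))         # False (placeholder unmatched)
    print(enforce(bind_admin_domain(V3CLOUDSAMPLE_POLICY, admin_dom),
                  "cloud_admin", creds, {}))                               # True
```

The last two calls are the Paul/Henry half of the thread: with the placeholder left in the file, only a domain literally named 'admin_domain_id' can ever satisfy `cloud_admin` (hence the SQL edit), whereas rewriting the rule to the real id needs no database surgery. The same substitution can be done on the JSON file itself once you know the id of the domain you created.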
