On Wed, Dec 18, 2013 at 12:48 PM, Ravi Chunduru <ravi...@gmail.com> wrote:
> Thanks all for the information.
> I have now v3 policies in place; the issue is that as a domain admin I could not create a project in the domain. I get a 403 unauthorized status.
>
> I see that when, as a 'domain admin', I request a token, the response did not have any roles. In the token request, I couldn't specify the project, as we are about to create the project in the next step.

Specify a domain as the "scope" to obtain domain-level authorization in the resulting token. See the third example under Scope: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#scope-scope

> Here is the complete request/response of all the steps done.
> https://gist.github.com/kumarcv/8015275
>
> I am assuming it's a bug. Please let me know your opinions.
>
> Thanks,
> -Ravi.
>
> On Thu, Dec 12, 2013 at 3:00 PM, Henry Nash <hen...@linux.vnet.ibm.com> wrote:
>
>> Hi
>>
>> So the idea wasn't that you create a domain with the id of 'domain_admin_id', rather that you create the domain that you plan to use for your admin domain, and then paste its (auto-generated) domain_id into the policy file.
>>
>> Henry
>>
>> On 12 Dec 2013, at 03:11, Paul Belanger <paul.belan...@polybeacon.com> wrote:
>>
>>> On 13-12-11 11:18 AM, Lyle, David wrote:
>>>> +1 on moving the domain admin role rules to the default policy.json
>>>>
>>>> -David Lyle
>>>>
>>>> From: Dolph Mathews [mailto:dolph.math...@gmail.com]
>>>> Sent: Wednesday, December 11, 2013 9:04 AM
>>>> To: OpenStack Development Mailing List (not for usage questions)
>>>> Subject: Re: [openstack-dev] [keystone] domain admin role query
>>>>
>>>> On Tue, Dec 10, 2013 at 10:49 PM, Jamie Lennox <jamielen...@redhat.com> wrote:
>>>>
>>>> Using the default policies it will simply check for the admin role and not care about the domain that admin is limited to. This is partially a left over from the V2 api when there weren't domains to worry about.
>>>>
>>>> A better example of policies is in the file etc/policy.v3cloudsample.json. In there you will see the rule for create_project is:
>>>>
>>>> "identity:create_project": "rule:admin_required and domain_id:%(project.domain_id)s",
>>>>
>>>> as opposed to (in policy.json):
>>>>
>>>> "identity:create_project": "rule:admin_required",
>>>>
>>>> This is what you are looking for to scope the admin role to a domain.
>>>>
>>>> We need to start moving the rules from policy.v3cloudsample.json to the default policy.json =)
>>>>
>>>> Jamie
>>>>
>>>> ----- Original Message -----
>>>>> From: "Ravi Chunduru" <ravi...@gmail.com>
>>>>> To: "OpenStack Development Mailing List" <openstack-dev@lists.openstack.org>
>>>>> Sent: Wednesday, 11 December, 2013 11:23:15 AM
>>>>> Subject: [openstack-dev] [keystone] domain admin role query
>>>>>
>>>>> Hi,
>>>>> I am trying out Keystone V3 APIs and domains.
>>>>> I created a domain, created a project in that domain, created a user in that domain and project.
>>>>> Next, gave an admin role for that user in that domain.
>>>>>
>>>>> I am assuming that user is now admin to that domain.
>>>>> Now, I got a scoped token with that user, domain and project. With that token, I tried to create a new project in that domain. It worked.
>>>>>
>>>>> But, using the same token, I could also create a new project in a 'default' domain too. I expected it should throw an authentication error. Is it a bug?
>>>>>
>>>>> Thanks,
>>>>> --
>>>>> Ravi
>>>
>>> One of the issues I had this week while using the policy.v3cloudsample.json was I had no easy way of creating a domain with the id of 'admin_domain_id'. I basically had to modify the SQL directly to do it.
>>>
>>> Any chance we can create a 2nd domain using 'admin_domain_id' via keystone-manage sync_db?
>>>
>>> --
>>> Paul Belanger | PolyBeacon, Inc.
>>> Jabber: paul.belan...@polybeacon.com | IRC: pabelanger (Freenode)
>>> Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger
>
> --
> Ravi

--
-Dolph
_______________________________________________ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
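As an added example (not code from the thread or from Keystone itself), the following Python re-implements just enough of the policy rule semantics discussed in the thread to show why the policy.v3cloudsample.json rule confines a domain admin to their own domain while the default policy.json rule does not. The expansion of "admin_required" to "role:admin", the shape of the credentials and target dicts, and the dot-flattening of the target are assumptions made for this example.

```python
# Rule sets as quoted in the thread; expanding "admin_required" to
# "role:admin" is an assumption made for this example.
DEFAULT_POLICY = {
    "admin_required": "role:admin",
    "identity:create_project": "rule:admin_required",
}
V3CLOUDSAMPLE_POLICY = {
    "admin_required": "role:admin",
    "identity:create_project":
        "rule:admin_required and domain_id:%(project.domain_id)s",
}

def flatten(d, prefix=""):
    """Turn {"project": {"domain_id": x}} into {"project.domain_id": x}."""
    out = {}
    for key, value in d.items():
        if isinstance(value, dict):
            out.update(flatten(value, prefix + key + "."))
        else:
            out[prefix + key] = value
    return out

def check(atom, policy, creds, target):
    """Evaluate one 'kind:match' atom; %(key)s in match is filled from target."""
    kind, match = atom.split(":", 1)
    match = match % target
    if kind == "rule":
        return enforce(match, policy, creds, target)
    if kind == "role":
        return match in creds.get("roles", [])
    # Generic check: compare a token credential (e.g. the domain_id carried
    # by a domain-scoped token) with the value taken from the target.
    return kind in creds and str(creds[kind]) == match

def enforce(rule, policy, creds, target):
    """'or' of 'and' groups, no parentheses: enough for the rules above."""
    return any(all(check(a.strip(), policy, creds, target)
                   for a in group.split(" and "))
               for group in policy[rule].split(" or "))

def can_create_project(policy, creds, project_domain_id):
    """Would identity:create_project pass for this token and target domain?"""
    target = flatten({"project": {"domain_id": project_domain_id}})
    return enforce("identity:create_project", policy, creds, target)

# Constructed credentials: a domain-scoped admin token for domain "d1",
# and the unscoped token from the thread, which carried no roles at all.
DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "d1"}
UNSCOPED = {"roles": []}
```

With the default rule the "d1" admin passes for any target domain (the behaviour Ravi first reported); with the v3cloudsample rule the same token passes only for "d1", and a token without roles or without a domain scope is denied, which is the 403 from the later report.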