Thanks Dolph, it worked now. I specified the domain id in the scope.
-Ravi.
On Wed, Dec 18, 2013 at 12:05 PM, Ravi Chunduru <[email protected]> wrote:
> Hi Dolph,
> I don't have a project yet to use in the scope. The intention is to get a
> token using domain admin credentials and create a project using it.
>
> Thanks,
> -Ravi.
>
> On Wed, Dec 18, 2013 at 11:39 AM, Dolph Mathews <[email protected]> wrote:
>>
>> On Wed, Dec 18, 2013 at 12:48 PM, Ravi Chunduru <[email protected]> wrote:
>>> Thanks all for the information.
>>> I now have v3 policies in place; the issue is that as a domain admin I
>>> could not create a project in the domain. I get a 403 unauthorized status.
>>>
>>> I see that when I request a token as a 'domain admin', the response did
>>> not have any roles. In the token request, I couldn't specify the project,
>>> as we are about to create the project in the next step.
>>
>> Specify a domain as the "scope" to obtain domain-level authorization in
>> the resulting token.
>>
>> See the third example under Scope:
>>
>> https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md#scope-scope
>>
>>> Here is the complete request/response of all the steps done.
>>> https://gist.github.com/kumarcv/8015275
>>>
>>> I am assuming it's a bug. Please let me know your opinions.
>>>
>>> Thanks,
>>> -Ravi.
>>>
>>> On Thu, Dec 12, 2013 at 3:00 PM, Henry Nash <[email protected]> wrote:
>>>> Hi
>>>>
>>>> So the idea wasn't that you create a domain with the id of
>>>> 'domain_admin_id', rather that you create the domain that you plan to use
>>>> for your admin domain, and then paste its (auto-generated) domain_id into
>>>> the policy file.
>>>>
>>>> Henry
>>>>
>>>> On 12 Dec 2013, at 03:11, Paul Belanger <[email protected]> wrote:
>>>>
>>>> > On 13-12-11 11:18 AM, Lyle, David wrote:
>>>> >> +1 on moving the domain admin role rules to the default policy.json
>>>> >>
>>>> >> -David Lyle
>>>> >>
>>>> >> From: Dolph Mathews [mailto:[email protected]]
>>>> >> Sent: Wednesday, December 11, 2013 9:04 AM
>>>> >> To: OpenStack Development Mailing List (not for usage questions)
>>>> >> Subject: Re: [openstack-dev] [keystone] domain admin role query
>>>> >>
>>>> >> On Tue, Dec 10, 2013 at 10:49 PM, Jamie Lennox <[email protected]> wrote:
>>>> >> Using the default policies it will simply check for the admin role
>>>> >> and not care about the domain that admin is limited to. This is partially a
>>>> >> left over from the V2 api when there weren't domains to worry about.
>>>> >>
>>>> >> A better example of policies are in the file
>>>> >> etc/policy.v3cloudsample.json. In there you will see the rule for
>>>> >> create_project is:
>>>> >>
>>>> >> "identity:create_project": "rule:admin_required and domain_id:%(project.domain_id)s",
>>>> >>
>>>> >> as opposed to (in policy.json):
>>>> >>
>>>> >> "identity:create_project": "rule:admin_required",
>>>> >>
>>>> >> This is what you are looking for to scope the admin role to a domain.
>>>> >>
>>>> >> We need to start moving the rules from policy.v3cloudsample.json to
>>>> >> the default policy.json =)
>>>> >>
>>>> >> Jamie
>>>> >>
>>>> >> ----- Original Message -----
>>>> >>> From: "Ravi Chunduru" <[email protected]>
>>>> >>> To: "OpenStack Development Mailing List" <[email protected]>
>>>> >>> Sent: Wednesday, 11 December, 2013 11:23:15 AM
>>>> >>> Subject: [openstack-dev] [keystone] domain admin role query
>>>> >>>
>>>> >>> Hi,
>>>> >>> I am trying out Keystone V3 APIs and domains.
>>>> >>> I created a domain, created a project in that domain, created a
>>>> >>> user in that domain and project.
>>>> >>> Next, gave an admin role for that user in that domain.
>>>> >>>
>>>> >>> I am assuming that user is now admin to that domain.
>>>> >>> Now, I got a scoped token with that user, domain and project. With that
>>>> >>> token, I tried to create a new project in that domain. It worked.
>>>> >>>
>>>> >>> But, using the same token, I could also create a new project in a 'default'
>>>> >>> domain too. I expected it should throw an authentication error. Is it a bug?
>>>> >>>
>>>> >>> Thanks,
>>>> >>> --
>>>> >>> Ravi
>>>> >
>>>> > One of the issues I had this week while using the
>>>> > policy.v3cloudsample.json was I had no easy way of creating a domain with
>>>> > the id of 'admin_domain_id'. I basically had to modify the SQL directly to
>>>> > do it.
>>>> >
>>>> > Any chance we can create a 2nd domain using 'admin_domain_id' via
>>>> > keystone-manage sync_db?
>>>> >
>>>> > --
>>>> > Paul Belanger | PolyBeacon, Inc.
>>>> > Jabber: [email protected] | IRC: pabelanger (Freenode)
>>>> > Github: https://github.com/pabelanger | Twitter: https://twitter.com/pabelanger
>>>
>>> --
>>> Ravi
>>
>> --
>> -Dolph
>
> --
> Ravi

--
Ravi
_______________________________________________ OpenStack-dev mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
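As an added illustration (not code from the thread or from Keystone), a small constructed stand-in for Keystone's policy engine that evaluates the two create_project rules quoted above: the default policy.json rule lets a domain admin create a project in any domain, which is the behaviour Ravi reported, while the policy.v3cloudsample.json rule ties the grant to the domain in the domain-scoped token. It assumes admin_required is defined as role:admin and uses invented domain ids.

```python
# Constructed, simplified policy evaluator (NOT oslo.policy): it understands only
# "rule:<name>", "role:<name>", "<cred_key>:%(target.path)s" and top-level and/or.
# Its purpose is to show why the two create_project rules from the thread differ.

POLICY_JSON = {                        # default policy.json rule (from the thread)
    "admin_required": "role:admin",    # assumption: the usual admin_required definition
    "identity:create_project": "rule:admin_required",
}
POLICY_V3CLOUDSAMPLE = {               # etc/policy.v3cloudsample.json rule (from the thread)
    "admin_required": "role:admin",
    "identity:create_project": "rule:admin_required and domain_id:%(project.domain_id)s",
}

def _lookup(target, dotted):
    """Resolve a dotted path such as 'project.domain_id' against the target dict."""
    value = target
    for part in dotted.split("."):
        value = value.get(part) if isinstance(value, dict) else None
    return value

def _check(policy, expr, creds, target):
    expr = expr.strip()
    if " or " in expr:      # 'and' binds tighter than 'or', so split on 'or' first
        return any(_check(policy, e, creds, target) for e in expr.split(" or "))
    if " and " in expr:
        return all(_check(policy, e, creds, target) for e in expr.split(" and "))
    kind, _, value = expr.partition(":")
    if kind == "rule":      # reference to another named rule
        return _check(policy, policy[value], creds, target)
    if kind == "role":      # role carried by the token
        return value in creds.get("roles", [])
    if value.startswith("%(") and value.endswith(")s"):   # generic credential == target check
        return creds.get(kind) is not None and creds.get(kind) == _lookup(target, value[2:-2])
    return False

def enforce(policy, action, creds, target):
    return _check(policy, policy[action], creds, target)

# Constructed credentials: admin role granted on domain "dom-a", presented through a
# domain-scoped token, so the credentials carry both the role and the domain_id.
DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "dom-a"}

def create_project_allowed(policy, project_domain_id, creds=DOMAIN_ADMIN):
    return enforce(policy, "identity:create_project", creds,
                   {"project": {"domain_id": project_domain_id}})

if __name__ == "__main__":
    for name, pol in (("policy.json", POLICY_JSON), ("v3cloudsample", POLICY_V3CLOUDSAMPLE)):
        print(name, "own domain:", create_project_allowed(pol, "dom-a"),
              "| default domain:", create_project_allowed(pol, "default"))
```

A token with no domain in its scope yields credentials without domain_id, so the v3cloudsample rule denies the request outright, matching the 403 seen before the scope was set.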
