Re: [Openstack] Projects deals tricky job

2016-06-27 Thread Eugen Block
Thanks for the information, I'll definitely get to it. But right now  
I'm having some trouble with domain_id in the keystone_policy.json. I  
believe I'm also affected by this bug  
https://bugs.launchpad.net/python-openstackclient/+bug/1538804


I switched to the stable/liberty policy.v3cloudsample.json because the
value for "token.is_admin_project:True or domain_id:admin_domain_id"
led to errors in authentication. Using "rule:admin_required and
domain_id:default" works if I use Horizon (I see the output in
keystone.log), but it fails to authenticate while using CLI because
for some reason "domain_id" is never read by the client.

As a workaround I changed the rule to

"cloud_admin": "rule:admin_required and (domain_id:default or user_domain_id:default)"


That seems to work fine, and I already tried it with user_id instead
of domain_id, but I can't predict the consequences. What is the
recommendation here until the CLI client is able to read domain_id?


Regards,
Eugen


Quoting Timothy Symanczyk:


We implemented something here at Symantec that sounds very similar to what
you're both talking about. We have three levels of Admin - Cloud, Domain,
and Project. If you're interested in checking it out, we actually
presented on this topic in Austin.

The presentation : https://www.youtube.com/watch?v=v79kNddKbLc

All the referenced files can be found in our github here :
https://github.com/Symantec/Openstack_RBAC

Specifically you may want to check out our keystone policy file that
defines cloud_admin domain_admin and project_admin :
https://github.com/Symantec/Openstack_RBAC/blob/master/keystone/policy.json

Tim

On 6/20/16, 5:17 AM, "Eugen Block"  wrote:


I believe you are trying to accomplish the same configuration as I do,
so I think domains are the answer. You can divide your cloud into
different domains and grant admin rights to specific users, which are
not authorized to see the other domains. Although I'm still not sure
if I did it correctly and it's not fully resolved yet, here is a
thread I started a few days ago:

http://lists.openstack.org/pipermail/openstack/2016-June/016454.html

Regards,
Eugen

Quoting Venkatesh Kotipalli:


Hi Folks,

Is it possible to create a project admin in OpenStack?

As we identified, whenever we created a project admin it will show the entire
cloud (like: other users and all services, completely admin access), but I
want to see the particular project users, admins and control all the
services.

Guys, please help me with this part. I am really very confused.

Regards,
Venkatesh.k




--
Eugen Block voice   : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG  fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail  : ebl...@nde.ag

Vorsitzende des Aufsichtsrates: Angelika Mozdzen
  Sitz und Registergericht: Hamburg, HRB 90934
  Vorstand: Jens-U. Mozdzen
   USt-IdNr. DE 814 013 983


___
Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe :
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
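
Added example (not part of the original messages and not keystone's own code): a minimal evaluator for the rule syntax quoted in the 2016-06-27 message, run over constructed credentials. It assumes a project-scoped token yields credentials without domain_id; the names cloud_admin_strict and cloud_admin_workaround and the credential dicts are made up for illustration.

```python
import re

# Constructed policy: admin_required plus the two cloud_admin variants
# quoted in the message (names cloud_admin_strict/_workaround are made up here).
POLICY = {
    "admin_required": "role:admin",
    "cloud_admin_strict": "rule:admin_required and domain_id:default",
    "cloud_admin_workaround": "rule:admin_required and "
                              "(domain_id:default or user_domain_id:default)",
}
# Constructed credentials (assumed shape): a domain-scoped token carries
# domain_id, a project-scoped one carries project_id instead.
DOMAIN_SCOPED = {"user_domain_id": "default", "domain_id": "default", "roles": ["admin"]}
PROJECT_SCOPED = {"user_domain_id": "default", "project_id": "p1", "roles": ["admin"]}
# Another user: admin role on project p2 only, home domain "default".
PROJECT_ADMIN = {"user_domain_id": "default", "project_id": "p2", "roles": ["admin"]}
OTHER_DOMAIN_ADMIN = {"user_domain_id": "d2", "project_id": "p3", "roles": ["admin"]}

def check(rule, creds, policy=POLICY):
    """Evaluate a policy rule string against credentials ("and" binds tighter than "or")."""
    tokens = re.findall(r"\(|\)|[^\s()]+", rule)
    pos = 0

    def atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            val = expr()
            pos += 1  # consume ")"
            return val
        kind, _, match = tok.partition(":")
        if kind == "rule":
            return check(policy[match], creds, policy)
        if kind == "role":
            return match.lower() in (r.lower() for r in creds.get("roles", []))
        # Generic check: a key absent from the credentials never matches.
        return kind in creds and str(creds[kind]) == match

    def chain(operand, word, combine):
        nonlocal pos
        val = operand()
        while pos < len(tokens) and tokens[pos] == word:
            pos += 1
            val = combine(operand(), val)
        return val

    def expr():
        return chain(lambda: chain(atom, "and", lambda a, b: a and b),
                     "or", lambda a, b: a or b)

    return expr()
```

check(POLICY["cloud_admin_workaround"], PROJECT_ADMIN) returns True: with user_domain_id:default in the rule, the admin role on any single project is enough for a default-domain user to satisfy cloud_admin, while the strict rule rejects every project-scoped token.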





Re: [Openstack] Projects deals tricky job

2016-06-21 Thread Timothy Symanczyk
We implemented something here at Symantec that sounds very similar to what
you're both talking about. We have three levels of Admin - Cloud, Domain,
and Project. If you're interested in checking it out, we actually
presented on this topic in Austin.

The presentation : https://www.youtube.com/watch?v=v79kNddKbLc

All the referenced files can be found in our github here :
https://github.com/Symantec/Openstack_RBAC

Specifically you may want to check out our keystone policy file that
defines cloud_admin domain_admin and project_admin :
https://github.com/Symantec/Openstack_RBAC/blob/master/keystone/policy.json

Tim

On 6/20/16, 5:17 AM, "Eugen Block"  wrote:

>I believe you are trying to accomplish the same configuration as I do,
>so I think domains are the answer. You can divide your cloud into
>different domains and grant admin rights to specific users, which are
>not authorized to see the other domains. Although I'm still not sure
>if I did it correctly and it's not fully resolved yet, here is a
>thread I started a few days ago:
>
>http://lists.openstack.org/pipermail/openstack/2016-June/016454.html
>
>Regards,
>Eugen
>
>Quoting Venkatesh Kotipalli:
>
>> Hi Folks,
>>
>> Is it possible to create a project admin in OpenStack?
>>
>> As we identified, whenever we created a project admin it will show the entire
>> cloud (like: other users and all services, completely admin access), but I
>> want to see the particular project users, admins and control all the
>> services.
>>
>> Guys, please help me with this part. I am really very confused.
>>
>> Regards,
>> Venkatesh.k
>
>
>


Re: [Openstack] Projects deals tricky job

2016-06-20 Thread Pablo Iranzo Gómez


That's HMT or 'reseller use case', you can implement something similar
by using 'flat hierarchies', but by default, as you experienced, any
admin, even if under a tenant, is an admin of the whole
infrastructure.

Regards,
Pablo

+++ Venkatesh Kotipalli [20/06/16 17:05 +0530]:

Hi Folks,

Is it possible to create a project admin in OpenStack?

As we identified, whenever we created a project admin it will show the entire
cloud (like: other users and all services, completely admin access), but I
want to see the particular project users, admins and control all the
services.

Guys, please help me with this part. I am really very confused.

Regards,
Venkatesh.k






--

Pablo Iranzo Gómez (pablo.ira...@redhat.com)  GnuPG: 0x5BD8E1E4
Senior Technical Account Manager
RHC{A,SS,DS,VA,E,SA,SP,AOSP}, JBCAA  #110-215-852   
 




Re: [Openstack] Projects deals tricky job

2016-06-20 Thread Eugen Block
I believe you are trying to accomplish the same configuration as I do,
so I think domains are the answer. You can divide your cloud into
different domains and grant admin rights to specific users, which are
not authorized to see the other domains. Although I'm still not sure
if I did it correctly and it's not fully resolved yet, here is a
thread I started a few days ago:


http://lists.openstack.org/pipermail/openstack/2016-June/016454.html

Regards,
Eugen

Quoting Venkatesh Kotipalli:


Hi Folks,

Is it possible to create a project admin in OpenStack?

As we identified, whenever we created a project admin it will show the entire
cloud (like: other users and all services, completely admin access), but I
want to see the particular project users, admins and control all the
services.

Guys, please help me with this part. I am really very confused.

Regards,
Venkatesh.k






[Openstack] Projects deals tricky job

2016-06-20 Thread Venkatesh Kotipalli
Hi Folks,

Is it possible to create a project admin in OpenStack?

As we identified, whenever we created a project admin it will show the entire
cloud (like: other users and all services, completely admin access), but I
want to see the particular project users, admins and control all the
services.

Guys, please help me with this part. I am really very confused.

Regards,
Venkatesh.k