For these kinds of operations, you use role assignment inheritance. Do not attempt to enforce policy on parent project ID.
I wrote up an article about this about a year back. CloudForms is just the consumer, but the rules are the same. https://adam.younglogic.com/2018/02/openstack-hmt-cloudforms/

** Changed in: keystone
   Status: New => Invalid

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1842397

Title:
  Possibility for project level roles ?

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  Hi Team,

  I want to create project level roles, where this role should allow granting child-project management permissions to a user. It should allow a bearer of the role to create, update and list child-projects underneath a common parent project (the role-assignment of the user would be attached to the parent project).

  I added the below to policy.json:

    "admin_and_matching_parent_project_id": "rule:admin_required and domain_id:%(project.domain_id)s and parent_id:%(project.parent_id)s",
    "identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id or rule:admin_and_matching_parent_project_id or role:project_admin",

  Below are my concerns:

  1. The user should be part of admin project? Else I get: The request you have made requires authentication. (HTTP 401)
  2. How to restrict project creation to a specific parent project? Does it work in production? Do I create a parent_project_id column as mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1235222 ?
     https://specs.openstack.org/openstack/keystone-specs/specs/juno/hierarchical_multitenancy.html

  Any suggestions how to fix the above?

  Regards,
  Rajiv

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1842397/+subscriptions
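As an added illustration of the inheritance approach recommended above (example code written for this page, not keystone's implementation and not from anyone in the thread): a simplified model of how an inherited role assignment on a parent project becomes an effective role once a token is scoped to a descendant project, so a plain `role:project_admin` policy check succeeds there without any parent_id matching in policy.json. Project and user names are constructed.

```python
# Added example, not keystone's code: a minimal model of inherited role
# assignment resolution across a project tree. Names are constructed.

# project name -> parent project name (None for a top-level project)
PROJECTS = {
    "parent": None,
    "child-a": "parent",
    "child-b": "parent",
    "grandchild": "child-a",
    "other": None,          # unrelated tree, no relation to "parent"
}

# (user, project the assignment is attached to, role, inherited?)
ASSIGNMENTS = [
    ("rajiv", "parent", "project_admin", True),   # like `openstack role add --inherited`
    ("rajiv", "parent", "member", False),        # plain assignment on the parent itself
]


def ancestors(project):
    """Yield the strict ancestors of a project, nearest first."""
    current = PROJECTS[project]
    while current is not None:
        yield current
        current = PROJECTS[current]


def effective_roles(user, project, assignments=ASSIGNMENTS):
    """Roles a token scoped to `project` carries for `user`.

    A non-inherited assignment applies only to the project it is attached to.
    An inherited assignment applies to every descendant of that project but
    not to the project itself.
    """
    ancestry = set(ancestors(project))
    roles = set()
    for who, target, role, inherited in assignments:
        if who != user:
            continue
        if (not inherited and target == project) or (inherited and target in ancestry):
            roles.add(role)
    return roles


def policy_role_check(user, scoped_project, required_role="project_admin"):
    """What a policy rule like `role:project_admin` sees for this scope."""
    return required_role in effective_roles(user, scoped_project)
```

Because the inherited assignment does not apply to the parent project itself, the parent keeps only the plain `member` assignment in this model; the user is `project_admin` on every descendant and on nothing outside that subtree.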

