Keystone: different domain to control access
Hi colleagues,
While trying to use different domains, I see something that totally breaks the idea of domains itself. It seems I'm missing something important, and I would appreciate it if anybody could point me to where I'm wrong.
Well:
1) I created a domain and a user, and assigned the 'admin' role to the user in the domain:
openstack domain create devtest --enable
openstack user create gab --domain devtest --password xxxx --enable
openstack role add admin --user gab --domain devtest
openstack project create admin --domain devtest
openstack role add admin --project-domain devtest --project admin --user gab
2) created the corresponding ENV variables for the openstack client:
export OS_USERNAME=gab
export OS_PASSWORD=xxxxxxxxx
export OS_PROJECT_NAME=admin
export OS_REGION_NAME='RegionOne'
export OS_USER_DOMAIN_NAME=devtest
export OS_PROJECT_DOMAIN_NAME=devtest
export OS_DEFAULT_DOMAIN=devtest
export OS_AUTH_STRATEGY='keystone'
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_INTERFACE=internal
and then, using these settings, I'm able to do this:
admin@default $ openstack project create asd --domain default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 0d36824bbead4b08a90b6fa29329ae54 |
| is_domain   | False                            |
| name        | asd                              |
| parent_id   | default                          |
+-------------+----------------------------------+
gab@devtest $ openstack project list
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| 0d36824bbead4b08a90b6fa29329ae54 | asd    |
| 795504a0e45346d7ba0a016de877e725 | admin  |
| d4746831c856400b84e79f5eb340e8bf | admin  |
+----------------------------------+--------+
gab@devtest $ openstack project delete asd
gab@devtest $ [... it's ok ...]
and so on.
So, the basic idea of administrative separation doesn't work in my environment: the 'admin' user can do anything in other domains, while I want to have complete separation (the admin in devtest shouldn't have any access to other domains). How can I achieve this?
Thank you.
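Added here as an example, not part of the original post: a shell probe to verify whether the domain admin configured in steps 1 and 2 is actually confined to its own domain. It assumes the openstack CLI is installed and the OS_* variables from step 2 (gab@devtest) are exported in the shell; the project name isolation-probe and the OSC override variable are constructed for this example.

```shell
#!/usr/bin/env bash
# Added probe (not from the original post): check whether a domain-scoped admin
# is really confined to its own domain. Assumes the openstack CLI is installed
# and the OS_* variables from step 2 (gab@devtest) are exported in this shell.
# OSC can be pointed at a stub function so the checks can be exercised offline.

OSC="${OSC:-openstack}"                             # command used to reach Keystone
FOREIGN_DOMAIN="${FOREIGN_DOMAIN:-default}"         # a domain gab should NOT control
PROBE_PROJECT="${PROBE_PROJECT:-isolation-probe}"   # constructed placeholder name

# Try to create a project in a foreign domain with the current credentials.
# Returns 0 when Keystone refuses (isolation holds) and 1 when it succeeds
# (the policy treats 'admin' as global); a project it did create is removed again.
probe_cross_domain_create() {
    if "$OSC" project create "$PROBE_PROJECT" --domain "$FOREIGN_DOMAIN" >/dev/null 2>&1; then
        "$OSC" project delete "$PROBE_PROJECT" --domain "$FOREIGN_DOMAIN" >/dev/null 2>&1 || true
        return 1
    fi
    return 0
}

# Count projects visible to the current token that belong to a different domain.
# `project list --long` exposes the Domain ID column; with -f value each line is
# "ID Name DomainID", so field 3 is compared with the caller's own domain id.
count_foreign_visible_projects() {
    local own_domain_id="$1"
    "$OSC" project list --long -f value -c ID -c Name -c "Domain ID" 2>/dev/null \
        | awk -v own="$own_domain_id" '$3 != own { n++ } END { print n + 0 }'
}

# Overall verdict: returns 0 when isolated, 1 when the domain boundary is not enforced.
check_domain_isolation() {
    local own_domain_id="$1"
    local leaked
    leaked="$(count_foreign_visible_projects "$own_domain_id")"
    if probe_cross_domain_create && [ "$leaked" -eq 0 ]; then
        echo "domain isolation holds for domain $own_domain_id"
        return 0
    fi
    echo "domain boundary NOT enforced: cross-domain create allowed or $leaked foreign project(s) visible"
    return 1
}
```

Run it as `check_domain_isolation "$(openstack domain show devtest -f value -c id)"`; a return code of 1 reproduces the behaviour described above, 0 means the policy enforces the domain boundary.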