Keystone: different domain to control access

asked 2017-05-26 09:53:28 -0500

doka.ua gravatar image

Hi colleagues,

while trying to use different domains, I see something that totally breaks the idea of domains itself. It seems I'm missing something important and will appreciate if anybody will point me where I'm wrong.

Well:

1) I created domain, user and assign 'admin' role to the user in the domain

openstack domain create devtest --enable
openstack user create gab --domain devtest --password xxxx --enable
openstack role add admin --user gab --domain devtest
openstack project create admin --domain devtest
openstack role add admin --project-domain devtest --project admin --user gab

2) created corresponding ENV variables for openstack client

export OS_USERNAME=gab
export OS_PASSWORD=xxxxxxxxx
export OS_PROJECT_NAME=admin
export OS_REGION_NAME='RegionOne'
export OS_USER_DOMAIN_NAME=devtest
export OS_PROJECT_DOMAIN_NAME=devtest
export OS_DEFAULT_DOMAIN=devtest
export OS_AUTH_STRATEGY='keystone'
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_INTERFACE=internal

and then, using these settings, I'm able

  • - to look at things in 'default' project, e.g. 'openstack user list' shows me an entire list of users incl ones in 'default' project
  • - to create users and projects in domain 'default'
  • - to delete users and project in domain 'default' even if these entities created by another user, e.g.

    admin@default $ openstack project create asd --domain default
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description |                                  |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | 0d36824bbead4b08a90b6fa29329ae54 |
    | is_domain   | False                            |
    | name        | asd                              |
    | parent_id   | default                          |
    +-------------+----------------------------------+
    
    gab@devtest $ openstack project list
    +----------------------------------+--------+
    | ID                               | Name   |
    +----------------------------------+--------+
    | 0d36824bbead4b08a90b6fa29329ae54 | asd    |
    | 795504a0e45346d7ba0a016de877e725 | admin  |
    | d4746831c856400b84e79f5eb340e8bf | admin  |
    +----------------------------------+--------+
    
    gab@devtest $ openstack project delete asd
    gab@devtest $ [... it's ok ...]
    

    and so on.

    So, the basic idea of administrative separation don't work in my environment - 'admin' user can do anything in other domains, while I want to have complete separation (admin in devtest don't have any access to another domains). How to achieve this?

    Thank you.

  • edit retag flag offensive close merge delete