
Admin role is global in scope after it is assigned

asked 2017-10-23 13:52:05 -0500

mike_gray

Team,

I am new to OpenStack, and I am facing one issue with our VIO stack. We have multiple tenants/projects in our stack, but when I assign the admin role to one user for a specific project, the same user is able to edit other projects as well. We have only one domain, hence I won't be able to restrict admin boundaries using a separate domain. I would like to assign an admin user per project.

Can someone please guide me here?


Comments

The admin role is, in principle, able to perform cloud-global tasks like managing projects, users, external networks etc. Domain admins are limited to work on users, groups and projects in a domain, nothing else. There is no such thing as a project admin. What is your "project admin" supposed to do?

Bernd Bausch (2017-10-24 17:58:32 -0500)

Generally, you change user privileges by modifying policies. Depending on the particular requirements of your "project admin" role, that may be possible.

Bernd Bausch (2017-10-24 18:00:30 -0500)

1 answer


answered 2017-11-29 10:22:48 -0500

dcreno

Mike,

I think this may be related to this bug: https://bugs.launchpad.net/oslo.polic...

I tried fixing according to the patch but couldn't get it to work for Mitaka. I ended up addressing this by editing the keystone policy.json file like this (replace with your specific IDs):

"admin_domain_admin_user": "user_id:cb225fdec10b492f934c242d481e0a1d",
"OS_admin": "role:Admin and domain_id:d2649e20f18d47f6a287d15a88b23541",
"cloud_admin": "rule:admin_domain_admin_user or rule:OS_admin",

I have a domain just for my OpenStack administrators with the id in the OS_admin rule. The first rule is the admin user in the admin_domain. The cloud_admin rule now just establishes the "built-in" admin account or my administrators in a unique domain as a cloud_admin.

Hope this helps, David Reno
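
An added example, not part of the answer above and not oslo.policy code: a small Python evaluator for the three rules in that answer, showing which credentials satisfy cloud_admin and that a project-scoped Admin role alone does not. The IDs are placeholders and the credential dictionaries are constructed; their key names are assumed to match the left-hand side of each check.

```python
# Simplified evaluator for the subset of policy-rule syntax used in the answer:
# "kind:value" checks joined by "and"/"or", plus "rule:" references.
# This is NOT oslo.policy; it only mirrors how these three rules combine.

ADMIN_USER_ID = "ADMIN_USER_ID_PLACEHOLDER"      # placeholder, not a real ID
ADMIN_DOMAIN_ID = "ADMIN_DOMAIN_ID_PLACEHOLDER"  # placeholder, not a real ID

RULES = {
    "admin_domain_admin_user": f"user_id:{ADMIN_USER_ID}",
    "OS_admin": f"role:Admin and domain_id:{ADMIN_DOMAIN_ID}",
    "cloud_admin": "rule:admin_domain_admin_user or rule:OS_admin",
}


def check(atom, creds, rules):
    """Evaluate one 'kind:value' check against a credentials dict."""
    kind, _, value = atom.strip().partition(":")
    if kind == "rule":
        return evaluate(rules[value], creds, rules)
    if kind == "role":
        # oslo.policy compares role names case-insensitively; mirrored here.
        return value.lower() in (r.lower() for r in creds.get("roles", []))
    # Generic check such as user_id:... or domain_id:... (exact match).
    return creds.get(kind) == value


def evaluate(expr, creds, rules=RULES):
    """An 'or' of 'and' groups; this subset has no parentheses or 'not'."""
    return any(
        all(check(atom, creds, rules) for atom in group.split(" and "))
        for group in expr.split(" or ")
    )


def is_cloud_admin(creds):
    return evaluate(RULES["cloud_admin"], creds)


# Constructed credentials (assumed shape, for illustration only).
BUILTIN_ADMIN = {"user_id": ADMIN_USER_ID, "roles": []}
DOMAIN_OPERATOR = {"user_id": "u-ops", "roles": ["admin"],
                   "domain_id": ADMIN_DOMAIN_ID}
PROJECT_ADMIN = {"user_id": "u-proj", "roles": ["Admin"],
                 "project_id": "constructed-project-1"}
DOMAIN_MEMBER = {"user_id": "u-mem", "roles": ["Member"],
                 "domain_id": ADMIN_DOMAIN_ID}

if __name__ == "__main__":
    for name in ("BUILTIN_ADMIN", "DOMAIN_OPERATOR",
                 "PROJECT_ADMIN", "DOMAIN_MEMBER"):
        print(name, is_cloud_admin(globals()[name]))
```
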

