Ask Your Question
0

Project Admin

asked 2018-08-06 14:34:44 -0500

Mrxlazuardin gravatar image

Hi,

I have put following update on /etc/openstack-dashboard/keystone_policy.json and /etc/keystone/policy.json.

{
    "project_admin": "role:project-admin and project_id:%(target.project.id)s",
    "identity:get_user": "rule:admin_or_owner or rule:project_admin",
    "identity:list_users": "rule:admin_required or rule:project_admin",
    "identity:create_user": "rule:admin_required or rule:project_admin",
    "identity:update_user": "rule:admin_required or rule:project_admin",
    "identity:delete_user": "rule:admin_required or rule:project_admin"
}

But the user with project-admin role still cannot see his own project users and cannot create other users for that project. What have I missed?

Best regards,

edit retag flag offensive close merge delete
add a comment

1 answer

Sort by ยป oldest newest most voted
0

answered 2018-08-06 18:31:14 -0500

Bernd Bausch gravatar image

updated 2018-08-06 18:33:33 -0500

For get_user, update_user and delete_user, the target is indeed a user and target.project.id exists. For list_users and create_user, the target is not a user. I don't know if these APIs have a target at all.

Also, the APIs for listing and creating users don't have project or role parameters. This means that there is no API that creates or lists users for a certain project.

To list users for your project, you have to list all users, then in a second pass filter them by project. To create a user in your project, you first create a user, then link it to a project by assigning it a role.

I don't think what you want is possible in the current policy framework. The only way to delegate user management is via the domain admin concept.

edit flag offensive delete link more

Comments

Hi Bernd,

If I use multi domain, what should I do for modifying existing single domain OpenStack to be multidomain OpenStack? Can we do quota allocation like on project quota on delegated domain?

Best regards,

Mrxlazuardin gravatar imageMrxlazuardin ( 2018-08-08 09:50:02 -0500 )edit

The only purpose of domains is management of users and projects. Only Keystone knows about domains, the other services don't. Thus, you can assign quota to projects but not to domains, and you need to be a cloud admin, not a domain admin, to assign quota.

Bernd Bausch gravatar imageBernd Bausch ( 2018-08-08 10:06:15 -0500 )edit

To use domains, you need Keystone API v3. To enable domain admins, you need a different policy.json, e.g. https://github.com/openstack/keystone.... That's all.

Bernd Bausch gravatar imageBernd Bausch ( 2018-08-08 10:08:21 -0500 )edit

Hi Bernd,

I have used policy.v3cloudsample.json for /etc/openstack-dashboard/keystone_policy.json and /etc/keystone/policy.json. But I still cannot see domains panel on Horizon. What have I missed?

Best regards,

Mrxlazuardin gravatar imageMrxlazuardin ( 2018-08-09 12:20:42 -0500 )edit

See my answer to your other question.

Bernd Bausch gravatar imageBernd Bausch ( 2018-08-09 21:29:26 -0500 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2018-08-06 14:34:44 -0500

Seen: 141 times

Last updated: Aug 06 '18

Related questions

Project admin role - User

Restricting volume attachment using policies

custom roles for swift and cinder

How to setup nova's policy.json ensure only owner can list his instance?

Rocky keystone: admin role on project is too permissive

Troubles with RBAC configuration(kilo).Error: Failed to modify 15 project members, update project groups and update project quotas. Error: Unable to modify project

neutron policy didn't work

Changing Nova policy.json in devstack Rocky

Openstack RBAC policy change

Rule in policy.json to restrict access to user owned resources