Ask Your Question
0

Project Admin

asked 2018-08-06 14:34:44 -0600

Mrxlazuardin gravatar image

Hi,

I have put following update on /etc/openstack-dashboard/keystone_policy.json and /etc/keystone/policy.json.

{
    "project_admin": "role:project-admin and project_id:%(target.project.id)s",
    "identity:get_user": "rule:admin_or_owner or rule:project_admin",
    "identity:list_users": "rule:admin_required or rule:project_admin",
    "identity:create_user": "rule:admin_required or rule:project_admin",
    "identity:update_user": "rule:admin_required or rule:project_admin",
    "identity:delete_user": "rule:admin_required or rule:project_admin"
}

But the user with project-admin role still cannot see his own project users and cannot create other users for that project. What have I missed?

Best regards,

edit retag flag offensive close merge delete
add a comment

1 answer

Sort by ยป oldest newest most voted
0

answered 2018-08-06 18:31:14 -0600

Bernd Bausch gravatar image

updated 2018-08-06 18:33:33 -0600

For get_user, update_user and delete_user, the target is indeed a user and target.project.id exists. For list_users and create_user, the target is not a user. I don't know if these APIs have a target at all.

Also, the APIs for listing and creating users don't have project or role parameters. This means that there is no API that creates or lists users for a certain project.

To list users for your project, you have to list all users, then in a second pass filter them by project. To create a user in your project, you first create a user, then link it to a project by assigning it a role.

I don't think what you want is possible in the current policy framework. The only way to delegate user management is via the domain admin concept.

edit flag offensive delete link more

Comments

Hi Bernd,

If I use multi domain, what should I do for modifying existing single domain OpenStack to be multidomain OpenStack? Can we do quota allocation like on project quota on delegated domain?

Best regards,

Mrxlazuardin gravatar imageMrxlazuardin ( 2018-08-08 09:50:02 -0600 )edit

The only purpose of domains is management of users and projects. Only Keystone knows about domains, the other services don't. Thus, you can assign quota to projects but not to domains, and you need to be a cloud admin, not a domain admin, to assign quota.

Bernd Bausch gravatar imageBernd Bausch ( 2018-08-08 10:06:15 -0600 )edit

To use domains, you need Keystone API v3. To enable domain admins, you need a different policy.json, e.g. https://github.com/openstack/keystone.... That's all.

Bernd Bausch gravatar imageBernd Bausch ( 2018-08-08 10:08:21 -0600 )edit

Hi Bernd,

I have used policy.v3cloudsample.json for /etc/openstack-dashboard/keystone_policy.json and /etc/keystone/policy.json. But I still cannot see domains panel on Horizon. What have I missed?

Best regards,

Mrxlazuardin gravatar imageMrxlazuardin ( 2018-08-09 12:20:42 -0600 )edit

See my answer to your other question.

Bernd Bausch gravatar imageBernd Bausch ( 2018-08-09 21:29:26 -0600 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2018-08-06 14:34:44 -0600

Seen: 40 times

Last updated: Aug 06

Related questions

Project admin role - User

How can add a new Role and then in Policy.json and create a Rule ? [closed]

How to create my own rule in Policy.json

How to change keystone policy?

can we use new Role in policy.json in grizzly version?

Troubles with RBAC configuration(kilo).Error: Failed to modify 15 project members, update project groups and update project quotas. Error: Unable to modify project

Can't find /etc/nova/policy.json

Do I have to restart the service, after I modified the policy file?

How to setup nova's policy.json ensure only owner can list his instance?

How can I restrict visibility of instances in a project