asked 2018-09-26 03:48:52 -0500

I am trying to enable domain-scoped permissions using the prepared policy.v3cloudsample.json rules. I do the following steps, but it seems like keystone doesn't use the rules.

  1. Create the domain admin_domain

    $ openstack domain create admin_domain

  2. Create the user cloud_admin in the scope of the admin_domain domain

    $ openstack user create --domain admin_domain cloud_admin

  3. Grant the user cloud_admin the admin role on domain admin_domain

    $ openstack role add --domain admin_domain --user cloud_admin admin

  4. Replace admin_domain_id in /etc/keystone/policy.v3cloudsample.json with the ID of the admin_domain domain

  5. Copy /etc/keystone/policy.v3cloudsample.json to /etc/keystone/policy.json
  6. Add the policy file to keystone.conf

    policy_file = /etc/keystone/policy.json

  7. Restart keystone

The admin user is still able to create domains, list users of different domains, etc. What's going wrong? Is there a possibility to check what rules are applied?
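The last question in the post, which rules are actually applied to a given token, can be answered offline. The following is an added example, not code from the question or from keystone itself: a small stand-alone evaluator for the policy.json rule language that mimics how oslo.policy evaluates `rule:`, `role:` and generic `key:value` / `key:%(target_key)s` checks and records every check it evaluates. `SAMPLE_POLICY` is a constructed, simplified subset written in the style of policy.v3cloudsample.json (the real file can be loaded with `load_policy()`), `ADMIN_DOMAIN_ID` is a placeholder for the real id substituted in step 4, and the three credential dicts are constructed examples of what keystone derives from a token. The point it makes visible: a project-scoped token carries `project_id` but no `domain_id`, so no `domain_id:` check can match it; only a domain-scoped token for `admin_domain` satisfies `cloud_admin`.

```python
"""Stand-alone evaluator for keystone's policy.json rule language (added example).
Mimics oslo.policy's 'rule:', 'role:' and generic 'key:value' / 'key:%(target_key)s'
checks so the rules a token would satisfy for an action can be inspected offline."""
import json
import re

# Placeholder for the real id of admin_domain (the value substituted for
# admin_domain_id in step 4 of the question).
ADMIN_DOMAIN_ID = "ADMIN_DOMAIN_ID_PLACEHOLDER"

# Constructed, simplified rules in the style of policy.v3cloudsample.json.
SAMPLE_POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:" + ADMIN_DOMAIN_ID,
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:create_domain": "rule:cloud_admin",
    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
}

# Constructed credentials as keystone derives them from a token. A project-scoped
# token has project_id but no domain_id, so no domain_id check can ever match it.
PROJECT_SCOPED_ADMIN = {"roles": ["admin"], "user_id": "u1", "project_id": "p1"}
DOMAIN_SCOPED_CLOUD_ADMIN = {"roles": ["admin"], "user_id": "u2", "domain_id": ADMIN_DOMAIN_ID}
OTHER_DOMAIN_ADMIN = {"roles": ["admin"], "user_id": "u3", "domain_id": "d-other"}

# A %(key)s template is kept as one token even though it contains parentheses.
TOKEN_RE = re.compile(r"[^\s()]*%\([^)]*\)s|\(|\)|[^\s()]+")
TEMPLATE_RE = re.compile(r"%\((.+)\)s")


def load_policy(path):
    """Read a policy.json file (a JSON object mapping rule names to rule strings)."""
    with open(path) as fh:
        return json.load(fh)


class PolicyEvaluator:
    """Recursive-descent evaluator: 'or' binds loosest, then 'and', 'not', parentheses."""

    def __init__(self, policy, creds, target=None):
        self.policy = policy
        self.creds = creds
        self.target = target or {}  # flattened target, e.g. {"domain_id": "..."}
        self.trace = []  # human-readable record of every rule and check evaluated

    def enforce(self, rule_name):
        return self._eval_named(rule_name, depth=0)

    def _eval_named(self, name, depth):
        indent = "  " * depth
        expr = self.policy.get(name)
        if expr is None:
            self.trace.append(f"{indent}rule {name!r}: not defined -> False")
            return False
        slot = len(self.trace)
        self.trace.append("")  # filled in once the result is known
        result, rest = self._parse_or(TOKEN_RE.findall(expr), depth + 1)
        if rest:
            raise ValueError(f"trailing tokens in rule {name!r}: {rest}")
        self.trace[slot] = f"{indent}rule {name!r} = {expr!r} -> {result}"
        return result

    def _parse_or(self, tokens, depth):
        result, tokens = self._parse_and(tokens, depth)
        while tokens and tokens[0] == "or":
            rhs, tokens = self._parse_and(tokens[1:], depth)
            result = result or rhs
        return result, tokens

    def _parse_and(self, tokens, depth):
        result, tokens = self._parse_not(tokens, depth)
        while tokens and tokens[0] == "and":
            rhs, tokens = self._parse_not(tokens[1:], depth)
            result = result and rhs
        return result, tokens

    def _parse_not(self, tokens, depth):
        if tokens and tokens[0] == "not":
            result, tokens = self._parse_not(tokens[1:], depth)
            return not result, tokens
        return self._parse_atom(tokens, depth)

    def _parse_atom(self, tokens, depth):
        if not tokens:
            raise ValueError("unexpected end of rule")
        if tokens[0] == "(":
            result, tokens = self._parse_or(tokens[1:], depth)
            if not tokens or tokens[0] != ")":
                raise ValueError("missing ')'")
            return result, tokens[1:]
        return self._check(tokens[0], depth), tokens[1:]

    def _check(self, token, depth):
        """Evaluate one 'kind:match' check ('@' always passes, '!' always fails)."""
        if token in ("@", "!"):
            return token == "@"
        kind, _, match = token.partition(":")
        if kind == "rule":
            return self._eval_named(match, depth)
        if kind == "role":
            result = match in self.creds.get("roles", [])
        else:
            tmpl = TEMPLATE_RE.fullmatch(match)
            if tmpl:  # %(key)s: substitute from the target; a missing key fails the check
                if tmpl.group(1) not in self.target:
                    self.trace.append(f"{'  ' * depth}{token}: target has no {tmpl.group(1)!r} -> False")
                    return False
                match = str(self.target[tmpl.group(1)])
            result = kind in self.creds and str(self.creds[kind]) == match
        self.trace.append(f"{'  ' * depth}{token} -> {result}")
        return result


def which_rules_apply(action, creds, target=None, policy=SAMPLE_POLICY):
    """Return (allowed, trace) for one action; the trace lists every check evaluated."""
    ev = PolicyEvaluator(policy, creds, target)
    return ev.enforce(action), ev.trace


if __name__ == "__main__":
    for label, creds in [("project-scoped admin", PROJECT_SCOPED_ADMIN),
                         ("domain-scoped cloud_admin", DOMAIN_SCOPED_CLOUD_ADMIN)]:
        allowed, trace = which_rules_apply("identity:create_domain", creds)
        print(f"{label}: identity:create_domain -> {allowed}\n" + "\n".join(trace))
```

To check a real deployment's policy, replace `SAMPLE_POLICY` with `load_policy("/etc/keystone/policy.json")` and build the creds dict from the token you are debugging (`openstack token issue` shows its scope); a `domain_id` check evaluating to False because the key is absent from the creds is the signature of a project-scoped token being used where the sample policy expects a domain-scoped one.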

