How to set up domains in Train
Hi,
I am trying to set up domains in keystone so that I can create Domain Admins and they can manage users/projects in their domains only. Looks like policy.json is deprecated; does anyone have instructions or an example policy.yaml file that I can refer to in order to set up domains? I tried it right out of the box, but it looks like if I give the admin role to a domain admin, he can modify all system-wide roles etc. Any help to get the ball rolling for us will be appreciated. Thanks
policy.json is not obsolete, as far as I know. However, policy.v3cloudsample.json has been removed; its rules are supposed to be implemented in Keystone's default policy now. See release notes.
A user with admin role in the domain scope should do the trick. How do you create your domain admin?
I created a new domain and a user under that domain, and gave that user the global admin role. Do I need to create domain-specific roles every time I create a new domain? If yes, how will a domain admin assign the swiftoperator role (or any other role that's defined in the swift config file) to its domain user?
To make a user domain admin, give it the admin role in the domain scope. I guess you gave it the admin role in a project scope, which results in the user being global admin. To confirm that my suspicion is correct, I asked you how you created the domain admin. Your answer is too vague.
Try this:
Apologies for the late reply; the ask site was down last month, then I was away after that. I tried as suggested but am getting an error:
# openstack domain create --description "test domain" testdomain
# openstack user create --domain testdomain --password-prompt testdomainadmin