Domain usage to restrict admin features

asked 2013-12-11 00:37:57 -0600


Hi,

I'm trying to use the domain stuff with a simple scenario and didn't work out how to set up the system and get it working. I need to have a cloud admin, several domains, and users who are admin in some domain only (one user as an admin for one domain only). The requirements for the cloud admin and domain admin:

1. Cloud admin should be able to create domains.
2. Cloud admin should be able to assign a user as a domain admin.
3. Domain admin should be able to:
   a. Create projects inside the domain.
   b. Assign user roles to projects inside the domain.
   c. List projects as part of operation 3.b (it would be nice to restrict the output to projects in the domain only).
   d. List users and roles to perform 3.b.
   e. Remove a user's role from a project.
4. Domain admin shouldn't be able to do anything in domains it doesn't own.

Is this a reasonable use case? And is it possible to implement it using Havana?

Some issues I have already met:

1. A user that is not in the default domain is not able to authenticate from the CLI (https://bugs.launchpad.net/python-ope...).
2. If I change the keystone endpoints to V3, some OpenStack components stop working (like the keystone client).
3. It's not possible to have two sets of endpoints for keystone, V2 and V3 (like for compute), so that glance can use V2 and V3 is used from the CLI only.
4. I fixed issues 1 and 2 manually (code change). But still, if a user is assigned the admin role on a domain only, not on a project, it's impossible to invoke any command using the CLI: it requires a project to be specified.
5. If I fix 4 manually, it says that the management URL is not available for such an authorization.
6. If I add the user as an admin to any project inside the domain, this user is able to list all projects for all domains, and is actually able to do anything with the cloud. I tried to play with policy.json, but still no success.

The commands that I ran in order to prepare the domains and users:

export OS_AUTH_URL=http://10.0.2.15:5000/v3
#create domains and users
openstack --os-identity-api-version 3 --os-url http://10.0.2.15:35357/v3 --os-token openstack domain list
openstack --os-identity-api-version 3 --os-url http://10.0.2.15:35357/v3 --os-token openstack domain create dom1
openstack --os-identity-api-version 3 --os-url http://10.0.2.15:35357/v3 --os-token openstack user create --password qwerty --domain dom1 dom1user
#assign user to domain
openstack --os-identity-api-version 3 --os-url http://10.0.2.15:35357/v3 --os-token openstack role add --user dom1user --domain dom1 admin


4 answers


answered 2014-02-15 06:34:25 -0600


Link where I described the details of how the problem was solved: http://www.mirantis.com/blog/manage-o...


answered 2013-12-13 19:55:27 -0600


I finally got my things working using curl. There is one thing that was a bit unclear from the documentation: query filters provided with the URL are part of the target. And also the policy.json sample for the V3 API has some issues. After fixing those, everything works fine for my purpose. Guys, you'd better fix the openstack client for domains instead of changing tenant_id back to project_id (was it in Essex the first time?) :).


answered 2013-12-11 19:29:23 -0600


BTW, I noticed that I forgot to modify policy.json. That resolved issue 6, but considering that I can't get the openstack client working and use curl for now, domain_id is not passed to the policy rule checker. So when I invoke

curl -si -X POST -H "Content-Type: application/json" -d '{"auth": {"scope": {"project": {"domain": {"name": "dom1"}, "name": "dom1project"}}, "identity": {"password": {"user": {"domain": {"name": "dom1"}, "password": "qwerty", "name": "dom1user"}}, "methods": ["password"]}}}' http://127.0.0.1:5000/v3/auth/tokens | awk '/X-Subject-Token/ {print $2}'

and then

curl -X GET -H "X-Auth-Token:1855a8f034d54c74ac49a63640b40506" http://10.0.2.15:5000/v3/users/b4f24c...

the domain is not part of the credentials. Print message from the rules:

Credentials: {'project_id': u'd9ec684e2f37472cb84638b76b907e90', 'user_id': u'b4f24ca4a35642a6a375ab1a02dda0c5', 'roles': [u'admin']}
Rule identity:get_user ()
Target: {'target.user.enabled': True, 'target.user.domain_id': u'8efa82050cf64c6580cb7d4bee7e3f4f', 'user_id': u'b4f24ca4a35642a6a375ab1a02dda0c5', 'target.user.name': u'dom1user', 'target.user.id': u'b4f24ca4a35642a6a375ab1a02dda0c5'}

The rule is "identity:get_user": [["rule:admin_required", "domain_id:%(target.user.domain_id)s"]],

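Added example (not from the thread above and not Keystone's own code): a minimal re-implementation of the policy.json check semantics that the debug output in the answer above shows, so the two failure modes in this thread can be reproduced offline. The "identity:get_user" rule, the target dict and the project-scoped credentials are copied from the printed rule-checker output; the "identity:list_projects" rule, the domain-scoped credentials and the second domain id are assumptions constructed here to illustrate (a) why a project-scoped token never satisfies a domain_id check, which is the cross-domain leak described as issue 6 in the question, and (b) why the URL query filter must be present when it is part of the target, as the accepted answer notes. The evaluator mirrors the three check kinds used by the Havana-era engine (rule:, role:, and the generic creds-vs-target comparison); it is not the real oslo/keystone policy module.

```python
import ast

# Constructed policy fragment in the Havana-era list-of-lists syntax:
# the outer list is an OR of alternatives, each inner list an AND of checks.
# "identity:get_user" is the rule quoted in the answer above;
# "identity:list_projects" is an assumed rule of the same shape, added here
# to show the "query filters are part of the target" point.
POLICY = {
    "admin_required": [["role:admin"]],
    "identity:get_user": [["rule:admin_required",
                           "domain_id:%(target.user.domain_id)s"]],
    "identity:list_projects": [["rule:admin_required",
                                "domain_id:%(domain_id)s"]],
}


def _check(expr, creds, target):
    """Evaluate one 'kind:match' check against credentials and target."""
    kind, _, match = expr.partition(":")
    if kind == "rule":                       # reference to another named rule
        return enforce(match, creds, target)
    if kind == "role":                       # role membership from the token
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # Generic check: fill %(...)s from the target, compare with creds[kind].
    try:
        wanted = match % target
    except KeyError:                          # e.g. no ?domain_id= filter sent
        return False
    try:
        have = ast.literal_eval(kind)         # literal on the left, e.g. True
    except (ValueError, SyntaxError):
        have = creds
        for part in kind.split("."):          # dotted lookup into credentials
            if not isinstance(have, dict) or part not in have:
                return False                  # attribute absent -> deny
            have = have[part]
    return wanted == str(have)


def enforce(rule, creds, target):
    """Return True if `rule` allows `creds` to act on `target`."""
    alternatives = POLICY.get(rule)
    if alternatives is None:                  # unknown rule -> deny
        return False
    if not alternatives:                      # [] means always allowed
        return True
    return any(all(_check(e, creds, target) for e in conj)
               for conj in alternatives)


# Values taken from the debug output quoted in the answer above.
DOM1_ID = "8efa82050cf64c6580cb7d4bee7e3f4f"
USER_ID = "b4f24ca4a35642a6a375ab1a02dda0c5"
TARGET_USER = {
    "target.user.enabled": True,
    "target.user.domain_id": DOM1_ID,
    "user_id": USER_ID,
    "target.user.name": "dom1user",
    "target.user.id": USER_ID,
}
# Project-scoped token, exactly as printed by the rule checker on the page:
# it carries project_id but no domain_id.
PROJECT_SCOPED = {"project_id": "d9ec684e2f37472cb84638b76b907e90",
                  "user_id": USER_ID, "roles": ["admin"]}
# Assumed domain-scoped token for the same user (what a domain admin should use).
DOMAIN_SCOPED = {"domain_id": DOM1_ID, "user_id": USER_ID, "roles": ["admin"]}
# Constructed id for a second domain that dom1user does not administer.
OTHER_DOMAIN_ID = "0000000000000000000000000000dead"
OTHER_DOMAIN_ADMIN = {"domain_id": OTHER_DOMAIN_ID, "user_id": "someone-else",
                      "roles": ["admin"]}


def scenarios():
    """Each case maps to the True/False decision of enforce()."""
    return {
        # Issue from the page: project-scoped admin, creds lack domain_id.
        "get_user/project_scoped": enforce("identity:get_user", PROJECT_SCOPED, TARGET_USER),
        # Same user, domain-scoped token: domain_id matches the target user's domain.
        "get_user/domain_scoped": enforce("identity:get_user", DOMAIN_SCOPED, TARGET_USER),
        # Admin of another domain must not read dom1's users (requirement 4).
        "get_user/other_domain": enforce("identity:get_user", OTHER_DOMAIN_ADMIN, TARGET_USER),
        # GET /v3/projects?domain_id=<dom1>: the filter becomes target["domain_id"].
        "list_projects/own_domain_filter": enforce("identity:list_projects", DOMAIN_SCOPED, {"domain_id": DOM1_ID}),
        "list_projects/other_domain_filter": enforce("identity:list_projects", DOMAIN_SCOPED, {"domain_id": OTHER_DOMAIN_ID}),
        # GET /v3/projects with no filter: target has no domain_id, so denied.
        "list_projects/no_filter": enforce("identity:list_projects", DOMAIN_SCOPED, {}),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:40s} {'ALLOW' if allowed else 'DENY'}")
```

The practical reading: a rule of the form domain_id:%(target....)s can only ever pass for a token that carries domain_id, i.e. one obtained with a "domain" scope in the auth request rather than the "project" scope used in the curl call above; and when the rule compares against %(domain_id)s from the query string, a request without that filter is denied rather than silently widened to all domains.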

Last updated: Feb 15 '14