How to define project-admin role?

asked 2014-08-08 12:35:25 -0600

Dseven

I want to be able to define policies such that a user who is designated an admin for a given project can perform some "advanced" functions that a regular user within that project should not be allowed to perform.

The "out of box" rules like:

"admin_or_owner":  "role:admin or project_id:%(project_id)s",

match if the user has the "admin" role for any project.

I'm failing to find a way to define a rule that matches only if the user has a role assigned for the specific project owning the resource targeted by the API call. I'm envisioning something like:

"context_is_project_admin":  "role:admin:%(tenant_id)s",


"context_is_project_admin":  "role:project_admin:%(tenant_id)s",

but I've not found any documented way to do this. Does one exist?


1 answer


answered 2014-08-17 20:40:16 -0600

You should read about OpenStack Domains:

They require Keystone v3.0.

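As an added example (not part of the original question or answer, and not oslo.policy's own code), this is a simplified model of how the `role:` and `project_id:%(project_id)s` checks quoted in the question evaluate. It assumes the credentials come from a project-scoped token that carries only the roles held on that project; the `and` rule, the token names and the project ids are constructed for illustration.

```python
import re

def check(atom, creds, target):
    """Evaluate one 'kind:match' check in the style of the rules quoted above."""
    kind, match = atom.split(":", 1)
    if kind == "role":
        # Role check: looks only at the roles carried by the token.
        return match.lower() in (r.lower() for r in creds["roles"])
    # Generic check: fill in the target attribute, compare with the credential.
    try:
        expected = match % target
    except KeyError:
        return False
    return str(creds.get(kind)) == expected

def enforce(rule, creds, target):
    """Simplified evaluator: 'and' binds tighter than 'or'; no parentheses or 'not'."""
    return any(
        all(check(a.strip(), creds, target) for a in re.split(r"\s+and\s+", alt))
        for alt in re.split(r"\s+or\s+", rule)
    )

# The rule from the question, and an assumed variant that ties the role to the
# project owning the target resource.
OUT_OF_BOX = "role:admin or project_id:%(project_id)s"
PROJECT_ADMIN = "role:project_admin and project_id:%(project_id)s"

TARGET = {"project_id": "proj-b"}  # constructed: resource owned by proj-b

# Constructed credentials, one per project-scoped token.
TOKENS = {
    "admin_of_a": {"project_id": "proj-a", "roles": ["admin"]},
    "padmin_of_a": {"project_id": "proj-a", "roles": ["project_admin"]},
    "padmin_of_b": {"project_id": "proj-b", "roles": ["project_admin"]},
    "member_of_b": {"project_id": "proj-b", "roles": ["Member"]},
}

def decisions(rule):
    """Return {token name: allowed?} for the given rule against TARGET."""
    return {name: enforce(rule, creds, TARGET) for name, creds in TOKENS.items()}

if __name__ == "__main__":
    for label, rule in (("out of box", OUT_OF_BOX), ("project admin", PROJECT_ADMIN)):
        print(label, decisions(rule))
```

Under the `or` rule an admin token scoped to `proj-a` is allowed on the `proj-b` resource, and so is every member of `proj-b`; under the `and` rule only the `project_admin` token scoped to `proj-b` is allowed.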

Seen: 809 times

Last updated: Aug 08 '14