Ask Your Question
0

How to define project-admin role?

asked 2014-08-08 12:35:25 -0500

Dseven gravatar image

I want to be able to define policies such that a user who is designated an admin for a given project can perform some "advanced" functions that a regular user within that project should not be allowed to perform.

The "out of box" rules like:

"admin_or_owner":  "role:admin or project_id:%(project_id)s",

match if the user has the "admin" role for any project.

I'm failing to find a way to define a rule that matches only if the user has a role assigned for the specific project owning the resource targeted by the API call. I'm envisioning something like:

"context_is_project_admin":  "role:admin:%(tenant_id)s",

or:

"context_is_project_admin":  "role:project_admin:%(tenant_id)s",

but I've not found any documented way to do this. Does one exist?

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted
0

answered 2014-08-17 20:40:16 -0500

You should read about OpenStack Domains: https://wiki.openstack.org/wiki/Domains

They require Keystone v3.0.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2014-08-08 12:35:25 -0500

Seen: 672 times

Last updated: Aug 08 '14