Ask Your Question
1

Is there a way to allow non-admin to create some sub-projects ?

asked 2015-04-21 09:55:58 -0600

TristanLT gravatar image

Hi, I use KeystoneV3 and Juno on Ubuntu 14.04. I wish allows all users to lists and creates projects into a defined root project. Root project is named "testzone".

I've try this couple of rules :

"inprojectzone": "'84a51db0fc4747b48e72fe45f35892e2':%(target.project.parents)s",
...
"identity:create_project": "rule:admin_required or rule:inprojectzone",

I've tried target.project.parents or target.project.parent_id without results...

Here is the code used to try to create projects

parent=admclient.projects.list(name='freezone')[0]
# ok
admclient.projects.create(domain="default", name="oui", description='My test projects', parent=parent)

Keystone answers 

keystoneclient.openstack.common.apiclient.exceptions.Forbidden: You are not authorized to perform the requested action: identity:create_project

Is there a way to allows sub-projects creation to role or all into a defined project ?

Thank you, Tristanlt

edit retag flag offensive close merge delete
add a comment

1 answer

Sort by ยป oldest newest most voted
1

answered 2015-04-21 18:45:13 -0600

raul.flores gravatar image

With Keystone v3 you could use the Domains concept to isolate users from projects. You could have an admin user in Domain1 and they can create projects, users, etc. but they would not be able to do that in Domain2.

This Post provides more information and examples.

Also, the Identity API docs provide more information.

edit flag offensive delete link more

Comments

Thank you, this sound good for me. I've created domain "Projets" and I've added this rules : 

   "in_projects_domain": "'b233cc6978fa45cfb9b4beb0698f93b0':%(target.project.domain_id)s",
    "identity:create_project": "rule:admin_required or rule:in_projects_domain",

Without results. I'm wrong?

TristanLT gravatar imageTristanLT ( 2015-04-26 07:59:20 -0600 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2015-04-21 09:55:58 -0600

Seen: 448 times

Last updated: Apr 21 '15

Related questions

How to authorize keystone users to access their swift objects

Cannot find a valid baseurl for repo: openstack-stein/7Server/x86_64 [closed]

Keystone: unable to use the public endpoint

How to implement enforcement policy in open stack congress?

openstack group contains user command returns empty on LDAP groups

my nova doesn't work now, shows url's project_id doesn't match context's project_id. The url's project_id I thought is the role of admin added to the nova at tenant service, but my question is, how can I check the "context's project_id"?

A massive 35GB keystone/token.ibd, what happened?

Wrong ScalingPolicy alarm_url

How to change Keystone

ERROR: openstackclient.shell Exception raised: (pbr 0.11.0 (/usr/local/lib/python2.7/dist-packages), Requirement.parse('pbr>=1.6')