Ask Your Question

Keystone API v3: Limiting access to domain only

asked 2015-05-18 06:53:57 -0500

RadekS gravatar image

I have an application that is creating new projects in OpenStack and then resources in those projects, e.g. VMs, nets, etc.

This OpenStack is also used by other users who don't use this app and therefore the app should not be able to access their projects, resources.

Currently the app uses Keystone v2 API and just one admin OpenStack account -- which is the problem.

After reading about Keystone v3 API, I thought that I will just create an OpenStack domain for the app (let's call it app-domain) and the app will be requesting app-domain scoped tokens. I expected that then it will not be possible for the app to access resources outside the domain. But it seems that I am wrong.

What I have done via the API against RDO IceHouse 2014.1.3-3.el6:

  • get an unscoped token for the admin user
  • using the unscoped token:
    • create the app-domain
    • create a user assigned with the domain (no default project specified)
    • grant the admin role to that domain user
  • then I authenticated again, this time as the domain user and I specified scoping of the token to the app-domain

And then with this domain-scoped token I was able to e.g. create a new domain and remove a project that I created via UI, in the v2 "default" domain.

So I probably completely missed the domain concept and scoping. Can you please enlighten me on that and give me some hints whether I can achieve such an (domain) isolation for the app that uses just one OpenStack account?

Thanks a lot!

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2015-05-18 11:06:25 -0500

RadekS gravatar image

Solved, the following blog provides a very nice description. It is needed to create one more layer of the domains & users and also modify the policy file to enforce domain policy.

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2015-05-18 06:53:57 -0500

Seen: 1,133 times

Last updated: May 18 '15