
locked out situation with default domain?

asked 2015-07-07 08:36:07 -0600


Let's say I have the cloud admin policy in place for Keystone where my cloud admin is the user with admin role in the default domain scope.

If I disable the default domain, the cloud admin cannot log back in. While other domains are still operational, the default domain is forever lost? (in terms of the cloud admin being able to log in with a token scoped to the default domain).

Is there a way out of that situation?


1 answer


answered 2015-07-07 12:09:10 -0600

updated 2015-07-07 21:01:26 -0600

Who can disable the cloud_admin domain? Only cloud_admin can do it. That means you know what you are doing and its implications. Isn't this the same as disabling the root password/ssh and then trying to log in via root/ssh?

To answer your question, you can do this in many ways:

1) You can change the enabled attribute for domain in database directly

2) Keystone has AdminTokenMiddleware, if you have this middleware enabled, you can change it to enabled via REST API. The value of admin_token is configured in keystone.conf

3) Change the policy file to make another domain the "cloud_admin" domain and restart Keystone. Using that credential, you can now enable the "default" domain.

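Option 2 from the answer above, as an added example that is not part of the original answer or of Keystone's own code: it checks which paste pipelines still expose the admin-token filter and builds the Identity v3 `PATCH /v3/domains/default` request that re-enables the domain. The endpoint, the token placeholder and the sample `keystone-paste.ini` fragment are constructed assumptions; `admin_token_auth` is the filter name this sketch assumes for the middleware the answer mentions.

```python
import configparser
import json
import urllib.request

# Constructed sample of a keystone-paste.ini fragment (not taken from the page).
SAMPLE_PASTE_INI = """
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[pipeline:public_api]
pipeline = sizelimit url_normalize token_auth json_body service_v2

[pipeline:api_v3]
pipeline = sizelimit url_normalize token_auth admin_token_auth json_body service_v3
"""

def pipelines_with_admin_token(paste_ini_text):
    """Return the names of paste pipelines that include admin_token_auth."""
    cp = configparser.RawConfigParser()
    cp.read_string(paste_ini_text)
    return sorted(
        section.split(":", 1)[1] for section in cp.sections()
        if section.startswith("pipeline:")
        and "admin_token_auth" in cp.get(section, "pipeline", fallback="").split()
    )

def build_enable_domain_request(endpoint, admin_token, domain_id="default"):
    """Build the PATCH /v3/domains/{id} request that sets enabled=true."""
    body = json.dumps({"domain": {"enabled": True}}).encode()
    return urllib.request.Request(
        f"{endpoint.rstrip('/')}/v3/domains/{domain_id}",
        data=body, method="PATCH",
        headers={"X-Auth-Token": admin_token, "Content-Type": "application/json"},
    )

def enable_domain(endpoint, admin_token, domain_id="default"):
    """Send the request and return the 'enabled' flag Keystone reports back."""
    req = build_enable_domain_request(endpoint, admin_token, domain_id)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["domain"]["enabled"]

if __name__ == "__main__":
    # Hypothetical endpoint and token placeholder; substitute your own values.
    print("admin_token_auth in:", pipelines_with_admin_token(SAMPLE_PASTE_INI))
    req = build_enable_domain_request("http://keystone.example:35357", "ADMIN_TOKEN_PLACEHOLDER")
    print(req.get_method(), req.full_url, req.data.decode())
```

The admin token bypasses policy entirely, so any pipeline the check still reports after recovery is worth removing from the paste configuration, along with rotating the `admin_token` value in keystone.conf.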


