Default Domain ID must be "default"

asked 2016-10-28 03:27:16 -0500

theque42
79 ●21 ●28 ●29

I've run into conflicting information about the creation of the Default domain, whether it should be manually created with the openstack domain create command, or wether it is created by keystone-manage bootstrap to ensure that the ID becomes default, instead of a normal UUID.

But even the latest newtons docs indicate that you should use the openstack command, even though I have run into problems where the CLI complains on not finding the domain "default".

My default domain's name is Default(with a UUID), so the name/id 'default' seems to be hard-coded in there somewhere, anyway...?

It would be kind of helpful if the manuals or bootstrap commands created TWO admins. One domain-wide, and one domain-native administrator, since it's not exactly clear how to create a domain wide admin, and/or if it can be the same user?

answered 2016-10-31 14:34:08 -0500

volenbovsky
411 ●1 ●8

Hi, -you should not be creating default domain and your service users should belonging to this one -Well, 'default' you can perceive hardcoded because likely in your Keystone policy file and then you will see something else "cloud_admin": "rule:admin_required and domain_id:default" Use http://richmegginson.livejournal.com/25846.html (http://richmegginson.livejournal.com/...) ".... If you want to use your new users domain, use the domain id value from when you created that domain, which is usually a long base-16 string of hexadecimal digits, something like this: { "admin_required": "role:admin", "cloud_admin": "rule:admin_required and domain_id:ad8d0d5fd7e84273a9c1024083743480", "service_role": "role:service",

You will need to restart Keystone for the policy changes to take effect."

See also https://www.rdoproject.org/documentation/domains/ (https://www.rdoproject.org/documentat...)

edit flag offensive delete link

Comments

I dont think you understood my question. When you install your cloud, your default domain can be created either by the command keystone-manage bootstrap, which will create the Default domain, with the id set to the string "default" not a UUID. OR you can use plain "openstack domain create".

theque42 ( 2016-11-05 03:41:36 -0500 )edit

The latter creates the domain with a normal UUID. In the past, I am fairly certain that the id for the Default domain was set to "default", and I am suspecting that there are code somewhere which still believes this. But current documentation for installing does NOT indicate the bootstrap command.

theque42 ( 2016-11-05 03:43:18 -0500 )edit

By the way, I am quite certain that you do NOT need restart the keystone service for policies to take effect.

theque42 ( 2016-11-05 03:45:55 -0500 )edit

Thanks for the links btw, but unfortunately they dont help much in 2016, when one of them is a year old. Openstack is moving way to fast to believe that those instructions are up2date. The RDO-link is worse. Their "Create a project as a domain admin", ends with: You are not authorized to perform...

theque42 ( 2016-11-05 06:45:09 -0500 )edit

It is not clear what your question is. anyway maybe some comments will be helpful: -current documentation does not indicate keystone-manage bootstrap command because that is command is for upgrade cases wwww.blueprints.launchpad.net/keystone/+spec/default-domain Otherwise it just there after install

volenbovsky ( 2016-11-07 15:23:23 -0500 )edit

see more comments

1 answer

Comments

Your Answer

Get to know Ask OpenStack

Question Tools

Stats

Related questions

Feedback About This Page

OpenStack

Community

Documentation

Branding & Legal

Default Domain ID must be "default" edit

1 answer

Comments

Your Answer

Get to know Ask OpenStack

Question Tools

Stats

Related questions

Feedback About This Page

OpenStack

Community

Documentation

Branding & Legal

Default Domain ID must be "default"