Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

Domain usage to restrict admin features


I'm trying to use domain staff, with a simple scenario and didn't get how to setup the system and get it workable. I need to have cloud admin, several domains, and users who are admin in some domain only (one user as an admin for one domain only). The requirement for the cloud admin and domain admin: 1. Cloud admin should be able to create domains 2. Cloud admin should be able to assign user as a domain admin. 3. Domain admin should be able: a. Create projects inside the domain b. Assign users role to project inside the domain c. List projects as part of operation 3.b (it would be nice to restrict output to projects in domain only) d. List users and roles to perform 3.b. e. Remove user role from project. 4. Domain admin shouldn't be able to do anything in the not owned domains.

Is it reasonable usecase? And is it possible to implement using Havana?

Some issues I already met. 1. User that is not in the default domain is not able to authenticate from cli ( 2. If I change endpoints for keystone to V3, some components from OpenStack are not workable (like keystone client). 3. It's not possible to have 2 sets in endpoints for keystone - V2 and V3 (like for compute), so that glance can use v2 and use V3 from CLI only. 4. I fixed issue 1 and 2 manually (code change). But still if user is assigned with an admin role to domain only, not to project, it's impossible to invoke any command using CLI - it requires to specify project. 5. If I fix 4 manually, it say that management URL is not available for such authorization. 6. If I add user as an admin to any project inside the domain - this user is able to list all projects for all domains, and actually is able to do anything with the cloud. I tried to play with policy.json, but still no success.

The commands that I ran in order to prepare domains and users: export OS_AUTH_URL=

create domains and users

openstack --os-identity-api-version 3 --os-url --os-token openstack domain list openstack --os-identity-api-version 3 --os-url --os-token openstack domain create dom1 openstack --os-identity-api-version 3 --os-url --os-token openstack user create --password qwerty --domain dom1 dom1user

assign user to domain

openstack --os-identity-api-version 3 --os-url --os-token openstack role add --user dom1user --domain dom1 admin