skashaba's profile - activity

2015-11-03 08:23:19 -0600 received badge  Famous Question (source)
2015-05-20 03:06:04 -0600 received badge  Nice Question (source)
2014-10-30 16:34:02 -0600 received badge  Notable Question (source)
2014-10-30 16:34:02 -0600 received badge  Popular Question (source)
2014-09-01 04:59:56 -0600 received badge  Enthusiast
2014-08-27 05:36:53 -0600 received badge  Famous Question (source)
2014-08-27 05:36:33 -0600 received badge  Supporter (source)
2014-06-13 23:18:12 -0600 received badge  Notable Question (source)
2014-05-07 03:40:37 -0600 received badge  Popular Question (source)
2014-02-15 06:34:25 -0600 answered a question Domain usage to restrict admin features

Link where I described the details of how the problem was solved: http://www.mirantis.com/blog/manage-o...

2014-01-28 22:11:20 -0600 asked a question Does Horizon support domain admin?

Hello Horizon community group,

I'm trying to use Horizon with a deployment with domain support (using the v3 keystone API and policy.v3cloudsample.json as a reference for keystone's policy.json). I figured out that I can't find a way to log in to Horizon with a user who is assigned as an admin for a domain, not for a project. Is it possible with Horizon at all? Does Horizon support admin functionality for a deployment with domains and with the appropriate keystone policy.json? Did I miss something important in the documentation?

Being a project admin doesn't help since obviously only the cloud admin should be able to perform some operations like listing domains. And according to keystone, the cloud admin is a user who is assigned as an admin for a specific domain. See below the rules for the cloud admin definition in keystone (important is that domain_id is passed to the rule checker only if the token is obtained with a domain scope, not a project one, or if a query is specified in the URL, which is a different case).

    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "identity:get_domain": "rule:cloud_admin",
    "identity:list_domains": "rule:cloud_admin",
    "identity:create_domain": "rule:cloud_admin",
    "identity:update_domain": "rule:cloud_admin",
    "identity:delete_domain": "rule:cloud_admin",

As a result Horizon constantly gets a 403 ("You are not authorized to perform the requested action, identity:list_domains.") answer when trying to list domains, list projects and others.

Generally it seems that some features, essential for domain level administration, are missing. Like:

1. Be able to work with a token with a domain scope, not a project scope
2. As a domain admin I should be able to manage only projects, users and other resources owned by the domain (so queries in some URLs are required, like curl -X GET -H "X-Auth-Token:$MYTOKEN" http://127.0.0.1:5000/v3/projects?dom... )

Thanks in advance.

2013-12-13 19:55:27 -0600 answered a question Domain usage to restrict admin features

I finally got my things working using curl. There is one thing that was a bit unclear from the documentation - query filters provided with the URL are part of the target. And also the policy.json sample for the V3 API has some issues. After fixing, everything works fine for my purpose. Guys - you'd better fix the openstack client for domains instead of changing tenant_id back to project_id (was it in essex first time?) :).

2013-12-11 19:29:23 -0600 answered a question Domain usage to restrict admin features

BTW, I noticed that I forgot to modify policy.json. It resolved issue 6, but considering I can't get the openstack client working and use curl for now, domain_id is not passed to the policy rule checker, so when I invoke

    curl -si -X POST -H "Content-Type: application/json" -d '{"auth": {"scope": {"project": {"domain": {"name": "dom1"}, "name": "dom1project"}}, "identity": {"password": {"user": {"domain": {"name": "dom1"}, "password": "qwerty", "name": "dom1user"}}, "methods": ["password"]}}}' http://127.0.0.1:5000/v3/auth/tokens | awk '/X-Subject-Token/ {print $2}'

and then

    curl -X GET -H "X-Auth-Token:1855a8f034d54c74ac49a63640b40506" http://10.0.2.15:5000/v3/users/b4f24c...

Domain is not part of the credentials. Print message from the rules:

    Credentials: {'project_id': u'd9ec684e2f37472cb84638b76b907e90', 'user_id': u'b4f24ca4a35642a6a375ab1a02dda0c5', 'roles': [u'admin']}
    Rule identity:get_user ()
    Target: {'target.user.enabled': True, 'target.user.domain_id': u'8efa82050cf64c6580cb7d4bee7e3f4f', 'user_id': u'b4f24ca4a35642a6a375ab1a02dda0c5', 'target.user.name': u'dom1user', 'target.user.id': u'b4f24ca4a35642a6a375ab1a02dda0c5'}

The rule is:

    "identity:get_user": [["rule:admin_required", "domain_id:%(target.user.domain_id)s"]],
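To make the 403 in the Horizon question and the empty-domain credentials in this answer concrete, here is an added example (not code from the thread, from Keystone or from oslo.policy): a tiny evaluator for the subset of policy.json rule syntax the thread quotes (role:, domain_id:, rule:, "and", and %(target.…)s substitution), run against constructed project-scoped and domain-scoped credentials. The list-of-lists form of identity:get_user quoted above is written in the equivalent "a and b" string form; the credential and domain ids are constructed placeholders.

```python
# Added example: minimal evaluator for the policy.json subset quoted in the thread.
# Real Keystone uses oslo.policy, which also supports "or", "not" and other checks.

# Rules quoted in the thread (policy.v3cloudsample.json style). The sample file's
# literal "admin_domain_id" is meant to be replaced with the real admin domain's
# id; it is kept as a placeholder here and reused in the constructed credentials.
POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "identity:list_domains": "rule:cloud_admin",
    "identity:get_user": "rule:admin_required and domain_id:%(target.user.domain_id)s",
}


def check(expr, creds, target):
    """Return True only if every 'kind:value' atom joined by ' and ' passes."""
    expr = expr % target  # fill %(target.user.domain_id)s from the target dict
    for atom in expr.split(" and "):
        kind, value = atom.split(":", 1)
        if kind == "rule":
            ok = check(POLICY[value], creds, target)
        elif kind == "role":
            ok = value in creds.get("roles", [])
        else:
            # domain_id:/project_id: compare against the same-named credential.
            # A project-scoped token carries no domain_id, so this is what fails.
            ok = creds.get(kind) == value
        if not ok:
            return False
    return True


def enforce(action, creds, target=None):
    """Mimic Keystone's allow/403 decision: True means the action is allowed."""
    return check(POLICY[action], creds, target or {})


# Constructed credentials: what a project-scoped vs. a domain-scoped token yields.
PROJECT_SCOPED = {"user_id": "u1", "project_id": "p1", "roles": ["admin"]}
CLOUD_ADMIN = {"user_id": "u1", "domain_id": "admin_domain_id", "roles": ["admin"]}
DOM1_ADMIN = {"user_id": "u2", "domain_id": "dom1-id", "roles": ["admin"]}
DOM1_USER_TARGET = {"target.user.domain_id": "dom1-id", "target.user.name": "dom1user"}

if __name__ == "__main__":
    print(enforce("identity:list_domains", PROJECT_SCOPED))           # False -> the 403
    print(enforce("identity:list_domains", CLOUD_ADMIN))              # True
    print(enforce("identity:get_user", DOM1_ADMIN, DOM1_USER_TARGET))  # True
```

The last check also shows requirement 4 from the original question: an admin scoped to a different domain fails identity:get_user for a dom1 user because the target's domain_id does not match the token's.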

2013-12-11 00:37:57 -0600 asked a question Domain usage to restrict admin features

Hi,

I'm trying to use the domain stuff with a simple scenario and didn't get how to set up the system and get it working. I need to have a cloud admin, several domains, and users who are admins in some domain only (one user as an admin for one domain only). The requirements for the cloud admin and domain admin:

1. Cloud admin should be able to create domains
2. Cloud admin should be able to assign a user as a domain admin.
3. Domain admin should be able to:
   a. Create projects inside the domain
   b. Assign user roles to a project inside the domain
   c. List projects as part of operation 3.b (it would be nice to restrict output to projects in the domain only)
   d. List users and roles to perform 3.b.
   e. Remove a user role from a project.
4. Domain admin shouldn't be able to do anything in domains it doesn't own.

Is it a reasonable use case? And is it possible to implement using Havana?

Some issues I already met:

1. A user that is not in the default domain is not able to authenticate from the CLI ( https://bugs.launchpad.net/python-ope... )
2. If I change the endpoints for keystone to V3, some components of OpenStack are not working (like the keystone client).
3. It's not possible to have 2 sets of endpoints for keystone - V2 and V3 (like for compute), so that glance can use v2 and V3 is used from the CLI only.
4. I fixed issues 1 and 2 manually (code change). But still, if a user is assigned an admin role to a domain only, not to a project, it's impossible to invoke any command using the CLI - it requires specifying a project.
5. If I fix 4 manually, it says that the management URL is not available for such an authorization.
6. If I add a user as an admin to any project inside the domain - this user is able to list all projects for all domains, and actually is able to do anything with the cloud. I tried to play with policy.json, but still no success.

The commands that I ran in order to prepare domains and users:

    export OS_AUTH_URL=http://10.0.2.15:5000/v3
    #create domains and users
    openstack --os-identity-api-version 3 --os-url http://10.0.2.15:35357/v3 --os-token openstack domain list
    openstack --os-identity-api-version 3 --os-url http://10.0.2.15:35357/v3 --os-token openstack domain create dom1
    openstack --os-identity-api-version 3 --os-url http://10.0.2.15:35357/v3 --os-token openstack user create --password qwerty --domain dom1 dom1user
    #assign user to domain
    openstack --os-identity-api-version 3 --os-url http://10.0.2.15:35357/v3 --os-token openstack role add --user dom1user --domain dom1 admin

2013-11-13 01:35:51 -0600 received badge  Taxonomist
2013-08-15 02:14:14 -0600 received badge  Famous Question (source)
2013-07-25 10:25:05 -0600 received badge  Notable Question (source)
2013-07-03 07:29:12 -0600 received badge  Popular Question (source)
2013-07-03 04:51:46 -0600 received badge  Student (source)
2013-07-02 11:16:37 -0600 asked a question Is it possible to use keystone both v2 and v3 api for grizzly?

Hi All,

Recently I tried to use the V3 version of the keystone API. To do this I modified the endpoints to V3, and the auth URL for all components was also set to keystone V3. But soon I realized that most probably V3 keystone is not supported, at least by nova-client (see https://bugs.launchpad.net/python-novaclient/+bug/1180908). Then I tried to set the novaclient auth URL to the V2 API and understood that it is useless since in reality the endpoints returned by keystone are used instead. Then I tried to find out if it is possible to have two subsets of keystone endpoints - one to be returned by the V3 API and another to be returned by the V2 API - and got stuck.

So my question is: how can I use both versions of the keystone API simultaneously (considering I can't use V3 for all components because other clients do not support the keystone V3 API)?

2011-12-22 14:06:31 -0600 answered a question keystone + glance index failed

I met the same problem. After some short debugging I saw that greenio expects the timeout as a float but a string is provided. So I fixed it by adding a manual conversion from str to float (File "/usr/local/lib/python2.7/dist-packages/keystone-2012.1-py2.7.egg/keystone/common/bufferedhttp.py", line 166, in http_connect_raw). The bug happens when a timeout is provided in glance-api.conf.