Thanks for the information, I'll definitely get to it. But right now
I'm having some trouble with domain_id in the keystone_policy.json. I
believe I'm also affected by this bug
https://bugs.launchpad.net/python-openstackclient/+bug/1538804
I switched to the stable/liberty policy.v3cloudsample.json because the
value for "token.is_admin_project:True or domain_id:admin_domain_id"
led to errors in authentication. Using "rule:admin_required and
domain_id:default" works if I use Horizon (I see the output in
keystone.log), but it fails to authenticate while using the CLI because
for some reason "domain_id" is never read by the client.
As a workaround I changed the rule to
"cloud_admin": "rule:admin_required and (domain_id:default or
user_domain_id:default)"
which seems to work fine, and I already tried it with user_id instead
of domain_id, but I can't predict the consequences. What is the
recommendation here until the CLI client is able to read domain_id?
Regards,
Eugen
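A simplified model of how `key:value` policy checks are matched against token credentials, added here as an illustration (it is not code from this thread, from Keystone or from oslo.policy); it evaluates the strict rule and the workaround rule from the message above against constructed credential sets. Assumptions: `admin_required` is `role:admin`, a project-scoped token carries `user_domain_id` but no `domain_id`, and the project and domain IDs are hypothetical.

```python
import re

# Rules as quoted in the message; "admin_required": "role:admin" is an assumption.
RULES = {
    "admin_required": "role:admin",
    "strict": "rule:admin_required and domain_id:default",
    "workaround": "rule:admin_required and (domain_id:default or user_domain_id:default)",
}

def check(atom, creds):
    """Evaluate one 'kind:match' check against a credentials dict."""
    kind, match = atom.split(":", 1)
    if kind == "rule":
        return evaluate(RULES[match], creds)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    return creds.get(kind) == match  # an absent key never matches

def evaluate(expr, creds):
    """Recursive descent over 'and' / 'or' / parentheses ('and' binds tighter)."""
    tokens, pos = re.findall(r"[()]|[^\s()]+", expr), 0
    def atom():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok != "(":
            return check(tok, creds)
        value = chain("or", lambda: chain("and", atom))
        pos += 1  # consume ")"
        return value
    def chain(op, operand):
        nonlocal pos
        value = operand()
        while pos < len(tokens) and tokens[pos] == op:
            pos += 1
            rhs = operand()  # always parse the operand so pos advances
            value = (value or rhs) if op == "or" else (value and rhs)
        return value
    return chain("or", lambda: chain("and", atom))

# Constructed credential sets (hypothetical IDs), one per token scope.
TOKENS = {
    "domain_scoped_admin": {"roles": ["admin"], "domain_id": "default", "user_domain_id": "default"},
    "project_scoped_admin": {"roles": ["admin"], "project_id": "proj-a", "user_domain_id": "default"},
    "other_domain_admin": {"roles": ["admin"], "project_id": "proj-b", "user_domain_id": "customer-x"},
}

def decisions(rule):
    """Map each sample token to the named rule's allow/deny result."""
    return {name: evaluate(RULES[rule], creds) for name, creds in TOKENS.items()}
```

Under these assumptions the workaround rule matches every admin-role token whose user lives in the default domain, whatever the token is scoped to, while the strict rule matches only the domain-scoped one.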
Quoting Timothy Symanczyk <timothy_symanc...@symantec.com>:
We implemented something here at Symantec that sounds very similar to what
you're both talking about. We have three levels of Admin - Cloud, Domain,
and Project. If you're interested in checking it out, we actually
presented on this topic in Austin.
The presentation : https://www.youtube.com/watch?v=v79kNddKbLc
All the referenced files can be found in our github here :
https://github.com/Symantec/Openstack_RBAC
Specifically, you may want to check out our keystone policy file that
defines cloud_admin, domain_admin and project_admin :
https://github.com/Symantec/Openstack_RBAC/blob/master/keystone/policy.json
Tim
On 6/20/16, 5:17 AM, "Eugen Block" <ebl...@nde.ag> wrote:
I believe you are trying to accomplish the same configuration as I do,
so I think domains are the answer. You can divide your cloud into
different domains and grant admin rights to specific users, which are
not authorized to see the other domains. Although I'm still not sure
if I did it correctly and it's not fully resolved yet, here is a
thread I started a few days ago:
http://lists.openstack.org/pipermail/openstack/2016-June/016454.html
Regards,
Eugen
Quoting Venkatesh Kotipalli <openstackvenkat...@gmail.com>:
Hi Folks,
Is it possible to create a project admin in OpenStack?
As we identified, whenever we create a project admin it shows the entire
cloud (like other users and all services, with complete admin access),
but I want to see the particular project users, admins and control all
the services.
Guys, please help me with this part. I am really very confused.
Regards,
Venkatesh.k
--
Eugen Block voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail : ebl...@nde.ag
Chairwoman of the Supervisory Board: Angelika Mozdzen
Registered office and court of registration: Hamburg, HRB 90934
Executive Board: Jens-U. Mozdzen
VAT ID No. DE 814 013 983
_______________________________________________
Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe :
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack