You have to make changes to the policy.json. I had to debug and create new roles etc. on my env, since the admin for project x can only manage domain x and is not able to see anything else.
Remo

Sent from my iPhone

> On 29 May 2017, at 08:09, Volodymyr Litovka <doka...@gmx.com> wrote:
>
> Hi friends,
>
> is there a way to define a domain's admin and restrict this person to accessing only
> his domain?
>
> At the moment (Ocata release), if I:
> - create a domain by 'openstack domain create devtest'
> - create a user in the domain by 'openstack user create udevtest --domain devtest --password xxxxxx'
> - create a project in the domain by 'openstack project create devmin --domain devtest'
> - assign role 'admin' to the user on both the domain and the project:
>   * openstack role add admin --user udevtest --domain devtest
>   * openstack role add admin --project-domain devtest --project devmin --user udevtest
>
> then, using user 'udevtest' credentials:
>
> OS_REGION_NAME=RegionOne
> OS_DEFAULT_DOMAIN=devtest
> OS_USER_DOMAIN_NAME=devtest
> OS_PROJECT_DOMAIN_NAME=devtest
> OS_PROJECT_NAME=devmin
> OS_USERNAME=udevtest
> OS_PASSWORD=xxxxxxxxx
>
> OS_AUTH_STRATEGY=keystone
> OS_IDENTITY_API_VERSION=3
> OS_AUTH_URL=http://controller:5000/v3
> OS_INTERFACE=internal
>
> I'm able to get a list of all users and projects in the 'default' domain and even
> more - add / delete users and projects in the 'default' domain.
>
> In fact, user 'udevtest' has nothing to do with domain 'default', but is assigned the global
> role 'admin' - probably that is the problem, because policy.json's rule
> 'admin_required' just checks for 'role:admin', which is true. On the other
> hand, if I create a role 'admin' specific to domain 'devtest' and assign it to the
> user on both the domain and the project in the domain, then I get the error "User
> f1c1cd3438c24255a2baa85f326dfc40 (which is udevtest) has no access to project
> 1dbbaf2fb0bc4d5da270e48d4a92bc62 (which is devmin)", so it seems local roles
> don't matter.
>
> Is the only way (I hope it's a legacy way :-) ) to change policy.json (as some
> pages on the Internet were suggesting), or am I doing something wrong?
>
> Thank you!
>
> --
> Volodymyr Litovka
> "Vision without Execution is Hallucination." -- Thomas Edison
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
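The difference the thread turns on (a global `role:admin` check versus a domain-scoped check) can be seen by evaluating the two rule styles against the same credentials. The block below is an added example, not code from this thread or from Keystone: a minimal evaluator for the subset of the oslo.policy rule language used in policy.json (`kind:match` checks joined by `and`/`or`, plus `rule:<name>` references; no parentheses or the full grammar). The `admin_required` string is the one Keystone's default policy.json uses; `admin_and_matching_domain_id` is modelled on the domain-scoped rules in Keystone's policy.v3cloudsample.json. The `Policy` class, the `allowed` helper, and all user/domain IDs are constructed for the example.

```python
import re

# Rule strings: 'admin_required' as in Keystone's default policy.json; the
# domain-scoped rule is modelled on policy.v3cloudsample.json (example, not a
# verbatim copy of any particular release).
RULES = {
    # default policy.json: any token carrying the 'admin' role passes, whatever
    # domain the token or the target belongs to
    "admin_required": "role:admin or is_admin:1",
    # domain-scoped variant: the caller's domain must also match the target's
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
}

# Constructed credentials and targets (IDs are made up for this example).
UDEVTEST = {"roles": ["admin"], "domain_id": "devtest-id"}
DEFAULT_DOMAIN_TARGET = {"domain_id": "default"}
DEVTEST_DOMAIN_TARGET = {"domain_id": "devtest-id"}


class Policy:
    """Evaluate a subset of oslo.policy rule strings.

    Supported: 'kind:match' checks joined by 'and' / 'or' ('and' binds tighter,
    as in oslo.policy), and 'rule:<name>' references to other rules.
    """

    def __init__(self, rules):
        self.rules = rules

    def enforce(self, rule_name, creds, target):
        return self._eval(self.rules[rule_name], creds, target)

    def _eval(self, expr, creds, target):
        # a disjunction of conjunctions: any 'or' branch whose 'and' checks all pass
        for disjunct in expr.split(" or "):
            if all(self._check(c.strip(), creds, target) for c in disjunct.split(" and ")):
                return True
        return False

    def _check(self, token, creds, target):
        kind, _, match = token.partition(":")
        if kind == "rule":
            return self._eval(self.rules[match], creds, target)
        if kind == "role":
            return match in creds.get("roles", ())
        # generic check: '%(attr)s' takes the value from the target, otherwise a literal
        m = re.fullmatch(r"%\((\w+)\)s", match)
        expected = target.get(m.group(1)) if m else match
        return kind in creds and str(creds[kind]) == str(expected)


def allowed(rule_name, creds, target):
    """True if the named rule authorizes 'creds' to act on 'target'."""
    return Policy(RULES).enforce(rule_name, creds, target)


if __name__ == "__main__":
    for rule in RULES:
        print(rule, "vs default domain:", allowed(rule, UDEVTEST, DEFAULT_DOMAIN_TARGET))
        print(rule, "vs devtest domain:", allowed(rule, UDEVTEST, DEVTEST_DOMAIN_TARGET))
```

Run as-is, the udevtest credentials pass `admin_required` against the default domain (the behaviour reported in the question), while `admin_and_matching_domain_id` only passes when the target sits in devtest. In a real deployment the target attributes come from the API request (the domain of the user or project being listed or deleted), so a domain-scoped rule is only as good as the target fields the service passes into the enforcer.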