<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 11/01/2016 05:17 PM, Taisto Qvist
wrote:<br>
</div>
<blockquote
cite="mid:CANMgGe9AL_1uP0sGbeoD_0qFfQAEejDRTD_jwKu7rAqh1Bxh+A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div>Hi folks, <br>
<br>
</div>
I've run into a wall with making openstack
domain auth work, and I don't know where to
get help, so I am trying here. I've created a
question on:<br>
<br>
<a moz-do-not-send="true"
href="https://ask.openstack.org/en/question/98429/project-specific-admin-unable-to-list-users-or-use-horizon/">https://ask.openstack.org/en/question/98429/project-specific-admin-unable-to-list-users-or-use-horizon/</a><br>
<br>
</div>
...but no one seems to be able to help.<br>
<br>
</div>
Since I wrote that, I've gotten as far as creating
a working cloud-wide admin (the policy trigger for
cloud_admin matching against domain_id didn't seem
to work for the default domain...?), and that user
is now working fine as super-mega-admin.<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
Can you post what your cloud_admin rule looks like?<br>
<br>
<br>
<blockquote
cite="mid:CANMgGe9AL_1uP0sGbeoD_0qFfQAEejDRTD_jwKu7rAqh1Bxh+A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div>
<div><br>
</div>
But my old admin user, who has admin rights only in
the default domain, admin project, can't list users,
or projects, in the default domain.<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
admin_and_matching_domain_id: but his domain must not be matching: if
he has a domain-scoped token for another domain, it will not be
valid for the default.<br>
<br>
<blockquote
cite="mid:CANMgGe9AL_1uP0sGbeoD_0qFfQAEejDRTD_jwKu7rAqh1Bxh+A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div>
<div><br>
</div>
And surely he should be able to, with the rules:<br>
<br>
"admin_and_matching_domain_id":
"rule:admin_required and domain_id:%(domain_id)s",<br>
"identity:list_users": "rule:cloud_admin or
rule:admin_and_matching_domain_id", <br>
<br>
</div>
I've tried to find comprehensive and up-to-date references
on how to read the policy.json syntax, but with no success, so
I am unsure how to interpret the rule exactly, though.<br>
</div>
I tried changing to:<br>
<br>
"admin_and_matching_domain_id": "rule:admin_required
and domain_id:%(<i>target</i>.domain_id)s",<br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Have you been using the CLI to test your changes? It might greatly
simplify things. I'd also recommend using pdb and actually stepping
through the code executed: you can learn a lot this way.<br>
<br>
<blockquote
cite="mid:CANMgGe9AL_1uP0sGbeoD_0qFfQAEejDRTD_jwKu7rAqh1Bxh+A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div><br>
</div>
after looking at the rule for:<br>
<br>
"identity:get_project": "rule:cloud_admin or
rule:admin_and_matching_target_project_domain_id or
project_id:%(target.project.id)s",<br>
</div>
</div>
</div>
</blockquote>
<br>
Again, in this rule, you have explicit matching. The token either
needs to match the domain ID or the project ID.<br>
<br>
<blockquote
cite="mid:CANMgGe9AL_1uP0sGbeoD_0qFfQAEejDRTD_jwKu7rAqh1Bxh+A@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div><br>
</div>
But it didn't help. During the failure, I can see keystone
logging:<br>
<br>
2016-11-01 22:16:24.521 4824 INFO keystone.common.wsgi
[req-46e3301f-f234-434b-a013-5aa2297b6119
admin_User
admin_Prj - default default] GET <a
moz-do-not-send="true"
href="http://172.16.12.100:35357/v3/projects/admin_Prj">http://172.16.12.100:35357/v3/projects/admin_Prj</a><br>
<br>
</div>
<div>(where admin_Prj/User are the UUIDs, regexped)<br>
</div>
<div><br>
</div>
What is wrong? Where can I learn how to do this??? <br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
rdo-list mailing list
<a class="moz-txt-link-abbreviated" href="mailto:rdo-list@redhat.com">rdo-list@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/rdo-list">https://www.redhat.com/mailman/listinfo/rdo-list</a>
To unsubscribe: <a class="moz-txt-link-abbreviated" href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a></pre>
</blockquote>
<p><br>
</p>
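<p>The matching the reply describes, as an added example that is not part of this thread and is not keystone or oslo.policy code: a small evaluator for the subset of the policy.json language the quoted rules use (<code>rule:</code>, <code>role:</code>, and generic <code>cred_key:value</code> / <code>cred_key:%(target_key)s</code> checks joined by <code>and</code>/<code>or</code>; parentheses are not handled). Everything else is constructed for the example: the policy dict, the domain and project IDs, the token dicts (modelled on the point that a project-scoped token carries <code>project_id</code> and a domain-scoped token carries <code>domain_id</code>), and the target dicts (the <code>?domain_id=</code> filter for <code>list_users</code>, the project nested under <code>target.project</code> for <code>get_project</code>). <code>TRIED_POLICY</code> reproduces the <code>%(target.domain_id)s</code> variant from the question.</p>

```python
"""Evaluator for the subset of the policy.json rule language used in the rules
quoted above: 'rule:<name>', 'role:<name>', '<cred_key>:<literal>' and
'<cred_key>:%(<target_key>)s', joined by 'and' / 'or'. A constructed stand-in
for oslo.policy written for this example; the policy, domain IDs, tokens and
targets below are all made up."""
import re

POLICY = {
    "admin_required": "role:admin",
    # The sample file ships the literal 'admin_domain_id' here; it only matches
    # once replaced by the real admin domain's ID ('dom-admin' is constructed).
    "cloud_admin": "rule:admin_required and domain_id:dom-admin",
    "admin_and_matching_domain_id":
        "rule:admin_required and domain_id:%(domain_id)s",
    "admin_and_matching_target_project_domain_id":
        "rule:admin_required and domain_id:%(target.project.domain_id)s",
    "identity:list_users":
        "rule:cloud_admin or rule:admin_and_matching_domain_id",
    "identity:get_project":
        "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id"
        " or project_id:%(target.project.id)s",
}
_INTERP = re.compile(r"^%\((.+)\)s$")


def _target_value(target, dotted):
    """Resolve a dotted key such as target.project.domain_id; None if absent."""
    for part in dotted.split("."):
        if not isinstance(target, dict) or part not in target:
            return None
        target = target[part]
    return target


def _check(term, creds, target, policy):
    kind, _, match = term.partition(":")
    if kind == "rule":
        return enforce(match, creds, target, policy)
    if kind == "role":
        return match in creds.get("roles", ())
    # Generic check <cred_key>:<value>: the left side always comes from the
    # token, a %(...)s right side from the target. A missing key on either
    # side makes the check fail instead of matching an empty value.
    m = _INTERP.match(match)
    expected = _target_value(target, m.group(1)) if m else match
    return kind in creds and expected is not None and str(creds[kind]) == str(expected)


def enforce(action, creds, target, policy=POLICY):
    """True if token 'creds' may perform 'action' on 'target'. 'and' binds
    tighter than 'or', as in oslo.policy; parentheses are not supported here."""
    return any(all(_check(term, creds, target, policy) for term in conj.split(" and "))
               for conj in policy[action].split(" or "))


# Constructed token shapes: a project-scoped token carries project_id and a
# domain-scoped token carries domain_id; neither carries the other.
def project_token(project_id, *roles):
    return {"project_id": project_id, "roles": roles}

def domain_token(domain_id, *roles):
    return {"domain_id": domain_id, "roles": roles}


# Constructed targets: list_users is checked against the ?domain_id= filter,
# get_project against the project being read, nested under 'target.project'.
LIST_DEFAULT_USERS = {"domain_id": "default"}
PROJECT_IN_DEFAULT = {"target": {"project": {"id": "prj-1", "domain_id": "default"}}}
# The variant tried above: the list_users target has no 'target.domain_id', so
# the interpolation has nothing to read and the rule can never match.
TRIED_POLICY = dict(POLICY, admin_and_matching_domain_id=
                    "rule:admin_required and domain_id:%(target.domain_id)s")


def who_may_list_default_users(policy=POLICY):
    tokens = {
        "cloud_admin": domain_token("dom-admin", "admin"),
        "default_domain_admin": domain_token("default", "admin"),
        "other_domain_admin": domain_token("dom-other", "admin"),
        "project_scoped_admin": project_token("prj-admin", "admin"),
    }
    return {name: enforce("identity:list_users", tok, LIST_DEFAULT_USERS, policy)
            for name, tok in tokens.items()}


def who_may_get_project():
    tokens = {
        "member_of_project": project_token("prj-1", "member"),
        "member_of_other_project": project_token("prj-2", "member"),
        "default_domain_admin": domain_token("default", "admin"),
    }
    return {name: enforce("identity:get_project", tok, PROJECT_IN_DEFAULT)
            for name, tok in tokens.items()}


if __name__ == "__main__":
    print(who_may_list_default_users())
    print(who_may_list_default_users(TRIED_POLICY))
    print(who_may_get_project())
```

<p>Running it shows the two failure modes side by side: an admin holding a project-scoped token has no <code>domain_id</code> in the credential at all, so <code>domain_id:%(domain_id)s</code> can never match, and a domain-scoped admin of any domain other than the one in the filter is refused for the same reason the reply gives. Under <code>TRIED_POLICY</code> even the admin of the default domain is refused, because the right-hand side now names a target key that <code>list_users</code> does not carry; only <code>cloud_admin</code> still passes.</p>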
</body>
</html>