On 11/01/2016 05:17 PM, Taisto Qvist wrote:
> Hi folks,
> I've run into a wall with making openstack domain auth working, and I
> don't know where to get help, so I am trying here. I've created a
> question on:
> https://ask.openstack.org/en/question/98429/project-specific-admin-unable...
> ..but no-one seems to be able to help.
> Since I wrote that, I've gotten as far as creating a working
> cloud-wide admin (the policy trigger for cloud_admin matching against
> domain_id didn't seem to work for the default domain...?), and that
> user is now working fine as super-mega-admin.
Can you post what your cloud_admin
rule looks like?
> But my old admin user, that has admin rights only in the default
> domain, admin project, can't list users, or projects, in the default
> domain.
admin_and_matching_domain_id: But his domain must not be matching: If
he has a domain scoped token for another domain, it will not be valid
for the default.
> And surely he should be able to, with the rules:
> "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
> "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
> I've tried to find comprehensive and up-to-date references on how to read
> the policy.json syntax, but no success, so I am unsure on how to
> interpret the rule exactly though.
> I tried changing to:
> "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(/target/.domain_id)s",
Have you been using the CLI to test your changes? It might greatly
simplify things. I'd also recommend using pdb and actually stepping
through the code executed: you can learn a lot this way.
> after looking at the rule for:
> "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
Again, in this rule, you have explicit matching. The token either needs
to match the domain ID or the project ID.
> But it didn't help. During the failure, I can see keystone logging:
> 2016-11-01 22:16:24.521 4824 INFO keystone.common.wsgi [req-46e3301f-f234-434b-a013-5aa2297b6119 admin_User admin_Prj - default default] GET http://172.16.12.100:35357/v3/projects/admin_Prj
> (where admin_Prj/User are the UUIDs, regexped)
> What is wrong? Where can I learn how to do this???
_______________________________________________
rdo-list mailing list
rdo-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/rdo-list
To unsubscribe: rdo-list-unsubscribe(a)redhat.com
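A small evaluator for the policy rule syntax discussed in the thread, added here as an illustration; it is not part of the thread, of keystone, or of oslo.policy. The policy fragment is constructed from the rules quoted above, and the `cloud_admin` rule is a stand-in placeholder rather than keystone's shipped definition. It shows that `domain_id:%(domain_id)s` compares the domain_id carried by the token with the domain_id of the target, so a domain-scoped token for another domain, or a project-scoped token that carries no domain_id at all, fails the `admin_and_matching_domain_id` branch.

```python
import re

# Constructed, simplified policy fragment mirroring the rules quoted in the
# thread. cloud_admin is a placeholder stand-in, not keystone's real rule.
POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:CLOUD_ADMIN_DOMAIN_ID",
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
}

def _lookup(target, dotted):
    """Resolve a dotted path such as 'target.project.id' in the target dict."""
    cur = target
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def _atom(atom, creds, target):
    """Evaluate one 'kind:match' check against token creds and the target."""
    kind, _, match = atom.partition(":")
    if kind == "rule":                      # reference to another named rule
        return enforce(match, creds, target)
    if kind == "role":                      # role carried by the token
        return match in creds.get("roles", [])
    m = re.fullmatch(r"%\((.+)\)s", match)
    if m:                                   # %(...)s pulls the value from the target
        match = _lookup(target, m.group(1))
        if match is None:
            return False
    # Generic check: the token attribute named by 'kind' must equal the value.
    # A token that lacks the attribute (e.g. project-scoped, no domain_id) fails.
    return kind in creds and str(creds[kind]) == str(match)

def enforce(rule, creds, target):
    """Evaluate a rule name or expression; 'or' binds weaker than 'and'
    (parentheses are not supported in this simplified evaluator)."""
    expr = POLICY.get(rule, rule)
    return any(all(_atom(a.strip(), creds, target) for a in clause.split(" and "))
               for clause in expr.split(" or "))

# Constructed sample tokens (creds) and the target of a list_users call.
TARGET = {"domain_id": "default"}
DOMAIN_ADMIN_DEFAULT = {"roles": ["admin"], "domain_id": "default"}
DOMAIN_ADMIN_OTHER = {"roles": ["admin"], "domain_id": "other-domain"}
PROJECT_ADMIN = {"roles": ["admin"], "project_id": "admin_Prj"}  # no domain_id

if __name__ == "__main__":
    for name, creds in [("default-domain token", DOMAIN_ADMIN_DEFAULT),
                        ("other-domain token", DOMAIN_ADMIN_OTHER),
                        ("project-scoped token", PROJECT_ADMIN)]:
        print(name, "->", enforce("identity:list_users", creds, TARGET))
```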