Can you post what your cloud_admin rule looks like?

Hi folks,

I've run into a wall with making openstack domain auth working, and I don't know where to get help, so I am trying here. I've created a question on:
https://ask.openstack.org/en/question/98429/project-specific-admin-unable-to-list-users-or-use-horizon/
but no-one seems to be able to help.

Since I wrote that, I've gotten as far as creating a working cloud-wide admin (the policy trigger for cloud_admin matching against domain_id didn't seem to work for the default domain...?), and that user is now working fine as super-mega-admin...

But my old admin user, that has admin rights only in the default domain, admin project, can't list users, or projects, in the default domain.
And surely he should be able to, with the rules:
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
"identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
I've tried to find comprehensive and up2date references on how to read the policy.json syntax, but no success, so I am unsure on how to interpret the rule exactly though.

I tried changing to:
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(target.domain_id)s",
after looking at the rule for:
"identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
But it didn't help. During the failure, I can see keystone logging:
2016-11-01 22:16:24.521 4824 INFO keystone.common.wsgi [req-46e3301f-f234-434b-a013-5aa2297b6119 admin_User admin_Prj - default default] GET http://172.16.12.100:35357/v3/projects/admin_Prj
(where admin_Prj/User is the UUIDs regexped)
What is wrong? Where can I learn how to do this???
_______________________________________________ rdo-list mailing list rdo-list@redhat.com https://www.redhat.com/mailman/listinfo/rdo-list To unsubscribe: rdo-list-unsubscribe@redhat.com
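
On reading the policy.json syntax asked about in the thread: the following is an added example, not part of any message above and not keystone or oslo.policy code. It models how oslo.policy reads a `kind:%(key)s` check (left side looked up in the token credentials, right side filled in from the request target, a missing key on either side meaning no match). The `admin_required` and `cloud_admin` bodies and all sample credentials and targets are constructed assumptions; the other two rules are the ones quoted in the thread.

```python
# Simplified model of policy.json evaluation: "or" of "and" terms only,
# no parentheses and no "not". Not oslo.policy itself.
RULES = {
    "admin_required": "role:admin",                               # assumed body
    "cloud_admin": "role:admin and domain_id:admin_domain_id",    # constructed placeholder
    "admin_and_matching_domain_id":
        "rule:admin_required and domain_id:%(domain_id)s",        # from the thread
    "identity:list_users":
        "rule:cloud_admin or rule:admin_and_matching_domain_id",  # from the thread
}
# The changed rule tried in the thread, swapped into a copy of RULES.
VARIANT = dict(RULES, admin_and_matching_domain_id=
               "rule:admin_required and domain_id:%(target.domain_id)s")

def check(term, creds, target, rules):
    """Evaluate one 'kind:match' term."""
    kind, match = term.strip().split(":", 1)
    if kind == "rule":                      # reference to another named rule
        return evaluate(rules[match], creds, target, rules)
    if kind == "role":                      # role name held by the token
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    try:
        wanted = match % target             # right side: filled from the target
    except (KeyError, TypeError):
        return False                        # key absent from target: no match
    # Left side: attribute of the token credentials; absent means no match.
    return kind in creds and str(creds[kind]) == wanted

def evaluate(expr, creds, target, rules=RULES):
    """True if any 'or' alternative has all of its 'and' terms satisfied."""
    return any(all(check(t, creds, target, rules) for t in alt.split(" and "))
               for alt in expr.split(" or "))

# Constructed credentials: a domain-scoped token carries domain_id,
# a project-scoped token carries project_id instead (assumption of this model).
DOMAIN_SCOPED = {"user_id": "u1", "domain_id": "default", "roles": ["admin"]}
PROJECT_SCOPED = {"user_id": "u1", "project_id": "p1", "roles": ["admin"]}
# Constructed target for a user listing filtered by domain.
TARGET = {"domain_id": "default"}

if __name__ == "__main__":
    rule = RULES["identity:list_users"]
    print("domain-scoped :", evaluate(rule, DOMAIN_SCOPED, TARGET))
    print("project-scoped:", evaluate(rule, PROJECT_SCOPED, TARGET))
    print("variant rule  :", evaluate(rule, DOMAIN_SCOPED, TARGET, VARIANT))
```

In this model the same admin role passes or fails `identity:list_users` depending only on whether the credentials carry a `domain_id` and whether the key named inside `%(...)s` exists in the target.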