Domain usage to restrict admin features

Asked by Sergii Kashaba

Hi,

I'm trying to use domain stuff with a simple scenario and didn't get how to set up the system and get it working.
I need to have a cloud admin, several domains, and users who are admins in one domain only (one user as an admin for one domain only).
The requirements for the cloud admin and domain admin:
1. Cloud admin should be able to create domains.
2. Cloud admin should be able to assign a user as a domain admin.
3. Domain admin should be able to:
  a. Create projects inside the domain.
  b. Assign user roles to projects inside the domain.
  c. List projects as part of operation 3.b (it would be nice to restrict the output to projects in the domain only).
  d. List users and roles to perform 3.b.
  e. Remove a user role from a project.
4. Domain admin shouldn't be able to do anything in domains it doesn't own.

Is it a reasonable use case? And is it possible to implement using Havana?

Some issues I have already met:
1. A user that is not in the default domain is not able to authenticate from the CLI (https://bugs.launchpad.net/python-openstackclient/+bug/1198171).
2. If I change the endpoints for keystone to V3, some components of OpenStack are not workable (like keystone client).
3. It's not possible to have 2 sets of endpoints for keystone - V2 and V3 (like for compute), so that glance can use V2 and V3 is used from the CLI only.
4. I fixed issues 1 and 2 manually (code change). But still, if a user is assigned an admin role to a domain only, not to a project, it's impossible to invoke any command using the CLI - it requires specifying a project.
5. If I fix 4 manually, it says that the management URL is not available for such authorization.
6. If I add a user as an admin to any project inside the domain, this user is able to list all projects for all domains, and actually is able to do anything with the cloud. I tried to play with policy.json, but still no success.

The commands that I ran in order to prepare domains and users:
export OS_AUTH_URL=http://10.0.2.15:5000/v3
#create domains and users
openstack --os-identity-api-version 3 --os-url http://10.0.2.15:35357/v3 --os-token openstack domain list
openstack --os-identity-api-version 3 --os-url http://10.0.2.15:35357/v3 --os-token openstack domain create dom1
openstack --os-identity-api-version 3 --os-url http://10.0.2.15:35357/v3 --os-token openstack user create --password qwerty --domain dom1 dom1user
#assign user to domain
openstack --os-identity-api-version 3 --os-url http://10.0.2.15:35357/v3 --os-token openstack role add --user dom1user --domain dom1 admin

Question information

Language: English
Status: Solved
For: OpenStack Identity (keystone)
Assignee: No assignee
Solved by: Sergii Kashaba

Sergii Kashaba (skashaba) said :
#1

BTW, I noticed that I forgot to modify policy.json. It resolved issue 6, but considering I can't get the openstack client working and use curl for now, domain_id is not passed to the policy rule checker, so when I invoke
curl -si -X POST -H "Content-Type: application/json" -d '{"auth": {"scope": {"project": {"domain": {"name": "dom1"}, "name": "dom1project"}}, "identity": {"password": {"user": {"domain": {"name": "dom1"}, "password": "qwerty", "name": "dom1user"}}, "methods": ["password"]}}}' http://127.0.0.1:5000/v3/auth/tokens | awk '/X-Subject-Token/ {print $2}'
and then
curl -X GET -H "X-Auth-Token:1855a8f034d54c74ac49a63640b40506" http://10.0.2.15:5000/v3/users/b4f24ca4a35642a6a375ab1a02dda0c5

Domain is not part of the credentials. Print message from the rules:
Credentials:
{'project_id': u'd9ec684e2f37472cb84638b76b907e90', 'user_id': u'b4f24ca4a35642a6a375ab1a02dda0c5', 'roles': [u'admin']}
Rule
identity:get_user ()
Target:
 {'target.user.enabled': True, 'target.user.domain_id': u'8efa82050cf64c6580cb7d4bee7e3f4f', 'user_id': u'b4f24ca4a35642a6a375ab1a02dda0c5', 'target.user.name': u'dom1user', 'target.user.id': u'b4f24ca4a35642a6a375ab1a02dda0c5'}
Rule is
    "identity:get_user": [["rule:admin_required", "domain_id:%(target.user.domain_id)s"]],

Sergii Kashaba (skashaba) said :
#3

I finally got my things working using curl.
There is one thing that was a bit unclear from the documentation - query filters provided with the URL are part of the target.
And also the policy.json sample for the V3 API has some issues. After fixing them, everything works fine for my purpose. Guys - you'd better fix the openstack client for domains instead of changing tenant_id back to project_id (was it in essex the first time?) :).
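The two observations in posts #1 and #3 (a project-scoped token carries no domain_id, so the `domain_id:%(target.user.domain_id)s` check can never pass; and URL query filters such as `?domain_id=...` become part of the target on list calls) can be reproduced with a small evaluator. The code below is an added illustration and is not keystone's policy engine; it mimics only the legacy list-of-lists semantics of Havana's policy.json (outer list = OR of alternatives, inner list = AND of checks, empty list = allow). The credentials, target and `identity:get_user` rule are taken from the page; the `identity:list_projects` rule, the domain-scoped credentials and the second-domain placeholder id are constructed assumptions.

```python
"""Minimal evaluator for Havana-era keystone policy.json rules (list-of-lists form).

Added illustration, not keystone's own policy engine. It shows why a project-scoped
token (no domain_id in the credentials) fails a domain_id check even for a domain
admin, why a domain-scoped token passes only for its own domain, and how URL query
filters end up in the policy target for list calls.
"""
from urllib.parse import parse_qs

# Constructed policy in the page's shape. identity:get_user is the rule quoted on the
# page; identity:list_projects is an assumption modelled on the same pattern.
POLICY = {
    "admin_required": [["role:admin"], ["is_admin:1"]],
    "identity:get_user": [["rule:admin_required", "domain_id:%(target.user.domain_id)s"]],
    "identity:list_projects": [["rule:admin_required", "domain_id:%(domain_id)s"]],
}

DOM1_ID = "8efa82050cf64c6580cb7d4bee7e3f4f"   # dom1's id, from the page's target dump
USER_ID = "b4f24ca4a35642a6a375ab1a02dda0c5"   # dom1user's id, from the page

# Credentials exactly as the page's debug print shows them for a project-scoped token:
# note there is no domain_id key at all.
CREDS_PROJECT_SCOPED = {
    "project_id": "d9ec684e2f37472cb84638b76b907e90",
    "user_id": USER_ID,
    "roles": ["admin"],
}
# Constructed: what a domain-scoped token (scope.domain instead of scope.project) carries.
CREDS_DOM1_SCOPED = {"domain_id": DOM1_ID, "user_id": USER_ID, "roles": ["admin"]}
# Constructed: an admin of some other domain (placeholder ids).
CREDS_DOM2_SCOPED = {"domain_id": "OTHER-DOMAIN-ID-PLACEHOLDER",
                     "user_id": "OTHER-USER-ID-PLACEHOLDER", "roles": ["admin"]}

# Target as printed on the page for GET /v3/users/<id>.
TARGET_GET_USER = {
    "target.user.enabled": True,
    "target.user.domain_id": DOM1_ID,
    "user_id": USER_ID,
    "target.user.name": "dom1user",
    "target.user.id": USER_ID,
}


def target_from_query(query_string):
    """Build the policy target from URL query filters, e.g. 'domain_id=...' on a list call."""
    return {key: values[0] for key, values in parse_qs(query_string).items()}


def _check(check, rules, creds, target):
    """Evaluate one 'kind:match' check string against credentials and target."""
    if check == "@":                        # always allow
        return True
    if check == "!":                        # always deny
        return False
    kind, _, match = check.partition(":")
    if kind == "rule":                      # reference to another named rule
        return _evaluate(rules.get(match, "!"), rules, creds, target)
    if kind == "role":                      # role carried by the token
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # Generic check: interpolate %(...)s from the target, then compare with the
    # credential attribute of the same name. Missing on either side means deny.
    try:
        expected = match % target
    except KeyError:
        return False
    return kind in creds and str(creds[kind]) == str(expected)


def _evaluate(expr, rules, creds, target):
    """Legacy list form: outer list is OR of alternatives, inner list is AND of checks."""
    if isinstance(expr, str):
        return _check(expr, rules, creds, target)
    if not expr:                            # an empty rule list allowed everything in the legacy engine
        return True
    for alternative in expr:
        checks = [alternative] if isinstance(alternative, str) else alternative
        if all(_check(c, rules, creds, target) for c in checks):
            return True
    return False


def enforce(action, rules, creds, target):
    """Return True if creds may perform action on target under rules (unknown action denies)."""
    return _evaluate(rules.get(action, "!"), rules, creds, target)


if __name__ == "__main__":
    # The page's situation: admin role, but project-scoped token -> denied.
    print(enforce("identity:get_user", POLICY, CREDS_PROJECT_SCOPED, TARGET_GET_USER))  # False
    # Same user with a domain-scoped token -> allowed for its own domain only.
    print(enforce("identity:get_user", POLICY, CREDS_DOM1_SCOPED, TARGET_GET_USER))     # True
    print(enforce("identity:get_user", POLICY, CREDS_DOM2_SCOPED, TARGET_GET_USER))     # False
    # List call: the ?domain_id= filter supplies the target; without it the check cannot pass.
    print(enforce("identity:list_projects", POLICY, CREDS_DOM1_SCOPED,
                  target_from_query("domain_id=" + DOM1_ID)))                           # True
    print(enforce("identity:list_projects", POLICY, CREDS_DOM1_SCOPED,
                  target_from_query("")))                                               # False
```

The last two calls are the practical consequence for requirement 3.c: a domain admin listing projects must pass `?domain_id=<own domain>` so that the target contains something for the rule to compare against, and the same rule then refuses a filter naming any other domain.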

Sergii Kashaba (skashaba) said :
#4

Link where I described the details of 'how the problem was solved':
http://www.mirantis.com/blog/manage-openstack-projects-using-domains-havana/