I have a question about this specific feature (use of the is_project_admin flag in the tokens), and most of all the ability to leverage that in Keystone policy and the other service policy files.
I’m running this build:
openstack-keystone-9.0.0.0b4-0.20160304193251.9d6ab5d.el7.centos.noarch
In my keystone policy file, I did this:
"admin_required": "role:admin and is_admin_project",
….
"identity:list_domains": "rule:admin_required",
I set up the two variables (admin_project_domain_name and admin_project_name) in keystone.conf, and I can obtain a token for a user in the admin project. In the token response, I can see the is_admin_project: true flag which is good.
Somehow, though, I get 403 when I try a GET /v3/domains with that token.
I’m just looking to see if the code for the policies to leverage that flag is already in build 9.0.0.0b4?
From the discussion above, it appears policy changes in the other services have not been merged yet, so I'm sticking to just experimenting with Keystone's APIs themselves first.