Keystone policy.v3cloudsample.json doesn't allow proper resources management
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Low | Florent Flament | 2014.1
Bug Description
When using the current ``etc/policy.
Keystone's ``/etc/
admin_domain_id`` properly configured), the following issues arise:
* The cloud_admin user cannot manage users in other domains than the
``cloud`` domain. For instance, once the cloud_admin has created a brand
new domain, he cannot create a user in this domain.
* The cloud_admin cannot manage roles on other domains than the
``cloud`` domain. For instance, if the cloud_admin managed to create a
domain and a user in this new domain, he cannot grant the ``admin``
role on the domain to this new user.
* A domain administrator (user with the ``admin`` role on the domain)
cannot manage roles on projects in its own domain. For instance, a
domain administrator can create a project and a user in his domain,
but he cannot grant the Member role on the project to the new user.
With the following additional rules, one would have an operational
Identity v3 API enabled setting:
* The cloud_admin should be allowed to manage users in any domain.
* The cloud_admin should be allowed to manage roles on any domain.
* Domain administrators should be allowed to manage roles on any
project in their own domain.
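The three failures above and the three proposed rules can be checked against a small model of how oslo-style policy strings are evaluated. This is an added example, not code from Keystone and not the contents of policy.v3cloudsample.json: the rule names (``cloud_admin``, ``admin_and_matching_domain_id``, ``admin_and_matching_target_user_domain_id``, ``admin_and_matching_target_project_domain_id``), the two action names, the credential and target dictionaries, and the ``admin_domain`` value substituted for ``admin_domain_id`` are all assumptions modelled on the sample policy's style. The evaluator supports only the ``role:``, ``rule:`` and ``domain_id:`` checks joined by ``and``/``or`` that these rules need.

```python
"""Before/after policy model for the cloud_admin / domain-admin cases.

Added example, not Keystone code. Rule names, action names and the
admin_domain value are assumptions in the style of policy.v3cloudsample.json.
"""
import re

# Assumed value the operator substituted for the admin_domain_id placeholder.
ADMIN_DOMAIN_ID = "admin_domain"

# Helper rules (assumed names, modelled on the sample policy's conventions).
COMMON = {
    "admin_required": "role:admin",
    "cloud_admin": f"rule:admin_required and domain_id:{ADMIN_DOMAIN_ID}",
    "admin_and_matching_domain_id":
        "rule:admin_required and domain_id:%(domain_id)s",
    "admin_and_matching_target_user_domain_id":
        "rule:admin_required and domain_id:%(target.user.domain_id)s",
    "admin_and_matching_target_project_domain_id":
        "rule:admin_required and domain_id:%(target.project.domain_id)s",
}

# "Before": only an admin in the same domain as the target may act, so the
# cloud_admin (who lives in the admin domain) is locked out of other domains.
BEFORE = dict(COMMON, **{
    "identity:create_user": "rule:admin_and_matching_target_user_domain_id",
    "identity:create_grant": "rule:admin_and_matching_domain_id",
})

# "After": cloud_admin may act anywhere; a domain admin may also grant roles
# on projects whose domain matches its own.
AFTER = dict(COMMON, **{
    "identity:create_user":
        "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
    "identity:create_grant":
        "rule:cloud_admin or rule:admin_and_matching_domain_id"
        " or rule:admin_and_matching_target_project_domain_id",
})


def _lookup(target, dotted):
    """Walk a nested target dict by a dotted path; None if any step is missing."""
    cur = target
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _eval(expr, creds, target, rules):
    """Evaluate one policy expression; 'or' binds looser than 'and'."""
    expr = expr.strip()
    if " or " in expr:
        return any(_eval(p, creds, target, rules) for p in expr.split(" or "))
    if " and " in expr:
        return all(_eval(p, creds, target, rules) for p in expr.split(" and "))
    kind, _, value = expr.partition(":")
    if kind == "rule":
        return _eval(rules[value], creds, target, rules)
    if kind == "role":
        return value in creds["roles"]
    if kind == "domain_id":
        m = re.fullmatch(r"%\((.+)\)s", value)
        # %(path)s means "compare against this attribute of the target";
        # anything else is a literal (the substituted admin domain id).
        expected = _lookup(target, m.group(1)) if m else value
        return expected is not None and creds["domain_id"] == expected
    raise ValueError(f"unsupported check: {expr}")


def enforce(rules, action, creds, target):
    """True if the credentials may perform action on target under rules."""
    return _eval(rules[action], creds, target, rules)


# Constructed sample credentials: the cloud admin and the admin of domain d1.
CLOUD_ADMIN = {"roles": ["admin"], "domain_id": ADMIN_DOMAIN_ID}
D1_ADMIN = {"roles": ["admin"], "domain_id": "d1"}


def scenarios(rules):
    """The three cases from the bug plus one that must stay denied."""
    return {
        "cloud_admin_creates_user_in_d1": enforce(
            rules, "identity:create_user", CLOUD_ADMIN,
            {"target": {"user": {"domain_id": "d1"}}}),
        "cloud_admin_grants_on_domain_d1": enforce(
            rules, "identity:create_grant", CLOUD_ADMIN, {"domain_id": "d1"}),
        "d1_admin_grants_on_d1_project": enforce(
            rules, "identity:create_grant", D1_ADMIN,
            {"target": {"project": {"domain_id": "d1"}}}),
        # Least privilege check: a domain admin still cannot touch another domain.
        "d1_admin_creates_user_in_d2": enforce(
            rules, "identity:create_user", D1_ADMIN,
            {"target": {"user": {"domain_id": "d2"}}}),
    }


if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        for case, allowed in scenarios(rules).items():
            print(f"{name:6} {case:34} {'allowed' if allowed else 'denied'}")
```

The fourth scenario is the one to keep an eye on when loosening rules like these: adding ``rule:cloud_admin`` as an alternative opens the action only to admins whose token domain is the configured admin domain, so a domain administrator of ``d1`` is still denied in ``d2`` under the "after" rules.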
Changed in keystone:
assignee: nobody → Florent Flament (florent-flament-ext)
Changed in keystone:
importance: Undecided → Low
Changed in keystone:
milestone: none → icehouse-3
status: Fix Committed → Fix Released
Changed in keystone:
milestone: icehouse-3 → 2014.1
Fix proposed to branch: master
Review: https://review.openstack.org/65510