Keystone-manage bootstrap can't bootstrap domains other than default

Bug #1593542 reported by Shawn Berger
Affects: OpenStack Identity (keystone)
Status: Opinion
Importance: Undecided
Assigned to: Shawn Berger

Bug Description

When using keystone-manage bootstrap, you can't define the domain that you want to bootstrap. It always works with the default domain. The problem is that this doesn't help with a multi-domain environment. An admin user defined in the default domain doesn't have any permissions in other domains. Once a new domain is created, a different admin user specific to that domain would need to be created in order to be able to act within it.

If the keystone-manage bootstrap utility could allow bootstrapping of non-default domains then it could facilitate the administration of larger, multi-domain cloud environments without the security concern that arises from the older admin_token method.

Shawn Berger (slberger)
Changed in keystone:
assignee: nobody → Shawn Berger (slberger)
Jamie Lennox (jamielennox) wrote :

Are you looking to put the admin project in a different domain or are you looking to have the bootstrap process grant the admin user a role on a domain?

Jamie Lennox (jamielennox) wrote :

(both seem like valid problems - just wondering)

Shawn Berger (slberger) wrote :

I was looking to be able to essentially create every domain to mirror the default domain, with its own admin.

Shawn Berger (slberger) wrote :

I think having the bootstrap process grant the admin user roles in the new domain would probably be the way to go.

Steve Martinelli (stevemar) wrote :

So bootstrap is just meant to initialize keystone. Why can't the admin user on the default domain, who is presumably the overall cloud admin, create domains and users and assign them roles accordingly?

I would prefer not to expand the scope of the bootstrap command for what seems like workflow / operational logic.

Shawn Berger (slberger) wrote :

Jamie showed me this bug https://bugs.launchpad.net/keystone/+bug/968696. It seems that if "admin"-ness becomes scoped then that will make it difficult for an admin in one domain to act within another.

David Stanek (dstanek) wrote :

I think this should be marked as WONTFIX. This feature is currently designed to be used when first installing keystone and not for creating new domains.

Changed in keystone:
status: New → Opinion
Dolph Mathews (dolph) wrote :

I agree with David. To reiterate / clarify Steve's comment: the bootstrap process is intended to bootstrap only the "root" cloud admin, which you can use to create lesser privileged domain admins using the normal HTTP API, openstackclient, etc.
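The two-step workflow the maintainers describe, as an added example that is not part of the bug thread or of Keystone's own code: run keystone-manage bootstrap once to create the root cloud admin in the default domain, then use that admin's credentials with openstackclient to create a new domain and a user holding the admin role on that domain only. All names, passwords and the URL are placeholder assumptions; the DRY_RUN switch is a helper of this script, not a keystone-manage or openstack option, and only echoes the commands so the sequence can be reviewed without a running Keystone. Whether the resulting domain admin is actually confined to its domain depends on the policy in effect, which is the point of bug 968696 referenced earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the bug thread or the Keystone project).
# Step 1 is run once on the identity host; step 2 is run by the root admin
# created in step 1. Placeholder values are assumptions.
set -eu

# Helper of this script only: echo the command instead of running it when
# DRY_RUN=1, so the sequence can be inspected without a live Keystone.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: one-time bootstrap of the "root" cloud admin. The user, project
# and role all land in the default domain; the service, region and endpoint
# flags register Keystone's own catalog entry.
bootstrap_root_admin() {
    pw=$1; url=$2
    run keystone-manage bootstrap \
        --bootstrap-password "$pw" \
        --bootstrap-username admin \
        --bootstrap-project-name admin \
        --bootstrap-role-name admin \
        --bootstrap-service-name keystone \
        --bootstrap-region-id RegionOne \
        --bootstrap-admin-url "$url" \
        --bootstrap-internal-url "$url" \
        --bootstrap-public-url "$url"
}

# Step 2: with the root admin's credentials in the environment, create a
# domain and grant a new user the admin role on that domain (domain scope,
# not the admin project), instead of reusing the root admin or admin_token.
create_domain_admin() {
    domain=$1; user=$2; pw=$3
    run openstack domain create "$domain"
    run openstack user create --domain "$domain" --password "$pw" "$user"
    run openstack role add --domain "$domain" \
        --user "$user" --user-domain "$domain" admin
}

# Environment the new domain admin uses to obtain a domain-scoped token
# (OS_DOMAIN_NAME selects domain scope; OS_PROJECT_NAME is deliberately absent).
domain_admin_env() {
    domain=$1; user=$2; pw=$3; url=$4
    printf 'export OS_IDENTITY_API_VERSION=3\n'
    printf 'export OS_AUTH_URL=%s\n' "$url"
    printf 'export OS_USER_DOMAIN_NAME=%s\n' "$domain"
    printf 'export OS_DOMAIN_NAME=%s\n' "$domain"
    printf 'export OS_USERNAME=%s\n' "$user"
    printf 'export OS_PASSWORD=%s\n' "$pw"
}

# Usage: ./bootstrap-domain-admin.sh --demo   (dry run; prints the commands)
if [ "${1:-}" = "--demo" ]; then
    DRY_RUN=1 bootstrap_root_admin 'root-pw' 'http://keystone.example.com:5000/v3'
    DRY_RUN=1 create_domain_admin acme acme-admin 'acme-pw'
    domain_admin_env acme acme-admin 'acme-pw' 'http://keystone.example.com:5000/v3'
fi
```

Source the output of domain_admin_env and run `openstack token issue` to confirm the new user authenticates with domain scope; whether that token can then see or modify resources in other domains is decided by the policy file Keystone is running with, not by the bootstrap step.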

Shawn Berger (slberger) wrote :

Ok, that is fine with me.

Shawn Berger (slberger) wrote :

How do I mark it as WONTFIX?
