I looked into this quite a bit tonight and it looks like this was a misunderstanding on my part of how a Domain Admin should be defined - specifically without a default project defined for the Domain Admin user. Correct me if I'm wrong, though.
It does not explain the difference I saw between Horizon's access controls and the OpenStack CLI, though.
This is an example of what I used to successfully create a Domain Admin account that does NOT have access to see other projects or domains:
# Run as Cloud Admin
domain create TestDomain
user create --domain TestDomain --password test TestDomainAdmin
role add --domain TestDomain --user TestDomainAdmin admin
I can then create a project with this user as well as a user associated with the project in the new domain:
# Run as Domain Admin - logged in using a domain-scoped token with the OpenStackClient
# Must specify domain ID, not domain name (authorization error otherwise)?
project create --domain 492537d206754d0b9ccde50067df6d03 TestProject
project list --domain 492537d206754d0b9ccde50067df6d03
user create --domain 492537d206754d0b9ccde50067df6d03 --password test TestDomainUser
role add --domain 492537d206754d0b9ccde50067df6d03 --user e207992708c1426faa21779c730f73d1 _member_
role add --project 59c88317254044d6956b88255d16cc11 --user e207992708c1426faa21779c730f73d1 _member_
Eric
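The post turns on the difference between a domain-scoped and a project-scoped Keystone v3 token (the Domain Admin has no default project, so it logs in with domain scope). The following is an added illustration, not part of Eric's message: it builds the two `POST /v3/auth/tokens` request bodies and checks a token response for domain-admin scope. The token responses below are constructed samples reusing the domain ID from the post; the function names are my own.

```python
"""Keystone v3 token scoping helpers (constructed example, not from the post)."""


def password_auth(user, password, user_domain, scope):
    """Build a v3 auth body for the password method with the given scope dict.

    scope is {"domain": {...}} for a domain-scoped token (what the Domain Admin
    in the post uses) or {"project": {...}} for a project-scoped token.
    """
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": user,
                                           "domain": {"name": user_domain},
                                           "password": password}}},
        "scope": scope}}


def domain_scoped_auth(user, password, domain_name):
    # Scoping to the domain is what makes `role add --domain ... admin` effective.
    return password_auth(user, password, domain_name, {"domain": {"name": domain_name}})


def project_scoped_auth(user, password, user_domain, project_id):
    return password_auth(user, password, user_domain, {"project": {"id": project_id}})


def token_scope(token_body):
    """Classify a token response as ('domain', id), ('project', id) or ('unscoped', None)."""
    tok = token_body["token"]
    if "project" in tok:                 # project-scoped tokens carry a "project" key
        return ("project", tok["project"]["id"])
    if "domain" in tok:                  # domain-scoped tokens carry a "domain" key
        return ("domain", tok["domain"]["id"])
    return ("unscoped", None)


def has_domain_admin(token_body, domain_id):
    """True only if the token is scoped to domain_id AND carries the admin role."""
    scope, target = token_scope(token_body)
    roles = {r["name"] for r in token_body["token"].get("roles", [])}
    return scope == "domain" and target == domain_id and "admin" in roles


# Constructed sample responses (trimmed to the fields the checks use).
DOMAIN_ID = "492537d206754d0b9ccde50067df6d03"
SAMPLE_DOMAIN_TOKEN = {"token": {"domain": {"id": DOMAIN_ID, "name": "TestDomain"},
                                 "roles": [{"name": "admin"}],
                                 "user": {"name": "TestDomainAdmin"}}}
SAMPLE_PROJECT_TOKEN = {"token": {"project": {"id": "59c88317254044d6956b88255d16cc11"},
                                  "roles": [{"name": "_member_"}],
                                  "user": {"name": "TestDomainUser"}}}
```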