Policies do not support multi domain setups
Bug #1566985 reported by
Bjoern
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack-Ansible |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
We seem the demand rising in supporting multi domain setups in Openstack to realize requests like
"Customer want's admins per domain" etc.
It seems like we have to alter the policies for at least keystone as laid out at https:/
How's the project thinking about that idea?
To post a comment you must log in.
> How's the project thinking about that idea?
The individual projects? Keystone? oslo.policy? Which project?
Keystone has been talking about admin-ness not being properly scoped for a while. [1] Meanwhile, if you look up domains, there are good examples of using domains in a policy rule. [2]
Do you want OSA to configure multi-domain clouds with configuration and create admins per-domain? If so, you're asking that in a very round-about manner and I'm not certain that's OSA's purpose (which is to deploy OpenStack). Yes part of deploying OpenStack is to create the service users in Keystone, but it really doesn't go much further than that. Something extending OSA could do this work. I'm not convinced OSA needs to support this though (outside maybe allowing for domains to be created with it's keystone library)
[1]: https:/ /bugs.launchpad .net/keystone/ +bug/968696 /wiki.openstack .org/wiki/ Domains
[2]: https:/