← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #59799

[Bug 1649909] [NEW] Domain-defined RBAC

  Thread PreviousDate PreviousThread Next 
Public bug reported:

Hi,

I want to make an external network visible at a keystone domain-wide
scope; I try this:

openstack network rbac create --target-project-domain DOMAIN_ID --action access_as_external --type network NETWORK_ID --target-project '*'
CommandError: No project with a name or ID of '*' exists.

Because it use this call to retrieve project:
http://controller.admin:35357/v3/projects?domain_id=DOMAIN_ID&name=%2A

RBAC specifications only use domain during rbac creation, domain isn't
store in db:

MariaDB [neutron]> desc networkrbacs;
+---------------+--------------+------+-----+---------+-------+
| Field         | Type         | Null | Key | Default | Extra |
+---------------+--------------+------+-----+---------+-------+
| id            | varchar(36)  | NO   | PRI | NULL    |       |
| object_id     | varchar(36)  | NO   | MUL | NULL    |       |
| project_id    | varchar(255) | YES  | MUL | NULL    |       |
| target_tenant | varchar(255) | NO   |     | NULL    |       |
| action        | varchar(255) | NO   | MUL | NULL    |       |
+---------------+--------------+------+-----+---------+-------+

Two questions:
1 Is it possible to create an rbac for all projects using CLI ?
2 Is it planned to use target-project-domain not only at rbac creation but also for filtering target projects ?

Thanks,

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1649909

Title:
  Domain-defined RBAC

Status in neutron:
  New

Bug description:
  Hi,

  I want to make an external network visible at a keystone domain-wide
  scope; I try this:

  openstack network rbac create --target-project-domain DOMAIN_ID --action access_as_external --type network NETWORK_ID --target-project '*'
  CommandError: No project with a name or ID of '*' exists.

  Because it use this call to retrieve project:
  http://controller.admin:35357/v3/projects?domain_id=DOMAIN_ID&name=%2A

  RBAC specifications only use domain during rbac creation, domain isn't
  store in db:

  MariaDB [neutron]> desc networkrbacs;
  +---------------+--------------+------+-----+---------+-------+
  | Field         | Type         | Null | Key | Default | Extra |
  +---------------+--------------+------+-----+---------+-------+
  | id            | varchar(36)  | NO   | PRI | NULL    |       |
  | object_id     | varchar(36)  | NO   | MUL | NULL    |       |
  | project_id    | varchar(255) | YES  | MUL | NULL    |       |
  | target_tenant | varchar(255) | NO   |     | NULL    |       |
  | action        | varchar(255) | NO   | MUL | NULL    |       |
  +---------------+--------------+------+-----+---------+-------+

  Two questions:
  1 Is it possible to create an rbac for all projects using CLI ?
  2 Is it planned to use target-project-domain not only at rbac creation but also for filtering target projects ?

  Thanks,

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1649909/+subscriptions

Follow ups

  Thread PreviousDate PreviousThread Next