
yahoo-eng-team team mailing list archive

[Bug 1842397] [NEW] Possibility for project level roles ?


Public bug reported:

Hi Team,

I want to create project level roles, where this role should allow
granting child-project management permissions to a user. It should allow
a bearer of the role to create, update and list child-projects
underneath a common parent project (the role-assignment of the user
would be attached to the parent project).

I added the below to policy.json

"admin_and_matching_parent_project_id": "rule:admin_required and domain_id:%(project.domain_id)s and parent_id:%(project.parent_id)s",
"identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id or rule:admin_and_matching_parent_project_id or role:project_admin",

Below are my concerns:
1. The user should be part of the admin project? Otherwise I get "The request you have made requires authentication. (HTTP 401)".
2. How to restrict project creation to a specific parent project? Does it work in production?

Do I create a parent_project_id column as mentioned in
https://bugzilla.redhat.com/show_bug.cgi?id=1235222
https://specs.openstack.org/openstack/keystone-specs/specs/juno/hierarchical_multitenancy.html

Any suggestions on how to fix the above?

Regards,
Rajiv

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1842397


To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1842397/+subscriptions
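The following is an added example for this thread, not code from the bug report or from keystone. It is a minimal stand-in for the oslo.policy rule evaluator (the `rule:`, `role:`, `key:literal` and `key:%(target.path)s` checks, combined with "and"/"or"), used to trace why the posted `admin_and_matching_parent_project_id` rule cannot match and what a rule keyed on the token's own project looks like. Everything not taken from the post is an assumption and is marked as such in the comments: the simplified stand-ins for keystone's sample `admin_required`, `cloud_admin` and `admin_and_matching_project_domain_id` rules, the credential attributes a project-scoped token contributes (`project_id`, `project_domain_id`) versus a domain-scoped token (`domain_id`), that keystone passes the create request body to the policy engine as the target so that `%(project.parent_id)s` resolves, and the constructed tokens and request bodies.

```python
"""Added example for bug 1842397 (not keystone's or the reporter's code).

Minimal re-implementation of the oslo.policy rule grammar used in keystone's
policy.json, enough to evaluate the rules quoted in the bug report:

  rule:<name>          evaluate another named rule
  role:<name>          the token carries <name> in its role list
  <key>:<literal>      creds[<key>] == <literal>
  <key>:%(<path>)s     creds[<key>] == target[<path>]  (dotted path into the target)
  a and b, a or b      "and" binds tighter than "or"; parentheses are not supported

As in oslo.policy's GenericCheck, a missing attribute on either side fails
closed (the atom is False).  All tokens and request bodies below are
constructed sample data.
"""


def _lookup(mapping, dotted):
    """Resolve a 'project.parent_id' style path; KeyError if any part is absent."""
    cur = mapping
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            raise KeyError(dotted)
        cur = cur[part]
    return cur


def _check(term, rules, creds, target):
    """Evaluate one atomic check such as 'role:admin' or 'project_id:%(project.parent_id)s'."""
    kind, _, match = term.partition(":")
    if kind == "rule":
        return evaluate(match, rules, creds, target)
    if kind == "role":
        return match in creds.get("roles", [])
    try:
        left = _lookup(creds, kind)                 # left side always comes from the token
        if match.startswith("%(") and match.endswith(")s"):
            match = _lookup(target, match[2:-2])    # right side comes from the request target
    except KeyError:
        return False
    return str(left) == str(match)


def evaluate(rule_name, rules, creds, target):
    """Evaluate a named rule: a disjunction of conjunctions of atomic checks."""
    expr = rules[rule_name]
    return any(
        all(_check(t.strip(), rules, creds, target) for t in conj.split(" and "))
        for conj in expr.split(" or ")
    )


# Assumption: simplified stand-ins for rules in keystone's policy.v3cloudsample.json
# (the real cloud_admin rule also uses parentheses and is_admin_project).
SAMPLE_RULES = {
    "admin_required": "role:admin or is_admin:1",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "admin_and_matching_project_domain_id":
        "rule:admin_required and domain_id:%(project.domain_id)s",
}

# The two lines posted in the bug report, unchanged.
POSTED_RULES = dict(SAMPLE_RULES)
POSTED_RULES.update({
    "admin_and_matching_parent_project_id":
        "rule:admin_required and domain_id:%(project.domain_id)s and parent_id:%(project.parent_id)s",
    "identity:create_project":
        "rule:cloud_admin or rule:admin_and_matching_project_domain_id or rule:admin_and_matching_parent_project_id or role:project_admin",
})

# Suggested replacement (an assumption of this example, not a keystone-shipped rule).
# The left side of a check is read from the token's credentials: no token carries a
# 'parent_id' attribute, and a project-scoped token carries project_id and
# project_domain_id rather than domain_id, so both halves of the posted rule fail
# closed.  Comparing the token's own project_id with the requested parent_id is what
# pins creation to that one parent.
FIXED_RULES = dict(POSTED_RULES)
FIXED_RULES["admin_and_matching_parent_project_id"] = (
    "rule:admin_required and project_domain_id:%(project.domain_id)s "
    "and project_id:%(project.parent_id)s"
)

# Constructed credentials: 'admin' on parent project 'parent-a' in domain 'dom-1',
# with the token scoped to that parent project.
PARENT_ADMIN_TOKEN = {
    "user_id": "user-rajiv",
    "roles": ["admin"],
    "project_id": "parent-a",
    "project_domain_id": "dom-1",
}
# Constructed credentials for a domain-scoped admin token on 'dom-1'.
DOMAIN_ADMIN_TOKEN = {"user_id": "user-dom", "roles": ["admin"], "domain_id": "dom-1"}

# Constructed POST /v3/projects bodies.
CHILD_OF_A = {"name": "child", "domain_id": "dom-1", "parent_id": "parent-a"}
CHILD_OF_B = {"name": "child", "domain_id": "dom-1", "parent_id": "parent-b"}
TOP_LEVEL = {"name": "child", "domain_id": "dom-1"}      # no parent_id at all


def can_create(rules, creds, body):
    """Would identity:create_project pass for this token and request body?

    Assumption: keystone hands the request body to the policy engine as the
    target, so the rule sees it under 'project.*'.
    """
    return evaluate("identity:create_project", rules, creds, {"project": body})


if __name__ == "__main__":
    print("posted rule, own child  :", can_create(POSTED_RULES, PARENT_ADMIN_TOKEN, CHILD_OF_A))  # False
    print("fixed rule, own child   :", can_create(FIXED_RULES, PARENT_ADMIN_TOKEN, CHILD_OF_A))   # True
    print("fixed rule, other parent:", can_create(FIXED_RULES, PARENT_ADMIN_TOKEN, CHILD_OF_B))   # False
    print("fixed rule, top level   :", can_create(FIXED_RULES, PARENT_ADMIN_TOKEN, TOP_LEVEL))    # False
    print("domain admin, any parent:", can_create(FIXED_RULES, DOMAIN_ADMIN_TOKEN, CHILD_OF_B))   # True
```

Two things worth checking before relying on a rule like this in production. First, the right-hand side is taken from the request body as sent: if a client omits domain_id and relies on keystone to inherit it from the parent, `%(project.domain_id)s` has nothing to resolve and the check fails closed, so either require domain_id in the body or drop that half of the comparison. Second, a rule that fails policy is reported by keystone as 403 Forbidden ("You are not authorized to perform the requested action"), so an HTTP 401 "The request you have made requires authentication" points at the token itself (missing, expired, or scoped to a project the user has no role on) rather than at the policy line; confirm the parent-scoped token validates before touching policy.json. The example only covers identity:create_project; identity:update_project would need its own comparison against the target project's parent_id.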