
yahoo-eng-team team mailing list archive

[Bug 1842397] Re: Possibility for project level roles?


For these kinds of operations, you use role assignment inheritance.  Do
not attempt to enforce policy on parent project ID.

I wrote up an article about this about a year back.  CloudForms is just
the consumer, but the rules are the same.

 https://adam.younglogic.com/2018/02/openstack-hmt-cloudforms/

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1842397

Title:
  Possibility for project level roles?

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  Hi Team,

  I want to create project level roles, where this role should allow
  granting child-project management permissions to a user. It should
  allow a bearer of the role to create, update and list child-projects
  underneath a common parent project (the role-assignment of the user
  would be attached to the parent project).

  I added the below to policy.json:

  "admin_and_matching_parent_project_id": "rule:admin_required and domain_id:%(project.domain_id)s and parent_id:%(project.parent_id)s",
  "identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id or rule:admin_and_matching_parent_project_id or role:project_admin",

  Below are my concerns:
  1. Should the user be part of the admin project? Otherwise I get "The request you have made requires authentication. (HTTP 401)".
  2. How to restrict project creation to a specific parent project? Does it work in production?

  Do I create a parent_project_id column as mentioned in:
  https://bugzilla.redhat.com/show_bug.cgi?id=1235222
  https://specs.openstack.org/openstack/keystone-specs/specs/juno/hierarchical_multitenancy.html

  Any suggestions on how to fix the above?

  Regards,
  Rajiv

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1842397/+subscriptions
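Adam's reply recommends an inherited role assignment on the parent project instead of a policy rule that matches `parent_id`. The following is an added example, not code from this thread or from keystone itself, that models those semantics on a small project tree: an assignment made with the inherited flag on the parent applies to every descendant project, including ones created afterwards, but not to the parent itself, so no `parent_id` check in policy is needed. The class and function names, and the project ids, are constructed for the example; the user and role names are the ones from the bug report.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Set


@dataclass
class Project:
    id: str
    parent_id: Optional[str] = None


@dataclass
class Assignment:
    user: str
    role: str
    project_id: str
    inherited: bool = False  # True mirrors `openstack role add --inherited`


class Hierarchy:
    """Constructed model: projects plus role assignments, resolved by walking ancestors."""

    def __init__(self) -> None:
        self.projects: Dict[str, Project] = {}
        self.assignments: List[Assignment] = []

    def add_project(self, pid: str, parent_id: Optional[str] = None) -> None:
        if parent_id is not None and parent_id not in self.projects:
            raise KeyError(f"unknown parent project {parent_id}")
        self.projects[pid] = Project(pid, parent_id)

    def ancestors(self, pid: str) -> Iterator[str]:
        node = self.projects[pid]
        while node.parent_id is not None:
            node = self.projects[node.parent_id]
            yield node.id

    def effective_roles(self, user: str, pid: str) -> Set[str]:
        """Direct assignments count on the project itself; inherited ones count
        only on descendants of the project they were made on (keystone HMT rule)."""
        ancestors = set(self.ancestors(pid))
        roles: Set[str] = set()
        for a in self.assignments:
            if a.user != user:
                continue
            if (not a.inherited and a.project_id == pid) or (a.inherited and a.project_id in ancestors):
                roles.add(a.role)
        return roles


def build_demo() -> Hierarchy:
    """Constructed tree: parent -> child-a -> grandchild, plus an unrelated project."""
    h = Hierarchy()
    h.add_project("parent")
    h.add_project("child-a", "parent")
    h.add_project("grandchild", "child-a")
    h.add_project("other")
    # A single inherited assignment on the parent is the whole "project-level role".
    h.assignments.append(Assignment("rajiv", "project_admin", "parent", inherited=True))
    # A child created after the assignment is covered as well; no policy edit required.
    h.add_project("child-b", "parent")
    return h
```

Run `build_demo().effective_roles("rajiv", "child-b")` to see the role reach a project that did not exist when the assignment was made, while the same call on "parent" or "other" returns an empty set.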

