yahoo-eng-team team mailing list archive
Message #93048
[Bug 2028409] Re: Add domain_id config option to remove the need of cloud admin user when generating dynamic credentials
** Also affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2028409
Title:
Add domain_id config option to remove the need of cloud admin user
when generating dynamic credentials
Status in OpenStack Identity (keystone):
New
Status in tempest:
In Progress
Bug description:
Currently, generating dynamic credentials requires listing domains and
filtering the result by domain name to get the current/admin domain
object from the Keystone API (through the `/v3/domains` API). And as stated in
the default keystone policy, listing domains requires cloud_admin
privilege, which means we cannot use a domain admin to create test
accounts with tempest.
```
"identity:list_domains": "rule:cloud_admin",
```
A better behavior would be using the `/v3/domains/{domain_id}` API to get
the domain object directly so that only a domain admin user is needed
to generate test accounts. The benefit of reducing required user
privileges is isolating the test environment. This requires adding an
additional domain_id configuration option in the [auth] section.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2028409/+subscriptions
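Added example, not part of the original bug report and not tempest or Keystone code: a Python illustration of the lookup change the report proposes, run against an in-memory stand-in that enforces the quoted `identity:list_domains` rule. `StubKeystone`, `resolve_domain`, the sample domains and the rule applied to the single-domain lookup are assumptions made for the illustration.

```python
class Forbidden(Exception):
    """Raised by the stub when policy denies a call (HTTP 403 in Keystone)."""


class StubKeystone:
    """Constructed stand-in for the identity API; not Keystone code."""

    # Constructed sample data.
    DOMAINS = {"d-ops": {"id": "d-ops", "name": "ops"},
               "default": {"id": "default", "name": "Default"}}

    def __init__(self, role, scoped_domain_id=None):
        self.role = role                      # "cloud_admin" or "domain_admin"
        self.scoped_domain_id = scoped_domain_id
        self.calls = []                       # API paths requested, for auditing

    def list_domains(self):
        # Mirrors the quoted policy: "identity:list_domains": "rule:cloud_admin"
        self.calls.append("GET /v3/domains")
        if self.role != "cloud_admin":
            raise Forbidden("identity:list_domains")
        return list(self.DOMAINS.values())

    def show_domain(self, domain_id):
        # Assumption: a domain admin may read only the domain it is scoped to.
        self.calls.append(f"GET /v3/domains/{domain_id}")
        if self.role != "cloud_admin" and domain_id != self.scoped_domain_id:
            raise Forbidden("identity:get_domain")
        return self.DOMAINS[domain_id]


def resolve_domain(client, domain_name, domain_id=None):
    """Return the domain object, using the direct lookup when domain_id is set."""
    if domain_id:
        # Proposed path: one call, no domain enumeration, no cloud_admin needed.
        return client.show_domain(domain_id)
    # Current path: enumerate every domain, then filter by name.
    matches = [d for d in client.list_domains() if d["name"] == domain_name]
    if not matches:
        raise LookupError(f"domain {domain_name!r} not found")
    return matches[0]


if __name__ == "__main__":
    domain_admin = StubKeystone("domain_admin", scoped_domain_id="d-ops")
    print(resolve_domain(domain_admin, "ops", domain_id="d-ops"))
    print(domain_admin.calls)
```

The `calls` list shows that the configured-ID path never requests the domain listing, so the test account only needs rights over its own domain.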