<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 11/01/2016 05:17 PM, Taisto Qvist
      wrote:<br>
    </div>
    <blockquote
cite="mid:CANMgGe9AL_1uP0sGbeoD_0qFfQAEejDRTD_jwKu7rAqh1Bxh+A@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>
              <div>
                <div>
                  <div>
                    <div>
                      <div>
                        <div>
                          <div>Hi folks, <br>
                            <br>
                          </div>
                          I've run into a wall with getting OpenStack
                          domain auth working, and I don't know where to
                          get help, so I am trying here. I've created a
                          question on:<br>
                          <br>
                          <a moz-do-not-send="true"
href="https://ask.openstack.org/en/question/98429/project-specific-admin-unable-to-list-users-or-use-horizon/">https://ask.openstack.org/en/question/98429/project-specific-admin-unable-to-list-users-or-use-horizon/</a><br>
                          <br>
                        </div>
                        ..but no-one seems to be able to help.<br>
                        <br>
                      </div>
                      Since I wrote that, I've gotten as far as creating
                      a working cloud-wide admin (the policy trigger for
                      cloud_admin matching against domain_id didn't seem
                      to work for the default domain...?), and that user
                      is now working fine as super-mega-admin.<br>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    Can you post what your cloud_admin rule looks like?<br>
    <br>
    <br>
    <blockquote
cite="mid:CANMgGe9AL_1uP0sGbeoD_0qFfQAEejDRTD_jwKu7rAqh1Bxh+A@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>
              <div>
                <div>
                  <div>
                    <div><br>
                    </div>
                    But my old admin user, that has admin rights only in
                    the default domain, admin project, can't list users
                    or projects in the default domain.<br>
                  </div>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    admin_and_matching_domain_id: but his domain must not be matching.
    If he has a domain-scoped token for another domain, it will not be
    valid for the default.<br>
    <br>
    <blockquote
cite="mid:CANMgGe9AL_1uP0sGbeoD_0qFfQAEejDRTD_jwKu7rAqh1Bxh+A@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>
              <div>
                <div>
                  <div><br>
                  </div>
                  And surely he should be able to, with the rules:<br>
                  <br>
                  <pre wrap="">    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",</pre>
                  <br>
                </div>
                I've tried to find comprehensive and up-to-date references
                on how to read the policy.json syntax, but with no success,
                so I am unsure how to interpret the rule exactly.<br>
              </div>
              I tried changing to:<br>
              <br>
              <pre wrap="">    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(<i>target</i>.domain_id)s",</pre>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    Have you been using the CLI to test your changes? It might greatly
    simplify things.  I'd also recommend using pdb and actually stepping
    through the code executed:  you can learn a lot this way.<br>
    <br>
    <blockquote
cite="mid:CANMgGe9AL_1uP0sGbeoD_0qFfQAEejDRTD_jwKu7rAqh1Bxh+A@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div><br>
            </div>
            after looking at the rule for:<br>
            <br>
            <pre wrap="">    "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",</pre>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    Again, in this rule, you have explicit matching.  The token either
    needs to match the domain ID or the project ID.<br>
    <br>
    <blockquote
cite="mid:CANMgGe9AL_1uP0sGbeoD_0qFfQAEejDRTD_jwKu7rAqh1Bxh+A@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div><br>
          </div>
          But it didn't help. During the failure, I can see keystone
          logging:<br>
          <br>
          <pre wrap="">2016-11-01 22:16:24.521 4824 INFO keystone.common.wsgi [req-46e3301f-f234-434b-a013-5aa2297b6119 admin_User admin_Prj - default default] GET http://172.16.12.100:35357/v3/projects/admin_Prj</pre>
          <br>
        </div>
        <div>(where admin_User/admin_Prj are the UUIDs, regexped)<br>
        </div>
        <div><br>
        </div>
        What is wrong? Where can I learn how to do this?<br>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
rdo-list mailing list
<a class="moz-txt-link-abbreviated" href="mailto:rdo-list@redhat.com">rdo-list@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/rdo-list">https://www.redhat.com/mailman/listinfo/rdo-list</a>

To unsubscribe: <a class="moz-txt-link-abbreviated" href="mailto:rdo-list-unsubscribe@redhat.com">rdo-list-unsubscribe@redhat.com</a></pre>
    </blockquote>
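    <p>The explicit matching discussed in this exchange is easier to see
    when the policy language is run over an actual token. What follows is
    an added example, not keystone or oslo.policy code and not part of the
    original messages: a small Python evaluator for the "rule:", "role:"
    and "attribute:%(target)s" checks used in the rules above, with
    constructed sample credentials. The IDs "default", "other_domain",
    "admin_Prj", "admin_User" and the placeholder "admin_domain_id" are
    assumptions, as is the exact wording of the admin_required and
    cloud_admin rules (modelled on the shape of keystone's
    policy.v3cloudsample.json). It shows why a project-scoped token fails
    "domain_id:%(domain_id)s" (it carries no domain_id credential at all),
    why a domain-scoped token for another domain fails the same check, and
    how the "project_id:%(target.project.id)s" branch of identity:get_project
    lets a project-scoped admin read its own project.</p>

```python
"""Added example: a toy evaluator for the subset of the keystone policy.json
language used in this thread.  It is not keystone or oslo.policy code; it
mimics the semantics of oslo.policy's rule, role and generic checks so the
two forms of the domain check can be compared side by side.  The domain,
project and user IDs below are constructed sample values."""


def flatten_dict(d, parent_key=""):
    """Flatten nested dicts to dotted keys.  Keystone wraps and flattens the
    API target the same way, which is why %(target.project.id)s resolves
    against {"target": {"project": {"id": ...}}}."""
    flat = {}
    for key, value in d.items():
        dotted = "%s.%s" % (parent_key, key) if parent_key else key
        if isinstance(value, dict):
            flat.update(flatten_dict(value, dotted))
        else:
            flat[dotted] = value
    return flat


def check_atom(atom, target, creds, rules):
    """Evaluate one 'kind:match' term against the token credentials."""
    kind, _, match = atom.partition(":")
    if kind == "rule":                       # RuleCheck: recurse into a named rule
        return check_rule(rules[match], target, creds, rules)
    if kind == "role":                       # RoleCheck: role present in the token
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    # GenericCheck: substitute target attributes into the right-hand side
    # ("%(domain_id)s" becomes the requested domain), then compare with the
    # credential attribute named on the left-hand side.  A missing key on
    # either side fails closed, which is what trips a project-scoped token:
    # it simply carries no "domain_id" credential.
    try:
        expected = match % target
    except KeyError:
        return False
    if kind not in creds:
        return False
    return str(creds[kind]) == expected


def check_rule(expr, target, creds, rules):
    """'or' binds loosest, 'and' tightest; no parentheses in this subset."""
    return any(
        all(check_atom(atom.strip(), target, creds, rules)
            for atom in disjunct.split(" and "))
        for disjunct in expr.split(" or ")
    )


# Rules quoted in the thread plus the admin_required / cloud_admin rules they
# depend on (assumed wording; "admin_domain_id" is a placeholder for the real
# cloud-admin domain ID).
RULES = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "admin_and_matching_domain_id":
        "rule:admin_required and domain_id:%(domain_id)s",
    "admin_and_matching_target_project_domain_id":
        "rule:admin_required and domain_id:%(target.project.domain_id)s",
    "identity:list_users":
        "rule:cloud_admin or rule:admin_and_matching_domain_id",
    "identity:get_project":
        "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id"
        " or project_id:%(target.project.id)s",
}

# Constructed sample tokens.  A project-scoped token carries project_id and
# project_domain_id; only a domain-scoped token carries domain_id.
PROJECT_ADMIN = {"roles": ["admin"], "user_id": "admin_User",
                 "project_id": "admin_Prj", "project_domain_id": "default"}
DOMAIN_ADMIN_DEFAULT = {"roles": ["admin"], "user_id": "admin_User",
                        "domain_id": "default"}
DOMAIN_ADMIN_OTHER = {"roles": ["admin"], "user_id": "other_User",
                      "domain_id": "other_domain"}


def enforce(action, target, creds):
    """Mirror keystone's protected-call check: flatten the target, then
    evaluate the action's rule against it and the token credentials."""
    return check_rule(RULES[action], flatten_dict(target), creds, RULES)


if __name__ == "__main__":
    users_target = {"domain_id": "default"}
    project_target = {"target": {"project": {"id": "admin_Prj",
                                             "domain_id": "default"}}}
    for name, creds in [("project-scoped admin", PROJECT_ADMIN),
                        ("domain-scoped admin, default", DOMAIN_ADMIN_DEFAULT),
                        ("domain-scoped admin, other", DOMAIN_ADMIN_OTHER)]:
        print("%-30s list_users=%-5s get_project=%s" % (
            name,
            enforce("identity:list_users", users_target, creds),
            enforce("identity:get_project", project_target, creds)))
```

    <p>Run stand-alone it prints one row per token. Only the token that is
    domain-scoped to "default" passes identity:list_users for that domain;
    the project-scoped admin passes identity:get_project only through the
    project_id branch, and the admin of another domain passes neither. To
    see the same thing against a real deployment, request a domain-scoped
    token with the CLI (OS_DOMAIN_ID / --os-domain-id instead of a project
    scope) and compare the results with the project-scoped token the log
    line above shows.</p>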
    <p><br>
    </p>
  </body>
</html>