Behaviour of all_tenants with Keystone V3 Domains?

Asked by justinsb

How is server listing with all_tenants supposed to work with Keystone domains? If I'm an admin of Domain1, I'm likely not an admin of Domain2. So, presumably all_tenants in a Domain1 project should list all projects under Domain1, but not those under Domain2.

But I thought nova wasn't aware of Keystone domains (?)...

How is this supposed to work?

Question information

Language: English
Status: Answered
For: OpenStack Compute (nova)
Assignee: No assignee
Matt Riedemann (mriedem) said :
#1

Can you post the question to the mailing list?

https://wiki.openstack.org/wiki/Mailing_Lists#General_List

David Lyle (david-lyle) said :
#2

Keystone doesn't currently have a role for Domain admin. You are either admin (super admin) or member. I agree that this is highly problematic. The behavior of all_tenants does not honor domain boundaries as there is no built-in role there.
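
A small model of the behaviour described in the answer above, added here as an illustration; it is not nova or Keystone code and not part of the original thread. The `Context` class, the function names, the sample data and the fallback for non-admin callers are all assumptions made for the example. It contrasts a listing gated only on a global `admin` role with a domain-aware filter that needs the project-to-domain mapping from Keystone.

```python
from dataclasses import dataclass

# Constructed sample data: project -> owning Keystone domain.
PROJECT_DOMAIN = {"p1": "Domain1", "p2": "Domain1", "p3": "Domain2"}

# Constructed sample server records (id, owning project).
SERVERS = [
    {"id": "srv-a", "project_id": "p1"},
    {"id": "srv-b", "project_id": "p2"},
    {"id": "srv-c", "project_id": "p3"},
]


@dataclass
class Context:
    """Hypothetical request context: token scope plus role names."""
    project_id: str
    domain_id: str
    roles: frozenset


def list_servers(ctx, servers, all_tenants=False):
    """Model of the behaviour described above: one global admin role,
    so all_tenants ignores which domain the caller belongs to."""
    if all_tenants and "admin" in ctx.roles:
        return list(servers)
    # Assumption of this model: non-admins only ever see their own project.
    return [s for s in servers if s["project_id"] == ctx.project_id]


def list_servers_domain_scoped(ctx, servers, project_domain):
    """Domain-aware variant: an admin sees only projects in their domain.
    Projects missing from the mapping are excluded (fail closed)."""
    if "admin" not in ctx.roles:
        return [s for s in servers if s["project_id"] == ctx.project_id]
    return [s for s in servers
            if project_domain.get(s["project_id"]) == ctx.domain_id]


def cross_domain_exposure(ctx, servers, project_domain):
    """Server ids an all_tenants listing returns from outside ctx's domain."""
    visible = list_servers(ctx, servers, all_tenants=True)
    return sorted(s["id"] for s in visible
                  if project_domain.get(s["project_id"]) != ctx.domain_id)
```

`cross_domain_exposure` doubles as an audit check: any non-empty result for an admin who is meant to be confined to one domain shows what that role assignment actually grants.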
