Questions[openstack-keystone](server)

I have an openstack victoria cloud setup. I am using default policy of keystone and have not made any changes to that policy.

I have created a test user names testuser in openstack. I assigned it primary project as testproject and admin role. But when I login as testuser, I am able to access the admin project as well. Its like my scope is not limited to testproject.

According to the documentation

https://docs.openstack.org/keystone/latest/admin/service-api-protection.html

Project administrators can only view and modify data within the project they have authorization on. They’re able to view information about their projects and set tags on their projects. They’re not allowed to view system or domain resources, as that would violate the tenancy of their role assignment. Since the majority of the resources in keystone’s API are system and domain-specific, project administrators don’t have much authorization.

openstack role assignment list --names --project testproject --role admin
+-------+------------------+-------+---------------------+--------+--
| Role  | User             | Group | Project             | Domain | System | Inherited |
+-------+------------------+-------+---------------------+--------+--
| admin | testuser@Default |       | testproject@Default |        |        | False     |
+-------+------------------+-------+---------------------+--------+--

# openstack role assignment list --names --project admin
+-------+---------------+-------+---------------+--------+--------+--
| Role  | User          | Group | Project       | Domain | System | Inherited |
+-------+---------------+-------+---------------+--------+--------+--
| admin | admin@Default |       | admin@Default |        |        | False     |
+-------+---------------+-------+---------------+--------+--------+--

What should I do to limit user to the scope of its assigned primary project?

It seems theoretically possible for me to ssh to my instance in OpenStack through credentials and instance id/network IP(Not floating IP) etc. Is it possible, am I missing something? Is it simply a feature not yet supported?

I think most of the things have a separate ID and a separate Name in Openstack (Users, Projects, virtual machines, etc). Why don't identity providers have separate IDs and Names? Are there other objects like this? Is there a rule why specific entities must have both IDs and Names while others can live without a separate Name?

$ openstack identity provider list
+----------------+---------+-------------+
| ID             | Enabled | Description |
+----------------+---------+-------------+
| cloud1         | True    | None        |
+----------------+---------+-------------+

I am configuring Glance to authenticate against Keystone. It works but I am unsure exactly how some of the authentication options interact.

I started with the configuring glance documentation, but this doesn't actually document any of these options. I found the authentication documentation, which discusses some of them, but does not actually document auth_uri.

The example glance configuration in the OpenStack Install and Deploy Manual looks like this:

[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = 127.0.0.1
service_port = 5000
auth_host = 127.0.0.1
auth_port = 35357
auth_protocol = http
auth_uri = http://127.0.0.1:5000/
admin_token = 012345SECRET99TOKEN012345

The authentication documentation says:

Those variables beginning with auth_ point to the Keystone Admin service. This information is used by the middleware to actually query Keystone about the validity of the authentication tokens.

Okay. So how does auth_uri interact with auth_host, auth_port, and auth_protocol? Can one simply provide auth_uri and discard the other options? Is there a corresponding service_uri configuration option? And why does the port in auth_uri correspond to the service_port in the above configuration instead of the auth_port?

Keystone refers to port 35357 as the "admin" port, which to me suggests that this would only be required for administration of keystone (creating/deleting services, tenants, etc). Glance instead refers to this as the "auth" port, which suggests a different use. What exactly is provided by the service on port 35357 that is not provided by the service on port 5000?

I followed the guide on hastexo to create an OpenStack Cloud. The Keystone service and the are supposed to run on separate machines. However, when I wanted to run glance-api in the console for debugging I had the following error:

ERROR: Unable to load glance-api-keystone from configuration file /etc/glance/glance-api-paste.ini. Got: ImportError('No module named keystone.middleware.auth_token',)

So the Glance API isn't running. I'm running Ubuntu 12.04 LTS and Openstack Essex.