<div dir="ltr">I think this is a common requirement for users who want to use Keystone v3. I filed a blueprint for it: <a href="https://blueprints.launchpad.net/horizon/+spec/domain-based-rbac">https://blueprints.launchpad.net/horizon/+spec/domain-based-rbac</a>. </div>
<div class="gmail_extra"><br><br><div class="gmail_quote">2014-04-24 23:30 GMT+08:00 Roman Bodnarchuk <span dir="ltr"><<a href="mailto:roman.bodnarchuk@indigitus.ch" target="_blank">roman.bodnarchuk@indigitus.ch</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  

    
  
  <div bgcolor="#FFFFFF" text="#000000">
    Hello,<br>
    <br>
    As far as I can tell, Horizon uses python-openstack-auth to
    authenticate users.  At the same time, the
    openstack_auth.KeystoneBackend.authenticate method generates only
    project-scoped tokens.<br>
    <br>
    After enabling policy checks in Keystone, I tried to view the list of
    all projects on the Admin panel and got "<strong>Error:</strong> Unauthorized: Unable to retrieve project list."
    on the dashboard and the following in the Keystone log:<br>
    <br>
    <tt>enforce identity:list_projects: {'project_id':<br>
      u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id':<br>
      u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}<br>
    ...<br>
    WARNING keystone.common.wsgi [-] You are not authorized to<br>
      perform the requested action, identity:list_projects.</tt><br>
    <br>
    This is expected, since the user's token is scoped to a project, and no
    access to domain-wide resources should be allowed.<br>
    <br>
    How can I work around this?  Is it possible to use policy checks on
    the Keystone side while working with Horizon?<br>
    <br>
    I am using stable/icehouse and Keystone API v3.<br>
    <br>
    Thanks,<br>
    Roman<br>
  </div>

<br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><div style="color:rgb(0,0,0);font-family:arial;font-size:small">Tang Yaguang</div><div style="color:rgb(0,0,0);font-family:arial;font-size:small">
<br></div><div style="color:rgb(0,0,0);font-family:arial;font-size:small">Canonical Ltd. | <a href="http://www.ubuntu.com/" target="_blank">www.ubuntu.com</a> | <a href="http://www.canonical.com/" target="_blank">www.canonical.com</a></div>
<div style="color:rgb(0,0,0);font-family:arial;font-size:small">Mobile:  +86 152 1094 6968</div><div style="color:rgb(0,0,0);font-family:arial;font-size:small">gpg key: 0x187F664F</div><div style="color:rgb(0,0,0);font-family:arial;font-size:small">
 </div></div>
</div>
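<p>The denial in the quoted Keystone log comes down to one detail of the credentials dict it prints: a project-scoped token carries <tt>project_id</tt> but no <tt>domain_id</tt>, so any rule that compares <tt>domain_id</tt> can never match. The following is an added illustration, not code from Keystone, Horizon, or either poster: a stand-alone re-implementation of a small subset of the policy language Keystone evaluates (<tt>rule:</tt>, <tt>role:</tt>, generic <tt>key:%(target_key)s</tt> and <tt>key:literal</tt> checks joined by <tt>and</tt>/<tt>or</tt>; no parentheses or <tt>not</tt>). It runs the credentials from the log against two rule sets: the <tt>rule:admin_required</tt> rule from the default <tt>policy.json</tt>, and a domain-aware rule set modelled on Keystone's <tt>policy.v3cloudsample.json</tt> (the exact rule text there is an assumption). The domain-scoped credentials, the domain id <tt>default</tt> and the request target are constructed for the example.</p>

```python
# Added example: a minimal evaluator for a subset of Keystone's policy
# language.  It is NOT Keystone's engine (keystone.openstack.common.policy
# in Icehouse); it only reproduces enough of the semantics to show why a
# project-scoped token fails a domain-aware 'identity:list_projects' rule.
# Supported atoms: 'rule:<name>', 'role:<name>', '<key>:%(<target_key>)s',
# '<key>:<literal>', '@' (always true), '!' (always false); atoms are joined
# by 'and' / 'or', with 'and' binding tighter, as in oslo.policy.

# The rule shipped in the default policy.json for Icehouse: any token that
# carries the admin role passes, regardless of scope.
DEFAULT_POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "identity:list_projects": "rule:admin_required",
}

# Domain-aware rules modelled on policy.v3cloudsample.json (assumption: the
# wording in the real file may differ slightly between releases).
DOMAIN_AWARE_POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "admin_and_matching_domain_id":
        "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_projects":
        "rule:cloud_admin or rule:admin_and_matching_domain_id",
}

# Credentials exactly as the quoted Keystone log line prints them for a
# project-scoped token.  Note the absence of a 'domain_id' key.
PROJECT_SCOPED_CREDS = {
    "project_id": "80d91944f5af4c53ad5df4e386376e08",
    "group_ids": [],
    "user_id": "ed14fd91122b47d2a6f575499ed0c4bb",
    "roles": ["admin"],
}

# What the same user would carry with a domain-scoped token (constructed;
# the domain id 'default' is an assumption for the example).
DOMAIN_SCOPED_CREDS = {
    "domain_id": "default",
    "group_ids": [],
    "user_id": "ed14fd91122b47d2a6f575499ed0c4bb",
    "roles": ["admin"],
}

# Target of a list_projects call filtered by domain (constructed).
TARGET = {"domain_id": "default"}


def _check_atom(atom, creds, target, policy):
    """Evaluate a single policy atom against creds and target."""
    atom = atom.strip()
    if atom == "@":
        return True
    if atom == "!":
        return False
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return enforce(value, creds, target, policy)
    if kind == "role":
        return value in creds.get("roles", [])
    if value.startswith("%(") and value.endswith(")s"):
        # Generic check against the target, e.g. domain_id:%(domain_id)s.
        # A missing target key is a failed check, as in oslo.policy.
        wanted = target.get(value[2:-2])
        return wanted is not None and creds.get(kind) == wanted
    # Literal comparison, e.g. is_admin:1 or domain_id:admin_domain_id.
    return kind in creds and str(creds[kind]) == value


def enforce(action, creds, target, policy):
    """Return True if creds may perform action on target under policy.

    'or' separates alternatives; each alternative is an 'and' conjunction.
    An action with no rule is denied (Keystone would consult 'default').
    """
    expr = policy.get(action)
    if expr is None:
        return False
    return any(
        all(_check_atom(atom, creds, target, policy)
            for atom in alternative.split(" and "))
        for alternative in expr.split(" or ")
    )


def can_list_projects(creds, policy, target=TARGET):
    """Convenience wrapper for the action that fails in the quoted log."""
    return enforce("identity:list_projects", creds, target, policy)


if __name__ == "__main__":
    for scope, creds in (("project-scoped", PROJECT_SCOPED_CREDS),
                         ("domain-scoped", DOMAIN_SCOPED_CREDS)):
        for name, policy in (("default policy.json", DEFAULT_POLICY),
                             ("domain-aware policy", DOMAIN_AWARE_POLICY)):
            verdict = "allowed" if can_list_projects(creds, policy) else "DENIED"
            print("%-15s token, %-20s: identity:list_projects %s"
                  % (scope, name, verdict))
```

<p>Under the default <tt>policy.json</tt> rule the project-scoped admin credentials are allowed, so a denial like the one in the log implies a rule set that compares <tt>domain_id</tt>; with such a rule set only the constructed domain-scoped credentials pass, which is exactly what Horizon's project-scoped tokens cannot provide.</p>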