<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hello,<br>
<br>
Does this mean that there is no real support for non-default domains
in Horizon?<br>
<br>
Thanks,<br>
Roman<br>
<br>
<div class="moz-cite-prefix">On 5/5/2014 2:30 PM, Yaguang Tang
wrote:<br>
</div>
<blockquote
cite="mid:CA+GwYPfmBJvm=J1vFX8eAfbOHQVk927QvbmMO3iBNP0ewG-RJg@mail.gmail.com"
type="cite">
      <div dir="ltr">I think this is a common requirement for users who
        want to use Keystone v3. I filed a blueprint for it <a
          moz-do-not-send="true"
href="https://blueprints.launchpad.net/horizon/+spec/domain-based-rbac">https://blueprints.launchpad.net/horizon/+spec/domain-based-rbac</a>. </div>
<div class="gmail_extra"><br>
<br>
        <div class="gmail_quote">2014-04-24 23:30 GMT+08:00 Roman
          Bodnarchuk <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:roman.bodnarchuk@indigitus.ch"
              target="_blank">roman.bodnarchuk@indigitus.ch</a>&gt;</span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hello,<br>
<br>
              As far as I can tell, Horizon uses python-openstack-auth
              to authenticate users. At the same time, the
              openstack_auth.KeystoneBackend.authenticate method
              generates only project-scoped tokens.<br>
<br>
              After enabling policy checks in Keystone, I tried to view
              a list of all projects on Admin panel and got
              "<strong>Error: </strong>Unauthorized: Unable to retrieve
              project list." on dashboard
              and the following in Keystone log:<br>
<br>
<tt>enforce identity:list_projects: {'project_id':
u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [],
'user_id': u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles':
[u'admin']}</tt><tt><br>
</tt><tt>...</tt><tt><br>
</tt><tt>WARNING keystone.common.wsgi [-] You are not
authorized to perform the requested action,
identity:list_projects.</tt><tt> </tt><br>
<br>
              This is expected, since the user's token is scoped to a project,
              and no access to domain-wide resources should be allowed.<br>
              <br>
              How can I work around this? Is it possible to use policy
              checks on the Keystone side while working with Horizon?<br>
<br>
I am using stable/icehouse and Keystone API v3.<br>
<br>
Thanks,<br>
Roman<br>
</div>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a moz-do-not-send="true"
href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr">
<div
style="color:rgb(0,0,0);font-family:arial;font-size:small">Tang
Yaguang</div>
<div
style="color:rgb(0,0,0);font-family:arial;font-size:small">
<br>
</div>
<div
style="color:rgb(0,0,0);font-family:arial;font-size:small">Canonical
Ltd. | <a moz-do-not-send="true"
href="http://www.ubuntu.com/" target="_blank">www.ubuntu.com</a> | <a
moz-do-not-send="true" href="http://www.canonical.com/"
target="_blank">www.canonical.com</a></div>
<div
style="color:rgb(0,0,0);font-family:arial;font-size:small">Mobile:
+86 152 1094 6968</div>
<div
style="color:rgb(0,0,0);font-family:arial;font-size:small">gpg
key: 0x187F664F</div>
<div
style="color:rgb(0,0,0);font-family:arial;font-size:small">
</div>
</div>
</div>
<br>
</blockquote>
<br>
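    <div>Added example (not part of the thread, and not code from Horizon, python-openstack-auth or Keystone): a simplified Python model of why the project-scoped credentials in the log above fail identity:list_projects while domain-scoped ones pass. The rule is modeled on Keystone's policy.v3cloudsample.json, which is an assumption about the policy in use; the helper names and domain ids are constructed.</div>

```python
# Added illustration; helper names and domain ids are constructed, not Keystone APIs.
USER_ID = "ed14fd91122b47d2a6f575499ed0c4bb"      # user_id from the log in the thread
PROJECT_ID = "80d91944f5af4c53ad5df4e386376e08"   # project_id from the log in the thread
ADMIN_DOMAIN_ID = "constructed-admin-domain-id"   # placeholder for admin_domain_id
OTHER_DOMAIN_ID = "constructed-other-domain-id"   # placeholder for a tenant domain


def v3_auth_body(user_id, password, scope):
    """Body for POST /v3/auth/tokens; `scope` selects a project or a domain."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"id": user_id, "password": password}}},
        "scope": scope,
    }}


def policy_credentials(user_id, roles, scope):
    """Simplified model of the credential dict passed to policy enforcement.

    A project-scoped token yields project_id and no domain_id, which is
    the shape of the dict in the Keystone log line quoted in the thread.
    """
    creds = {"user_id": user_id, "roles": list(roles), "group_ids": []}
    if "project" in scope:
        creds["project_id"] = scope["project"]["id"]
    if "domain" in scope:
        creds["domain_id"] = scope["domain"]["id"]
    return creds


def may_list_projects(creds, target_domain_id, admin_domain_id=ADMIN_DOMAIN_ID):
    """Assumed rule: cloud_admin or admin_and_matching_domain_id."""
    admin_required = "admin" in creds["roles"]
    token_domain = creds.get("domain_id")  # absent on a project-scoped token
    cloud_admin = admin_required and token_domain == admin_domain_id
    matching = (admin_required and token_domain is not None
                and token_domain == target_domain_id)
    return cloud_admin or matching


if __name__ == "__main__":
    for scope in ({"project": {"id": PROJECT_ID}},
                  {"domain": {"id": ADMIN_DOMAIN_ID}}):
        creds = policy_credentials(USER_ID, ["admin"], scope)
        print(sorted(creds), may_list_projects(creds, OTHER_DOMAIN_ID))
```

    <div>Both tokens carry the admin role; only the scope differs, and that alone decides the outcome of the domain-wide call.</div>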
</body>
</html>