<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Hello,<br>
    <br>
    Does this mean that there is no real support for non-default domains
    in Horizon?<br>
    <br>
    Thanks,<br>
    Roman<br>
    <br>
    <div class="moz-cite-prefix">On 5/5/2014 2:30 PM, Yaguang Tang
      wrote:<br>
    </div>
    <blockquote
cite="mid:CA+GwYPfmBJvm=J1vFX8eAfbOHQVk927QvbmMO3iBNP0ewG-RJg@mail.gmail.com"
      type="cite">
      <div dir="ltr">I think this is a common requirement for users who
        want to use Keystone v3. I filed a blueprint for it <a
          moz-do-not-send="true"
          href="https://blueprints.launchpad.net/horizon/+spec/domain-based-rbac">https://blueprints.launchpad.net/horizon/+spec/domain-based-rbac</a>. </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">2014-04-24 23:30 GMT+08:00 Roman
          Bodnarchuk <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:roman.bodnarchuk@indigitus.ch"
              target="_blank">roman.bodnarchuk@indigitus.ch</a>&gt;</span>:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"> Hello,<br>
              <br>
              As far as I can tell, Horizon uses python-openstack-auth
              to authenticate users.  At the same time, the
              openstack_auth.KeystoneBackend.authenticate method
              generates only project-scoped tokens.<br>
              <br>
              After enabling policy checks in Keystone, I tried to view
              a list of all projects on the Admin panel and got
              "<strong>Error:</strong> <span>Unauthorized:
                Unable to retrieve project list.</span>" on the dashboard
              and the following in the Keystone log:<br>
              <br>
              <tt>enforce identity:list_projects: {'project_id':
                u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [],
                'user_id': u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles':
                [u'admin']}</tt><tt><br>
              </tt><tt>...</tt><tt><br>
              </tt><tt>WARNING keystone.common.wsgi [-] You are not
                authorized to perform the requested action,
                identity:list_projects.</tt><tt> </tt><br>
              <br>
              This is expected, since the user's token is scoped to a
              project, and no access to domain-wide resources should be allowed.<br>
              <br>
              How can I work around this?  Is it possible to use policy
              checks on the Keystone side while working with Horizon?<br>
              <br>
              I am using stable/icehouse and Keystone API v3.<br>
              <br>
              Thanks,<br>
              Roman<br>
            </div>
            <br>
            _______________________________________________<br>
            OpenStack-dev mailing list<br>
            <a moz-do-not-send="true"
              href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
            <a moz-do-not-send="true"
              href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
              target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
            <br>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div dir="ltr">
          <div
            style="color:rgb(0,0,0);font-family:arial;font-size:small">Tang
            Yaguang</div>
          <div
            style="color:rgb(0,0,0);font-family:arial;font-size:small">
            <br>
          </div>
          <div
            style="color:rgb(0,0,0);font-family:arial;font-size:small">Canonical
            Ltd. | <a moz-do-not-send="true"
              href="http://www.ubuntu.com/" target="_blank">www.ubuntu.com</a> | <a
              moz-do-not-send="true" href="http://www.canonical.com/"
              target="_blank">www.canonical.com</a></div>
          <div
            style="color:rgb(0,0,0);font-family:arial;font-size:small">Mobile:
             +86 152 1094 6968</div>
          <div
            style="color:rgb(0,0,0);font-family:arial;font-size:small">gpg
            key: 0x187F664F</div>
          <div
            style="color:rgb(0,0,0);font-family:arial;font-size:small">
             </div>
        </div>
      </div>
      <br>
    </blockquote>
    <br>
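    Added example, not part of the original messages or of Horizon/Keystone code: it builds the Keystone v3 auth request body with a project scope and with a domain scope, then evaluates a domain-aware rule against the resulting credentials to show why the project-scoped token in the quoted log is refused. The rule form <tt>role:admin and domain_id:%(domain_id)s</tt>, the domain id and the password are assumptions; the thread does not show the policy file in use.<br>

```python
# Added illustration; the policy rule and the domain id are assumptions, not from the page.
PROJECT_ID = "80d91944f5af4c53ad5df4e386376e08"   # from the quoted Keystone log
USER_ID = "ed14fd91122b47d2a6f575499ed0c4bb"      # from the quoted Keystone log
DOMAIN_ID = "example-domain-id"                   # constructed placeholder


def v3_auth_body(user_id, password, scope):
    """Body for POST /v3/auth/tokens; 'scope' decides what the token is bound to."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"id": user_id, "password": password}}},
        "scope": scope,
    }}


def credentials_for(user_id, roles, scope):
    """Credential dict in the shape of the 'enforce identity:list_projects' log line."""
    creds = {"user_id": user_id, "group_ids": [], "roles": list(roles)}
    if "project" in scope:
        creds["project_id"] = scope["project"]["id"]
    if "domain" in scope:
        creds["domain_id"] = scope["domain"]["id"]
    return creds


def admin_and_matching_domain(creds, target):
    """Assumed rule: role:admin and domain_id:%(domain_id)s."""
    domain = creds.get("domain_id")
    return ("admin" in creds["roles"]
            and domain is not None
            and domain == target.get("domain_id"))


def compare_scopes():
    """Evaluate the assumed rule for a project-scoped and a domain-scoped token."""
    target = {"domain_id": DOMAIN_ID}  # listing projects within this domain
    scopes = {"project": {"project": {"id": PROJECT_ID}},
              "domain": {"domain": {"id": DOMAIN_ID}}}
    results = {}
    for name, scope in scopes.items():
        body = v3_auth_body(USER_ID, "constructed-password", scope)
        creds = credentials_for(USER_ID, ["admin"], body["auth"]["scope"])
        results[name] = admin_and_matching_domain(creds, target)
    return results


if __name__ == "__main__":
    print(compare_scopes())
```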
  </body>
</html>