<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13.63636302947998px;font-weight:bold;white-space:nowrap">Roman,</span><br><div><span style="font-family:arial,sans-serif;font-size:13.63636302947998px;font-weight:bold;white-space:nowrap"><br>
</span></div><div><font face="arial, sans-serif"><span style="white-space:nowrap">It's not fully supported. Right now domain, project, and user management isn't supported within admin user or domain user, but you can log in with domain user</span></font></div>
<div><font face="arial, sans-serif"><span style="white-space:nowrap">and operate as a normal user.</span></font></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2014-05-06 16:23 GMT+08:00 Roman Bodnarchuk <span dir="ltr"><<a href="mailto:roman.bodnarchuk@indigitus.ch" target="_blank">roman.bodnarchuk@indigitus.ch</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Hello,<br>
<br>
Does this mean that there is no real support for non-default domains
in Horizon?<br>
<br>
Thanks,<br>
Roman<div><div class="h5"><br>
<br>
<div>On 5/5/2014 2:30 PM, Yaguang Tang
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I think this is a common requirement for users who
want to use Keystone v3. I filed a blueprint for it <a href="https://blueprints.launchpad.net/horizon/+spec/domain-based-rbac" target="_blank">https://blueprints.launchpad.net/horizon/+spec/domain-based-rbac</a>. </div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2014-04-24 23:30 GMT+08:00 Roman
Bodnarchuk <span dir="ltr"><<a href="mailto:roman.bodnarchuk@indigitus.ch" target="_blank">roman.bodnarchuk@indigitus.ch</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Hello,<br>
<br>
As far as I can tell, Horizon uses python-openstack-auth
to authenticate users. At the same time, the
openstack_auth.KeystoneBackend.authenticate method
generates only project-scoped tokens.<br>
<br>
After enabling policy checks in Keystone, I tried to view
a list of all projects on Admin panel and got "<strong>Error:<span> </span></strong><span>Unauthorized:
Unable to retrieve project list.</span>" on the dashboard
and the following in the Keystone log:<br>
<br>
<tt>enforce identity:list_projects: {'project_id':
u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [],
'user_id': u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles':
[u'admin']}</tt><tt><br>
</tt><tt>...</tt><tt><br>
</tt><tt>WARNING keystone.common.wsgi [-] You are not
authorized to perform the requested action,
identity:list_projects.</tt><tt> </tt><br>
<br>
This is expected, since the user's token is scoped to a project,
and no access to domain-wide resources should be allowed.<br>
<br>
How can I work around this? Is it possible to use policy
checks on the Keystone side while working with Horizon?<br>
<br>
I am using stable/icehouse and Keystone API v3.<br>
<br>
Thanks,<br>
Roman<br>
</div>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr">
<div style="color:rgb(0,0,0);font-family:arial;font-size:small">Tang
Yaguang</div>
<div style="color:rgb(0,0,0);font-family:arial;font-size:small">
<br>
</div>
<div style="color:rgb(0,0,0);font-family:arial;font-size:small">Canonical
Ltd. | <a href="http://www.ubuntu.com/" target="_blank">www.ubuntu.com</a> | <a href="http://www.canonical.com/" target="_blank">www.canonical.com</a></div>
<div style="color:rgb(0,0,0);font-family:arial;font-size:small">Mobile:
<a href="tel:%2B86%20152%201094%206968" value="+8615210946968" target="_blank">+86 152 1094 6968</a></div>
<div style="color:rgb(0,0,0);font-family:arial;font-size:small">gpg
key: 0x187F664F</div>
<div style="color:rgb(0,0,0);font-family:arial;font-size:small">
</div>
</div>
</div>
<br>
</blockquote>
<br>
</div></div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div dir="ltr"><div style="color:rgb(0,0,0);font-family:arial;font-size:small">Tang Yaguang</div><div style="color:rgb(0,0,0);font-family:arial;font-size:small">
<br></div><div style="color:rgb(0,0,0);font-family:arial;font-size:small">Canonical Ltd. | <a href="http://www.ubuntu.com/" target="_blank">www.ubuntu.com</a> | <a href="http://www.canonical.com/" target="_blank">www.canonical.com</a></div>
<div style="color:rgb(0,0,0);font-family:arial;font-size:small">Mobile: +86 152 1094 6968</div><div style="color:rgb(0,0,0);font-family:arial;font-size:small">gpg key: 0x187F664F</div><div style="color:rgb(0,0,0);font-family:arial;font-size:small">
</div></div>
</div>
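<p>Added example, not part of the thread and not Keystone or Horizon code: a simplified model of why the logged credentials are denied <tt>identity:list_projects</tt> under a domain-aware rule, next to the two token scopes a client can request from Keystone v3. The rule text, the <tt>default</tt> domain id and the helper names are assumptions; the project-scoped credentials are the ones from the log above.</p>

```python
# Simplified model of a Keystone-style policy check (illustration only).

def auth_request(user_id, password, scope_kind, scope_id):
    """Body for POST /v3/auth/tokens; scope_kind is 'project' or 'domain'."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"id": user_id,
                                           "password": password}}},
        "scope": {scope_kind: {"id": scope_id}},
    }}

def check(rule, creds, target):
    """Evaluate 'kind:match' atoms joined by and/or (no parentheses)."""
    def atom(expr):
        kind, _, match = expr.strip().partition(":")
        try:
            match = match % target      # fill %(domain_id)s from the target
        except KeyError:
            return False                # target lacks the referenced field
        if kind == "role":
            return match.lower() in [r.lower() for r in creds.get("roles", [])]
        # generic check: the credential attribute must exist and be equal
        return kind in creds and str(creds[kind]) == match
    return any(all(atom(a) for a in alt.split(" and "))
               for alt in rule.split(" or "))

# Assumed domain-aware rule; the thread does not show the policy file in use.
RULE = "role:admin and domain_id:%(domain_id)s"

# Credentials as logged in the thread: a project-scoped token, no domain_id.
PROJECT_SCOPED = {"project_id": "80d91944f5af4c53ad5df4e386376e08",
                  "group_ids": [],
                  "user_id": "ed14fd91122b47d2a6f575499ed0c4bb",
                  "roles": ["admin"]}

# Constructed: the same user holding a token scoped to a domain instead.
DOMAIN_SCOPED = {"domain_id": "default", "group_ids": [],
                 "user_id": "ed14fd91122b47d2a6f575499ed0c4bb",
                 "roles": ["admin"]}

TARGET = {"domain_id": "default"}   # constructed: projects of this domain

def demo():
    """Return (project-scoped allowed?, domain-scoped allowed?)."""
    return (check(RULE, PROJECT_SCOPED, TARGET),
            check(RULE, DOMAIN_SCOPED, TARGET))

if __name__ == "__main__":
    print(demo())
```

<p>The admin role alone does not satisfy the rule: the project-scoped credentials carry no <tt>domain_id</tt> to match against the target, which is the denial Keystone logs in the thread.</p>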