<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Trebuchet MS";
panose-1:2 11 6 3 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.hoenzb
{mso-style-name:hoenzb;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Horizon needs to support domain-scoped tokens for this to work. I don’t think it is there yet.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><a href="https://review.openstack.org/#/c/148082/39">https://review.openstack.org/#/c/148082/39</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><a href="https://review.openstack.org/#/c/141153/">https://review.openstack.org/#/c/141153/</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Haneef<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Lei Zhang [mailto:zhang.lei.fly@gmail.com]
<br>
<b>Sent:</b> Wednesday, March 11, 2015 7:33 PM<br>
<b>To:</b> openstack; OpenStack Development Mailing List<br>
<b>Subject:</b> [openstack-dev] [Horizon][Keystone] Failed to set up keystone v3 api for horizon<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">Has anyone tried this successfully?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Mon, Mar 9, 2015 at 4:25 PM, Lei Zhang &lt;<a href="mailto:zhang.lei.fly@gmail.com" target="_blank">zhang.lei.fly@gmail.com</a>&gt; wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">Hi guys,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">I am setting up the Keystone v3 API. Now I have run into an issue with the `cloud_admin` policy.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">Based on the <a href="http://www.florentflament.com/blog/setting-keystone-v3-domains.html" target="_blank">http://www.florentflament.com/blog/setting-keystone-v3-domains.html</a> article,
I modified the cloud_admin policy to:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">```<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">"cloud_admin": "rule:admin_required and domain_id:ef0d30167f744401a0cbfcc938ea7d63",</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">```<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">But cloud_admin doesn't work as expected. I failed to open all the identity panels (like
<a href="http://%3chost%3e/horizon/identity/domains/">http://&lt;host&gt;/horizon/identity/domains/</a>).<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">Horizon tells me:</span> "Error: Unable to retrieve project list."<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">And the keystone log shows this warning:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">```<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">2015-03-09 16:00:06.423 9415 DEBUG keystone.policy.backends.rules [-] enforce identity:list_user_projects: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'6433222efd78459bb70ad9adbcfac418',
'roles': [u'_member_', u'admin'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=DWsSa6yYSWi0ht9E7q4uhw, audit_chain_id=w_zLBBeFQ82KevtJrdKIJw) at 0x7f4503fab3c8>, 'project_id': u'4d170baaa89b4e46b239249eb5ec6b00',
'trust_id': None}, enforce /usr/lib/python2.7/dist-packages/keystone/policy/backends/rules.py:100</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">2015-03-09 16:00:06.061 9410 WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action: identity:list_projects (Disable debug mode to suppress these details.) </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">```<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"></span><span style="font-family:"Trebuchet MS",sans-serif">I did some debugging and found that the root cause is that the `context` variable in keystone has no `domain_id` field (as in the
keystone log above), so the `cloud_admin` rule failed.</span><span style="font-family:"Arial",sans-serif"></span><span style="font-family:"Trebuchet MS",sans-serif"> If I change `cloud_admin` to the following, it works as expected.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">```<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">"cloud_admin": "rule:admin_required and user_id:6433222efd78459bb70ad9adbcfac418",</span><span style="font-family:"Arial",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">```<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">I found that in the keystone code [0], the domain_id only exists when it is a domain scope. But I believe that the Horizon login token is a project one (I am not very sure about this).<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">```<o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">if token.project_scoped:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">&nbsp;&nbsp;&nbsp;&nbsp;auth_context['project_id'] = token.project_id<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">elif token.domain_scoped:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">&nbsp;&nbsp;&nbsp;&nbsp;auth_context['domain_id'] = token.domain_id<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">else:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">&nbsp;&nbsp;&nbsp;&nbsp;LOG.debug('RBAC: Proceeding without project or domain scope')<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif"><o:p> </o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">```<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">Is it a bug? Or some wrong configuration?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">The following is my configuration.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">```<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New""># /etc/keystone/keystone.conf</span><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">[DEFAULT]</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">debug=true</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">verbose=true</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">log_dir=/var/log/keystone</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">[assignment]</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">driver = keystone.assignment.backends.sql.Assignment </span><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">[database]</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">connection=mysql://xxxx:xxxx@controller/keystone</span><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">[identity]</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">driver=keystone.identity.backends.sql.Identity</span><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">[memcache]</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">servers=controller1:11211,controller2:11211,controller3:1121</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">[token]</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">provider=keystone.token.providers.uuid.Provider</span><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">```<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">```<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New""># /etc/openstack-dashboard/local_settings.py ( partly )</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">POLICY_FILES_PATH = "/etc/openstack-dashboard/"</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">POLICY_FILES = {</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New""> 'identity': 'keystone_policy.json',</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">}</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">OPENSTACK_HOST = "127.0.0.1"</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">OPENSTACK_API_VERSIONS = {</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New""> "data_processing": 1.1,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New""> "identity": 3,</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New""> "volume": 2</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">}</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Courier New"">OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'admin'</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">``` <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif"><o:p> </o:p></span></p>
</div>
</div>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-family:"Arial",sans-serif"></span><span style="font-family:"Trebuchet MS",sans-serif">[0]
<a href="https://github.com/openstack/keystone/blob/master/keystone/common/authorization.py#L58" target="_blank">
https://github.com/openstack/keystone/blob/master/keystone/common/authorization.py#L58</a></span><span style="font-family:"Arial",sans-serif"></span><span style="font-family:"Trebuchet MS",sans-serif"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><span class="hoenzb"><span style="color:#888888">-- <o:p></o:p></span></span></p>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif;color:#888888">Lei Zhang</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif;color:#888888">Blog:
<a href="http://xcodest.me" target="_blank">http://xcodest.me</a></span><span style="color:#888888"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif;color:#888888">twitter/weibo: @jeffrey4l</span><span style="color:#888888"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Trebuchet MS",sans-serif">Lei Zhang</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">Blog: <a href="http://xcodest.me" target="_blank">
http://xcodest.me</a></span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:"Trebuchet MS",sans-serif">twitter/weibo: @jeffrey4l</span><o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
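<p class="MsoNormal">The scope mismatch discussed in this thread, as an added example that is not part of the original messages and is not Keystone or oslo.policy code: a simplified policy evaluator run against auth contexts built the way the quoted scope branch builds them, using the IDs quoted above. The names build_auth_context, check and demo are hypothetical, and admin_required is assumed to be a plain role:admin check, which the thread does not show.</p>
<pre>
```python
# Added illustration: a simplified stand-in for Keystone's policy check,
# not Keystone or oslo.policy code. IDs are the ones quoted in the thread.
DOMAIN_ID = "ef0d30167f744401a0cbfcc938ea7d63"
USER_ID = "6433222efd78459bb70ad9adbcfac418"
PROJECT_ID = "4d170baaa89b4e46b239249eb5ec6b00"

# "admin_required" is assumed to be a plain role check (not shown in the thread).
RULES_DOMAIN = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:" + DOMAIN_ID,
}
RULES_USER = dict(RULES_DOMAIN,
                  cloud_admin="rule:admin_required and user_id:" + USER_ID)


def build_auth_context(user_id, roles, project_id=None, domain_id=None):
    """Mirror the scope branch quoted in the thread: one scope key at most."""
    ctx = {"user_id": user_id, "roles": list(roles)}
    if project_id is not None:        # project-scoped token
        ctx["project_id"] = project_id
    elif domain_id is not None:       # domain-scoped token
        ctx["domain_id"] = domain_id
    return ctx


def check(rules, name, ctx):
    """Evaluate rules[name]; supports only 'and', 'or', rule:, role:, key:value."""
    def atom(term):
        kind, _, match = term.partition(":")
        if kind == "rule":
            return check(rules, match, ctx)
        if kind == "role":
            return match.lower() in [r.lower() for r in ctx.get("roles", [])]
        # Generic key:value check: a key missing from the context never matches.
        return ctx.get(kind) == match
    return any(all(atom(t.strip()) for t in clause.split(" and "))
               for clause in rules[name].split(" or "))


def demo():
    roles = ["_member_", "admin"]
    project_tok = build_auth_context(USER_ID, roles, project_id=PROJECT_ID)
    domain_tok = build_auth_context(USER_ID, roles, domain_id=DOMAIN_ID)
    return {
        "domain rule, project token": check(RULES_DOMAIN, "cloud_admin", project_tok),
        "domain rule, domain token": check(RULES_DOMAIN, "cloud_admin", domain_tok),
        "user rule, project token": check(RULES_USER, "cloud_admin", project_tok),
    }
```
</pre>
<p class="MsoNormal">The user_id form of the rule passes for any token scope, but it grants cloud_admin to exactly one account rather than to admins of a domain.</p>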
</body>
</html>