[horizon][keystone][dev] Cross-domain administrators and context-switching
lbragstad at gmail.com
Tue Jan 15 14:44:55 UTC 2019
On Tue, Jan 15, 2019 at 7:59 AM Robert Donovan <rob at cleansafecloud.com>
> We run a cloud service with multiple domains (one per tenant) and offer
> services on top which can, amongst other things, involve administrators
> creating instances, snapshots etc. on behalf to those tenants. My
> understanding is that, in order to achieve this with Horizon, we currently
> have to create a separate admin user in each domain with a role that allows
> those abilities. The administrator then needs to log into that domain using
> the new user to perform the required actions.
> Firstly, is that assumption correct? Or is it possible use the same user
> credentials across domain boundaries?
I'm not sure why separate users would be needed in this case, but I could
be missing something from the horizon side. Does this not work today with
Horizon? Or are you using the CLIs to perform these actions?
> Secondly, have there ever been discussions around the “Set Domain Context”
> function having a wider effect to scope the whole dashboard to that
> particular domain, including the project panels? Are there potential issues
> with this as a proposal?
Reading this as someone who works on keystone, this sounds like getting a
new token in keystone scoped to a different domain you have authorization
on via a role assignment. Based on a quick search though, there appears to
be a few gaps remaining in horizon for domain support .
> Many thanks,
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the openstack-discuss