[horizon][keystone][dev] Cross-domain administrators and context-switching

Lance Bragstad lbragstad at gmail.com
Tue Jan 15 14:44:55 UTC 2019

On Tue, Jan 15, 2019 at 7:59 AM Robert Donovan <rob at cleansafecloud.com> wrote:

> Hello,
> We run a cloud service with multiple domains (one per tenant) and offer
> services on top which can, amongst other things, involve administrators
> creating instances, snapshots etc. on behalf of those tenants. My
> understanding is that, in order to achieve this with Horizon, we currently
> have to create a separate admin user in each domain with a role that allows
> those abilities. The administrator then needs to log into that domain using
> the new user to perform the required actions.
> Firstly, is that assumption correct? Or is it possible to use the same user
> credentials across domain boundaries?

I'm not sure why separate users would be needed in this case, but I could
be missing something from the horizon side. Does this not work today with
Horizon? Or are you using the CLIs to perform these actions?

> Secondly, have there ever been discussions around the “Set Domain Context”
> function having a wider effect to scope the whole dashboard to that
> particular domain, including the project panels? Are there potential issues
> with this as a proposal?

Reading this as someone who works on keystone, this sounds like getting a
new token in keystone scoped to a different domain you have authorization
on via a role assignment. Based on a quick search though, there appear to
be a few gaps remaining in horizon for domain support [0][1].

[0] https://bugs.launchpad.net/horizon/+bug/1600195
[1] https://bugs.launchpad.net/horizon/+bug/1706879

> Many thanks,
> Rob
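
As an added illustration (not part of the original thread, and not Horizon or keystone code): the Keystone v3 `POST /v3/auth/tokens` body for one user requesting tokens scoped to different domains, with the reachable domains derived from records shaped like `GET /v3/role_assignments` output. All user, domain and role IDs and the password are constructed sample values.

```python
import json

# Constructed sample records, shaped like GET /v3/role_assignments entries.
SAMPLE_ASSIGNMENTS = [
    {"user": {"id": "u-ops"}, "role": {"id": "r-admin"},
     "scope": {"domain": {"id": "d-tenant-a"}}},
    {"user": {"id": "u-ops"}, "role": {"id": "r-admin"},
     "scope": {"domain": {"id": "d-tenant-b"}}},
    {"user": {"id": "u-ops"}, "role": {"id": "r-member"},
     "scope": {"project": {"id": "p-internal"}}},   # project scope, ignored here
    {"group": {"id": "g-support"}, "role": {"id": "r-reader"},
     "scope": {"domain": {"id": "d-tenant-c"}}},    # group assignment, no "user" key
    {"user": {"id": "u-other"}, "role": {"id": "r-admin"},
     "scope": {"domain": {"id": "d-tenant-c"}}},
]

def scopes_for(user_id, assignments):
    """Domain IDs on which the user holds a direct role assignment."""
    return sorted({
        a["scope"]["domain"]["id"] for a in assignments
        if a.get("user", {}).get("id") == user_id and "domain" in a["scope"]
    })

def domain_scoped_auth(user_name, user_domain, password, target_domain_id):
    """Auth body: identity from the user's home domain, token scoped elsewhere."""
    return {"auth": {
        "identity": {
            "methods": ["password"],
            "password": {"user": {
                "name": user_name,
                "domain": {"name": user_domain},  # domain that owns the account
                "password": password,
            }},
        },
        # The scope is independent of the home domain. Keystone issues the
        # token only if a role assignment exists on the requested domain.
        "scope": {"domain": {"id": target_domain_id}},
    }}

if __name__ == "__main__":
    # One account in the constructed "ops" domain, one request per tenant domain.
    for domain_id in scopes_for("u-ops", SAMPLE_ASSIGNMENTS):
        body = domain_scoped_auth("ops-admin", "ops", "REPLACE_ME", domain_id)
        print(json.dumps(body["auth"]["scope"]))
```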