[openstack-dev] [Horizon] Project list with turned-on policy in Keystone
Roman Bodnarchuk
roman.bodnarchuk at indigitus.ch
Thu Apr 24 15:30:57 UTC 2014
Hello,
As far as I can tell, Horizon uses python-openstack-auth to authenticate
users. In the same time, openstack_auth.KeystoneBackend.authenticate
method generates only project scoped tokens.
After enabling policy checks in Keystone, I tried to view a list of all
projects on Admin panel and got "*Error:*Unauthorized: Unable to
retrieve project list." on dashboard and the next in Keystone log:
enforce identity:list_projects: {'project_id':
u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id':
u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}
...
WARNING keystone.common.wsgi [-] You are not authorized to perform the
requested action, identity:list_projects.
This is expected, since user's token is scoped to project, and no access
to domain-wide resources should be allowed.
How to work-around this? Is it possible to use policy checks on
Keystone side while working with Horizon?
I am using stable/icehouse and Keystone API v3.
Thanks,
Roman
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140424/f61f5335/attachment.html>
More information about the OpenStack-dev
mailing list