[openstack-dev] [Horizon] Project list with turned-on policy in Keystone

Yaguang Tang yaguang.tang at canonical.com
Mon May 5 11:30:05 UTC 2014


I think this is a common requirement for users who want to use Keystone v3. I
filed a blueprint for it
https://blueprints.launchpad.net/horizon/+spec/domain-based-rbac.


2014-04-24 23:30 GMT+08:00 Roman Bodnarchuk <roman.bodnarchuk at indigitus.ch>:

>  Hello,
>
> As far as I can tell, Horizon uses python-openstack-auth to authenticate
> users. At the same time, the openstack_auth.KeystoneBackend.authenticate
> method generates only project-scoped tokens.
>
> After enabling policy checks in Keystone, I tried to view a list of all
> projects on the Admin panel and got "Error: Unauthorized: Unable to
> retrieve project list." on the dashboard and the following in the Keystone log:
>
> enforce identity:list_projects: {'project_id':
> u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id':
> u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}
> ...
> WARNING keystone.common.wsgi [-] You are not authorized to perform the
> requested action, identity:list_projects.
>
> This is expected, since the user's token is scoped to a project, and no access
> to domain-wide resources should be allowed.
>
> How can I work around this? Is it possible to use policy checks on the
> Keystone side while working with Horizon?
>
> I am using stable/icehouse and Keystone API v3.
>
> Thanks,
> Roman


-- 
Tang Yaguang

Canonical Ltd. | www.ubuntu.com | www.canonical.com
Mobile:  +86 152 1094 6968
gpg key: 0x187F664F
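
Why the enforcement in the quoted log fails, as an added example (not code from this thread, Horizon, or Keystone): the credentials of a project-scoped token carry `project_id` but no `domain_id`, so a domain-aware rule cannot match even though the user has the `admin` role. The rule string, the `default` domain ID and the small evaluator are assumptions made for illustration; the thread does not show the deployment's policy file.

```python
# Simplified stand-in for a policy check; NOT Keystone's policy engine.
# ASSUMPTION: constructed example of a domain-aware rule for list_projects.
ASSUMED_RULE = "role:admin and domain_id:%(domain_id)s"

# Credentials as printed in the Keystone log quoted in the thread.
PROJECT_SCOPED_CREDS = {
    "project_id": "80d91944f5af4c53ad5df4e386376e08",
    "group_ids": [],
    "user_id": "ed14fd91122b47d2a6f575499ed0c4bb",
    "roles": ["admin"],
}


def domain_scoped(creds, domain_id):
    """Constructed: same user and roles, but the token is scoped to a domain."""
    out = {k: v for k, v in creds.items() if k != "project_id"}
    out["domain_id"] = domain_id
    return out


def check(term, creds, target):
    """Evaluate one 'kind:match' term against the token credentials."""
    kind, _, match = term.partition(":")
    if kind == "role":
        return match in creds.get("roles", [])
    try:
        wanted = match % target  # substitute %(key)s from the request target
    except KeyError:
        return False  # target lacks the attribute: fail closed
    # A credential attribute that is absent can never satisfy the term.
    return kind in creds and str(creds[kind]) == wanted


def enforce(rule, creds, target):
    """Return (allowed, per-term results) for an 'and'-joined rule."""
    terms = [t.strip() for t in rule.split(" and ")]
    results = {t: check(t, creds, target) for t in terms}
    return all(results.values()), results


if __name__ == "__main__":
    target = {"domain_id": "default"}  # constructed target domain
    for label, creds in (
        ("project-scoped", PROJECT_SCOPED_CREDS),
        ("domain-scoped", domain_scoped(PROJECT_SCOPED_CREDS, "default")),
    ):
        print(label, enforce(ASSUMED_RULE, creds, target))
```

The per-term result shows which part of the rule rejected the request, which is the first thing to look at when an `admin` user is unexpectedly denied.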