[openstack-dev] [Horizon] Project list with turned-on policy in Keystone

Roman Bodnarchuk roman.bodnarchuk at indigitus.ch
Tue May 6 08:23:58 UTC 2014


Hello,

Does this mean that there is no real support for non-default domains in 
Horizon?

Thanks,
Roman

On 5/5/2014 2:30 PM, Yaguang Tang wrote:
> I think this is a common requirement for users who want to use Keystone 
> v3. I filed a blueprint for it 
> https://blueprints.launchpad.net/horizon/+spec/domain-based-rbac.
>
>
> 2014-04-24 23:30 GMT+08:00 Roman Bodnarchuk 
> <roman.bodnarchuk at indigitus.ch>:
>
>     Hello,
>
>     As far as I can tell, Horizon uses python-openstack-auth to
>     authenticate users.  At the same time, the
>     openstack_auth.KeystoneBackend.authenticate method generates only
>     project-scoped tokens.
>
>     After enabling policy checks in Keystone, I tried to view a list
>     of all projects on the Admin panel and got "Error: Unauthorized:
>     Unable to retrieve project list." on the dashboard and the following
>     in the Keystone log:
>
>     enforce identity:list_projects: {'project_id':
>     u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id':
>     u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}
>     ...
>     WARNING keystone.common.wsgi [-] You are not authorized to perform
>     the requested action, identity:list_projects.
>
>     This is expected, since the user's token is scoped to a project, and no
>     access to domain-wide resources should be allowed.
>
>     How can I work around this?  Is it possible to use policy checks on
>     the Keystone side while working with Horizon?
>
>     I am using stable/icehouse and Keystone API v3.
>
>     Thanks,
>     Roman
>
>     _______________________________________________
>     OpenStack-dev mailing list
>     OpenStack-dev at lists.openstack.org
>     http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
>
> -- 
> Tang Yaguang
>
> Canonical Ltd. | www.ubuntu.com | www.canonical.com
> Mobile:  +86 152 1094 6968
> gpg key: 0x187F664F
>
>
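
Added example (not part of the original thread, and not Horizon, Keystone or oslo.policy code): a simplified model of why the project-scoped credentials in the quoted log fail a domain-aware rule, next to the Keystone v3 token request body that asks for domain scope instead. The rule shape (admin role plus matching domain_id), the function names and the EXAMPLE_DOMAIN_ID value are assumptions made for illustration; the thread does not show the policy file in use.

```python
# Added illustration: simplified model, not Keystone or oslo.policy code.

def scoped_auth_body(user, password, user_domain, scope):
    """Build a Keystone v3 POST /v3/auth/tokens body with the given scope."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": user,
                                           "domain": {"name": user_domain},
                                           "password": password}}},
        "scope": scope}}

def admin_and_matching_domain(creds, target):
    """Assumed rule: admin role AND token domain_id equals target domain_id."""
    if "admin" not in creds.get("roles", []):
        return False
    token_domain = creds.get("domain_id")  # absent on project-scoped tokens
    return token_domain is not None and token_domain == target.get("domain_id")

# Credentials as printed in the Keystone log quoted above (project-scoped).
PROJECT_SCOPED = {"project_id": "80d91944f5af4c53ad5df4e386376e08",
                  "group_ids": [],
                  "user_id": "ed14fd91122b47d2a6f575499ed0c4bb",
                  "roles": ["admin"]}
# Constructed: the same user holding a domain-scoped token (placeholder id).
DOMAIN_SCOPED = {"domain_id": "EXAMPLE_DOMAIN_ID", "group_ids": [],
                 "user_id": PROJECT_SCOPED["user_id"], "roles": ["admin"]}
TARGET = {"domain_id": "EXAMPLE_DOMAIN_ID"}  # domain whose projects are listed

def check_all():
    """Evaluate the assumed rule for each kind of token."""
    return {
        "project_scoped": admin_and_matching_domain(PROJECT_SCOPED, TARGET),
        "domain_scoped": admin_and_matching_domain(DOMAIN_SCOPED, TARGET),
        "wrong_domain": admin_and_matching_domain(
            DOMAIN_SCOPED, {"domain_id": "OTHER_DOMAIN_ID"}),
    }

if __name__ == "__main__":
    import json
    # Domain-scoped request: "scope" names a domain instead of a project.
    print(json.dumps(scoped_auth_body(
        "admin", "PLACEHOLDER_PASSWORD", "Default",
        {"domain": {"id": "EXAMPLE_DOMAIN_ID"}}), indent=2))
    print(check_all())
```

The admin role alone does not satisfy the assumed rule: the project-scoped credentials carry no domain_id to compare, and a domain-scoped token passes only for its own domain.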
