[openstack-dev] [Horizon] Project list with turned-on policy in Keystone
Roman Bodnarchuk
roman.bodnarchuk at indigitus.ch
Tue May 6 08:23:58 UTC 2014
Hello,
Does this mean that there is no real support for non-default domains in
Horizon?
Thanks,
Roman
On 5/5/2014 2:30 PM, Yaguang Tang wrote:
> I think this is an common requirement for users who want to keystone
> v3. I filed a blueprint for it
> https://blueprints.launchpad.net/horizon/+spec/domain-based-rbac.
>
>
> 2014-04-24 23:30 GMT+08:00 Roman Bodnarchuk
> <roman.bodnarchuk at indigitus.ch <mailto:roman.bodnarchuk at indigitus.ch>>:
>
> Hello,
>
> As far as I can tell, Horizon uses python-openstack-auth to
> authenticate users. In the same time,
> openstack_auth.KeystoneBackend.authenticate method generates only
> project scoped tokens.
>
> After enabling policy checks in Keystone, I tried to view a list
> of all projects on Admin panel and got "*Error:*Unauthorized:
> Unable to retrieve project list." on dashboard and the next in
> Keystone log:
>
> enforce identity:list_projects: {'project_id':
> u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id':
> u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}
> ...
> WARNING keystone.common.wsgi [-] You are not authorized to perform
> the requested action, identity:list_projects.
>
> This is expected, since user's token is scoped to project, and no
> access to domain-wide resources should be allowed.
>
> How to work-around this? Is it possible to use policy checks on
> Keystone side while working with Horizon?
>
> I am using stable/icehouse and Keystone API v3.
>
> Thanks,
> Roman
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> <mailto:OpenStack-dev at lists.openstack.org>
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
>
> --
> Tang Yaguang
>
> Canonical Ltd. | www.ubuntu.com <http://www.ubuntu.com/> |
> www.canonical.com <http://www.canonical.com/>
> Mobile: +86 152 1094 6968
> gpg key: 0x187F664F
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140506/239555dd/attachment.html>
More information about the OpenStack-dev
mailing list