[openstack-dev] [Horizon] Project list with turned-on policy in Keystone

Yaguang Tang yaguang.tang at canonical.com
Mon May 12 21:21:41 UTC 2014


Roman,

It's not fully supported. Right now domain, project, user management isn't
supported within admin user or domain user, but you can log in with
domain user and operate as a normal user.


2014-05-06 16:23 GMT+08:00 Roman Bodnarchuk <roman.bodnarchuk at indigitus.ch>:

>  Hello,
>
> Does this mean that there is no real support for non-default domains in
> Horizon?
>
> Thanks,
> Roman
>
>
> On 5/5/2014 2:30 PM, Yaguang Tang wrote:
>
> I think this is a common requirement for users who want to use keystone v3. I
> filed a blueprint for it
> https://blueprints.launchpad.net/horizon/+spec/domain-based-rbac.
>
>
> 2014-04-24 23:30 GMT+08:00 Roman Bodnarchuk <roman.bodnarchuk at indigitus.ch>:
>
>>  Hello,
>>
>> As far as I can tell, Horizon uses python-openstack-auth to authenticate
>> users.  At the same time, openstack_auth.KeystoneBackend.authenticate
>> method generates only project scoped tokens.
>>
>> After enabling policy checks in Keystone, I tried to view a list of all
>> projects on the Admin panel and got "*Error: *Unauthorized: Unable to
>> retrieve project list." on the dashboard and the following in the Keystone log:
>>
>> enforce identity:list_projects: {'project_id':
>> u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id':
>> u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}
>> ...
>> WARNING keystone.common.wsgi [-] You are not authorized to perform the
>> requested action, identity:list_projects.
>>
>> This is expected, since user's token is scoped to project, and no access
>> to domain-wide resources should be allowed.
>>
>> How can I work around this?  Is it possible to use policy checks on Keystone
>> side while working with Horizon?
>>
>> I am using stable/icehouse and Keystone API v3.
>>
>> Thanks,
>> Roman
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
>  --
>  Tang Yaguang
>
>  Canonical Ltd. | www.ubuntu.com | www.canonical.com
> Mobile:  +86 152 1094 6968
> gpg key: 0x187F664F
>


-- 
Tang Yaguang

Canonical Ltd. | www.ubuntu.com | www.canonical.com
Mobile:  +86 152 1094 6968
gpg key: 0x187F664F
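
Added example, not part of the original thread and not Horizon or Keystone code: a small triage script that reads the two Keystone log lines quoted above and reports whether a denied action was requested with a project-scoped token despite the admin role. It assumes that a domain-scoped token would log a 'domain_id' key in the same credential dict; the function names and SAMPLE_LOG are constructed for illustration.

```python
import ast
import re

# Constructed sample: the two Keystone log lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
enforce identity:list_projects: {'project_id': u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id': u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}
WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action, identity:list_projects.
"""

ENFORCE_RE = re.compile(r"enforce (identity:\w+): (\{.*?\})", re.S)
DENIED_RE = re.compile(r"not authorized to perform the\s+requested action, (identity:\w+)")


def token_scope(creds):
    """Classify token scope from the credential dict Keystone logged.

    Assumption: a domain-scoped token logs 'domain_id'; a project-scoped
    one logs 'project_id', as in the line quoted in the thread.
    """
    if creds.get("domain_id"):
        return "domain"
    if creds.get("project_id"):
        return "project"
    return "unscoped"


def triage(log_text):
    """Match each enforce line against denials of the same action in log_text."""
    denied = set(DENIED_RE.findall(log_text))
    findings = []
    for action, raw in ENFORCE_RE.findall(log_text):
        creds = ast.literal_eval(raw)  # dict repr; u'' prefixes parse on Python 3
        scope = token_scope(creds)
        roles = creds.get("roles", [])
        findings.append({
            "action": action,
            "scope": scope,
            "roles": roles,
            "denied": action in denied,
            # Admin role present but no domain scope: look at scope, not roles.
            "scope_mismatch": action in denied and scope != "domain" and "admin" in roles,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```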