Open Stack

I'm sure additional feedback on those patches would be welcome and helpful toward getting them merged in Kilo

> On Mar 12, 2015, at 9:14 AM, Lei Zhang <zhang.lei.fly at gmail.com> wrote:
> 
> Hi Lin,
> 
> This two PS is what I wanted. Thx a lot.
> 
> btw, is it possible that these PS finished in Kilo?
> 
>> On Thu, Mar 12, 2015 at 5:41 PM, Lin Hua Cheng <os.lcheng at gmail.com> wrote:
>> Hi,
>> 
>> The 'cloud_admin' policy file requires domain-scoped to work to work.
>> 
>> Horizon does not currently support domain scope token yet. So yes, it is a gap in horizon at the moment.
>> 
>> There are on-going patches to address this in horizon: 
>> - https://review.openstack.org/#/c/141153/
>> - https://review.openstack.org/#/c/148082/
>> 
>> Dan (esp) prepared a nicely written document on this should eventually work.
>> 
>> -Lin
>> 
>>> On Wed, Mar 11, 2015 at 7:33 PM, Lei Zhang <zhang.lei.fly at gmail.com> wrote:
>>> is there anyone tryed this and successfully?
>>> 
>>>> On Mon, Mar 9, 2015 at 4:25 PM, Lei Zhang <zhang.lei.fly at gmail.com> wrote:
>>>> Hi guys,
>>>> 
>>>> I am setting up the keytone v3 api. Now I meet a issue about the `cloud_admin` policy.
>>>> 
>>>> Base on the http://www.florentflament.com/blog/setting-keystone-v3-domains.html article, I modify the cloud_admin policy to 
>>>> 
>>>> ```
>>>> "cloud_admin": "rule:admin_required and domain_id:ef0d30167f744401a0cbfcc938ea7d63",
>>>> ```
>>>> 
>>>> But the cloud_admin don't work as expected. I failed to open all the identity panel ( like http://<host>/horizon/identity/domains/)
>>>> Horizon tell me" Error: Unable to retrieve project list."
>>>> And keystone log warning:  
>>>> 
>>>> ```
>>>> 2015-03-09 16:00:06.423 9415 DEBUG keystone.policy.backends.rules [-] enforce identity:list_user_projects: {'is_delegated_auth': False, 'access_token_id': None, 'user_id': u'6433222efd78459bb70ad9adbcfac418', 'roles': [u'_member_', u'admin'], 'trustee_id': None, 'trustor_id': None, 'consumer_id': None, 'token': <KeystoneToken (audit_id=DWsSa6yYSWi0ht9E7q4uhw, audit_chain_id=w_zLBBeFQ82KevtJrdKIJw) at 0x7f4503fab3c8>, 'project_id': u'4d170baaa89b4e46b239249eb5ec6b00', 'trust_id': None}, enforce /usr/lib/python2.7/dist-packages/keystone/policy/backends/rules.py:100
>>>> 2015-03-09 16:00:06.061 9410 WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action: identity:list_projects (Disable debug mode to suppress these details.) 
>>>> ```
>>>> 
>>>> ​I make some debug and found that, the root cause is that the `context` variable in keystone has no `domain_id` field( like the above keystone log). So the `cloud_admin` rule failed.​ if i change the `cloud_admin` to following. It works as expected. 
>>>> 
>>>> ```
>>>> "cloud_admin": "rule:admin_required and user_id:6433222efd78459bb70ad9adbcfac418",
>>>> ```
>>>> 
>>>> I found that in the keystone code[0], the domain_id only exist when it is a domain scope. But i believe that the horizon login token is a project one( I am not very sure this)
>>>> 
>>>> ```
>>>>     if token.project_scoped:
>>>>         auth_context['project_id'] = token.project_id
>>>>     elif token.domain_scoped:
>>>>         auth_context['domain_id'] = token.domain_id
>>>>     else:
>>>>         LOG.debug('RBAC: Proceeding without project or domain scope')
>>>> 
>>>> ```
>>>> 
>>>> Is it a bug? or some wrong configuration? 
>>>> 
>>>> 
>>>> Following is my configuration.
>>>> 
>>>> 
>>>> ```
>>>> # /etc/keystone/keystone.conf
>>>> [DEFAULT]
>>>> debug=true
>>>> verbose=true
>>>> log_dir=/var/log/keystone
>>>> [assignment]
>>>> driver = keystone.assignment.backends.sql.Assignment 
>>>> [database]
>>>> connection=mysql://xxxx:xxxx@controller/keystone
>>>> [identity]
>>>> driver=keystone.identity.backends.sql.Identity
>>>> [memcache]
>>>> servers=controller1:11211,controller2:11211,controller3:1121
>>>> [token]
>>>> provider=keystone.token.providers.uuid.Provider
>>>> ```
>>>> 
>>>> ```
>>>> # /etc/openstack-dashboard/local_settings.py ( partly )
>>>> POLICY_FILES_PATH = "/etc/openstack-dashboard/"
>>>> POLICY_FILES = {
>>>>     'identity': 'keystone_policy.json',
>>>> }
>>>> OPENSTACK_HOST = "127.0.0.1"
>>>> OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
>>>> OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
>>>> OPENSTACK_API_VERSIONS = {
>>>>      "data_processing": 1.1,
>>>>      "identity": 3,
>>>>      "volume": 2
>>>> }
>>>> OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
>>>> OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'admin'
>>>> ``` 
>>>> 
>>>> ​[0] https://github.com/openstack/keystone/blob/master/keystone/common/authorization.py#L58​
>>>> 
>>>> -- 
>>>> Lei Zhang
>>>> Blog: http://xcodest.me
>>>> twitter/weibo: @jeffrey4l
>>> 
>>> 
>>> 
>>> -- 
>>> Lei Zhang
>>> Blog: http://xcodest.me
>>> twitter/weibo: @jeffrey4l
>>> 
>>> __________________________________________________________________________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> 
>> 
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 
> 
> 
> -- 
> Lei Zhang
> Blog: http://xcodest.me
> twitter/weibo: @jeffrey4l
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150312/d32ea1aa/attachment.html>