[Openstack] Openstack Mitaka Domain question

Eugen Block eblock at nde.ag
Tue Jun 21 07:01:17 UTC 2016


> Could you attach copies of your Keystone policy.json file and your Horizon
> keystone_policy.json file?

I use the same file for both Horizon and Keystone; it's attached to
this email. Please note that I changed the cloud_admin rule to use the
user_id of my admin user because domain_id didn't work.

> What method did you use to find out the ID of the domain named Default?

control1:/etc/keystone # openstack domain list
+----------------------------------+---------+---------+----------------+
| ID                               | Name    | Enabled | Description    |
+----------------------------------+---------+---------+----------------+
| 696819fc8d8d40129ca3a7b54145ba9e | heat    | True    | Stack projects |
| d17c72d57ef344da922500b4f69de4b2 | users   | True    |                |
| default                          | Default | True    |                |
+----------------------------------+---------+---------+----------------+

> What method did you use to check whether the cloud_admin user has the
> admin role on the Default domain?

I followed your link in your previous answer:
http://www.symantec.com/connect/blogs/domain-support-horizon-here
Here's the CLI output to show the role assignment:

control1:/etc/keystone # openstack role list | grep admin
| 465e2e9e201948668289ceb013277a50 | admin            |

control1:/etc/keystone # openstack user list | grep admin
| 89c5dcc8793d4867bae22d50e51e16b3 | admin      |

control1:/etc/keystone # openstack role assignment list | grep default
+----------------------------------+----------------------------------+------+---------+---------+-----------+
| Role                             | User                             | Group| Project | Domain  | Inherited |
+----------------------------------+----------------------------------+------+---------+---------+-----------+
| 465e2e9e201948668289ceb013277a50 | 89c5dcc8793d4867bae22d50e51e16b3 |      |         | default | False     |
+----------------------------------+----------------------------------+------+---------+---------+-----------+

Regards,
Eugen

Quoting Brad Pokorny <Brad_Pokorny at symantec.com>:

> Could you attach copies of your Keystone policy.json file and your Horizon
> keystone_policy.json file?
>
> What method did you use to find out the ID of the domain named Default?
>
> What method did you use to check whether the cloud_admin user has the
> admin role on the Default domain?
>
> Thanks,
> Brad
>
> On 6/20/16, 8:05 AM, "Eugen Block" <eblock at nde.ag> wrote:
>
>> Referring to the invisible domain field in the sidebar-accordion, I
>> tried to investigate Horizon with Firebug. If I get it right, the
>> identity panel is constructed in
>> /usr/lib/python2.7/site-packages/horizon/templates/horizon/_sidebar.html.
>> But only four panels are built: projects, users, groups and roles. How
>> can I find out why the domain panel is not built here?
>>
>> I'm logged in as the cloud_admin, in the apache logs I don't see
>> permission errors or anything, so that shouldn't be an issue.
>>
>> Here's some information on the dashboard version I'm using:
>>
>> control1:/etc/keystone # rpm -qi openstack-dashboard-9.0.2~a0~dev6-1.1.noarch
>> Name        : openstack-dashboard
>> Version     : 9.0.2~a0~dev6
>> Release     : 1.1
>> Architecture: noarch
>> Install Date: Fr 17 Jun 2016 16:08:08 CEST
>> Group       : Development/Languages/Python
>> Size        : 50738471
>> License     : Apache-2.0
>> Signature   : RSA/SHA256, Fr 17 Jun 2016 05:08:31 CEST, Key ID 893a90dad85f9316
>> Source RPM  : openstack-dashboard-9.0.2~a0~dev6-1.1.src.rpm
>> Build Date  : Fr 17 Jun 2016 05:07:19 CEST
>> Build Host  : build33
>> Relocations : (not relocatable)
>> Vendor      : obs://build.opensuse.org/Cloud:OpenStack
>> URL         : http://wiki.openstack.org/OpenStackDashboard
>> Summary     : OpenStack Dashboard (Horizon)
>>
>>
>> Any idea what goes wrong here?
>>
>> Regards,
>> Eugen
>>
>>
>> Quoting Brad Pokorny <Brad_Pokorny at symantec.com>:
>>
>>> I added a "Common Issues" section to this blog post with some things
>>> I've seen that have tripped people up:
>>> http://www.symantec.com/connect/blogs/domain-support-horizon-here
>>>
>>> Resolving those things should at least get the Domains dashboard to show
>>> up in Horizon. If everything is properly set up, it will show up under
>>> the Identity left nav.
>>>
>>> That may also resolve your second issue with CLI commands. If not, it
>>> could be that you're getting a project scoped token when you should be
>>> getting a domain scoped token. Info on token scopes:
>>> http://docs.openstack.org/admin-guide/keystone_tokens.html
>>>
>>> Thanks,
>>> Brad
>>>
>>>
>>> On 6/9/16, 2:48 AM, "Eugen Block" <eblock at nde.ag> wrote:
>>>
>>>> Hi,
>>>>
>>>> I've managed to enable multi-domain support for my Mitaka environment,
>>>> but there are still some things to configure properly. I have two
>>>> questions regarding domains.
>>>>
>>>>> Log in as admin under the default domain, go to the Domains dashboard
>>>>
>>>> 1. How can I enable the domain view in Horizon? I can't see that tab
>>>> in the dashboard, I'm not sure where to look anymore.
>>>>
>>>> 2. Has anyone a working separation of cloud_admin and domain_admin? I
>>>> used the v3-policy file mentioned in the last response, changed the
>>>> admin_domain_id to default as suggested, updated the keystone
>>>> endpoints to v3, but now I can't execute some actions like list
>>>> projects, list users etc. The logs say
>>>>
>>>>      You are not authorized to perform the requested action: identity:list_domains
>>>>
>>>> So I take a look into the policy.json:
>>>>
>>>>     "cloud_admin": "rule:admin_required and domain_id:default",
>>>>     "identity:list_domains": "rule:cloud_admin"
>>>>
>>>> As far as I understand, I assigned the domain "default" to
>>>> cloud_admin, so I assume that I should be able to list domains,
>>>> projects etc.
>>>> Until now I simply used the default config files for identity, can
>>>> anyone advise how to configure that file properly?
>>>>
>>>> Regards,
>>>> Eugen
>>>>
>>>>
>>>> Quoting Brad Pokorny <Brad_Pokorny at symantec.com>:
>>>>
>>>>> 1. Yes, you can create new users in the "labA" domain via Horizon.
>>>>> Log in as admin under the default domain, go to the Domains
>>>>> dashboard, and click the "Set Domain Context" button for the "labA"
>>>>> domain. Then when you go back to the create user workflow, the
>>>>> "labA" domain will be automatically filled in for the user.
>>>>> 2. Go to the Domains tab, click the "Set Domain Context" button for
>>>>> the other domain, and go back to the Users dashboard.
>>>>>
>>>>> If you later need to think about using a domain admin via Horizon,
>>>>> take a look at this blog post:
>>>>> http://www.symantec.com/connect/blogs/domain-support-horizon-here
>>>>>
>>>>> Thanks,
>>>>> Brad
>>>>>
>>>>> From: zhihao wang <wangzhihaocom at hotmail.com>
>>>>> Date: Tuesday, May 31, 2016 at 8:40 AM
>>>>> To: "openstack at lists.openstack.org" <openstack at lists.openstack.org>
>>>>> Subject: [Openstack] Openstack Mitaka Domain question
>>>>>
>>>>> Hi All
>>>>>
>>>>> I set up OpenStack Mitaka, and besides the "default" domain, I
>>>>> created another domain called "labA".
>>>>>
>>>>> I log in using the labA domain.
>>>>>
>>>>> My questions are:
>>>>> 1. Can I create different users and assign them to different domains
>>>>> from the Horizon dashboard GUI? Or do I have to do it from the command line?
>>>>> 2. If I log in as the admin user under the default domain, how can I see all
>>>>> the users from all the different domains in the Horizon dashboard GUI?
>>>>>
>>>>> Thanks a lot
>>>>> wally
>>>>
>>>>
>>>> --
>>>> Eugen Block                             voice   : +49-40-559 51 75
>>>> NDE Netzdesign und -entwicklung AG      fax     : +49-40-559 51 77
>>>> Postfach 61 03 15
>>>> D-22423 Hamburg                         e-mail  : eblock at nde.ag
>>>>
>>>>         Chair of the Supervisory Board: Angelika Mozdzen
>>>>   Registered office and court of registration: Hamburg, HRB 90934
>>>>               Executive Board: Jens-U. Mozdzen
>>>>                 VAT ID No. DE 814 013 983
>>>>
>>>>



-------------- next part --------------
A non-text attachment was scrubbed...
Name: policy.json
Type: application/json
Size: 13885 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20160621/3ec08cf0/attachment.json>
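
The scope question raised in this thread, as an added example that is not part of the original e-mails: a simplified Python model (not oslo.policy's or Keystone's own code) of how the quoted `cloud_admin` rule matches against token credentials. The credential field names, the `role:admin` definition of `admin_required`, the project ID placeholder and the exact form of the `user_id` rule are assumptions.

```python
# Simplified model of policy matching for the rules quoted in the thread.
RULES = {
    "admin_required": "role:admin",  # assumed definition
    "cloud_admin": "rule:admin_required and domain_id:default",
    "identity:list_domains": "rule:cloud_admin",
}


def check(expr, creds, rules):
    """Evaluate an 'and'-joined rule string against a credentials dict."""
    for term in expr.split(" and "):
        kind, _, match = term.strip().partition(":")
        if kind == "rule":
            ok = check(rules[match], creds, rules)
        elif kind == "role":
            ok = match.lower() in [r.lower() for r in creds.get("roles", [])]
        else:
            # Generic check: the credential must exist and equal the match.
            ok = kind in creds and str(creds[kind]) == match
        if not ok:
            return False
    return True


def allowed(action, creds, rules=RULES):
    return check(rules[action], creds, rules)


# Constructed credentials. USER is the admin user ID from the CLI output
# in the thread; the project ID is a placeholder.
USER = "89c5dcc8793d4867bae22d50e51e16b3"
project_scoped = {"user_id": USER, "roles": ["admin"],
                  "project_id": "PROJECT_ID_PLACEHOLDER"}
domain_scoped = {"user_id": USER, "roles": ["admin"], "domain_id": "default"}


def with_user_id_rule():
    """Assumed form of the workaround: pin cloud_admin to one user ID."""
    rules = dict(RULES)
    rules["cloud_admin"] = "rule:admin_required and user_id:" + USER
    return rules


if __name__ == "__main__":
    print("project-scoped:", allowed("identity:list_domains", project_scoped))
    print("domain-scoped: ", allowed("identity:list_domains", domain_scoped))
    print("user_id rule:  ", allowed("identity:list_domains", project_scoped,
                                     with_user_id_rule()))
```

In this model the `domain_id:default` term only matches credentials that carry a `domain_id`, which is why the token scope matters. The `user_id` form matches under either scope but ties cloud-admin rights to a single account rather than to the role assignment on the Default domain.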

