[Openstack] Openstack Mitaka Domain question

Eugen Block eblock at nde.ag
Wed Jun 22 06:59:35 UTC 2016


> When you said "I use the same file for both horizon and keystone", I'm
> wondering if that means your Keystone policy file in Horizon is called
> policy.json. By default, it will need to be called keystone_policy.json.

Sorry for my misleading answer, the files have different names, but  
the content is the same.

control1:~ # ll /srv/www/openstack-dashboard/openstack_dashboard/conf/keystone_policy.json
-rw-r--r-- 1 root root 6430 17. Jun 00:27 /srv/www/openstack-dashboard/openstack_dashboard/conf/keystone_policy.json

control1:~ # ll /etc/keystone/policy.json
-rw-r--r-- 1 root root 13885 13. Jun 09:59 /etc/keystone/policy.json


> And if you installed everything with devstack

I did not install it with devstack, I followed this guide:  
http://docs.openstack.org/mitaka/install-guide-obs/

The local_settings.py is attached to this email.


Quoting Brad Pokorny <Brad_Pokorny at symantec.com>:

> When you said "I use the same file for both horizon and keystone", I'm
> wondering if that means your Keystone policy file in Horizon is called
> policy.json. By default, it will need to be called keystone_policy.json.
> And if you installed everything with devstack, it will need to be in
> /opt/stack/horizon/openstack_dashboard/conf. Is that the case?
>
> Also, could you attach your local_settings.py file from Horizon?
>
> Thanks,
> Brad
>
> On 6/21/16, 12:01 AM, "Eugen Block" <eblock at nde.ag> wrote:
>
>>> Could you attach copies of your Keystone policy.json file and your
>>> Horizon keystone_policy.json file?
>>
>> I use the same file for both horizon and keystone, it's attached to
>> this email. Please note that I changed the cloud_admin rule to use the
>> user_id of my admin user because domain_id didn't work.
>>
>>> What method did you use to find out the ID of the domain named Default?
>>
>> control1:/etc/keystone # openstack domain list
>> +----------------------------------+---------+---------+----------------+
>> | ID                               | Name    | Enabled | Description    |
>> +----------------------------------+---------+---------+----------------+
>> | 696819fc8d8d40129ca3a7b54145ba9e | heat    | True    | Stack projects |
>> | d17c72d57ef344da922500b4f69de4b2 | users   | True    |                |
>> | default                          | Default | True    |                |
>> +----------------------------------+---------+---------+----------------+
>>
>>> What method did you use to check whether the cloud_admin user has the
>>> admin role on the Default domain?
>>
>> I followed your link in your previous answer
>> http://www.symantec.com/connect/blogs/domain-support-horizon-here.
>> Here's the CLI output to show the role assignment:
>>
>> control1:/etc/keystone # openstack role list | grep admin
>> | 465e2e9e201948668289ceb013277a50 | admin            |
>>
>> control1:/etc/keystone # openstack user list | grep admin
>> | 89c5dcc8793d4867bae22d50e51e16b3 | admin      |
>>
>> control1:/etc/keystone # openstack role assignment list | grep default
>> +----------------------------------+----------------------------------+------+---------+---------+-----------+
>> | Role                             | User                             | Group| Project | Domain  | Inherited |
>> +----------------------------------+----------------------------------+------+---------+---------+-----------+
>> | 465e2e9e201948668289ceb013277a50 | 89c5dcc8793d4867bae22d50e51e16b3 |      |         | default | False     |
>> +----------------------------------+----------------------------------+------+---------+---------+-----------+
>>
>> Regards,
>> Eugen
>>
>> Quoting Brad Pokorny <Brad_Pokorny at symantec.com>:
>>
>>> Could you attach copies of your Keystone policy.json file and your
>>> Horizon keystone_policy.json file?
>>>
>>> What method did you use to find out the ID of the domain named Default?
>>>
>>> What method did you use to check whether the cloud_admin user has the
>>> admin role on the Default domain?
>>>
>>> Thanks,
>>> Brad
>>>
>>> On 6/20/16, 8:05 AM, "Eugen Block" <eblock at nde.ag> wrote:
>>>
>>>> Referring to the invisible domain field in the sidebar-accordion, I
>>>> tried to investigate Horizon with Firebug. If I get it right, the
>>>> identity panel is constructed in
>>>> /usr/lib/python2.7/site-packages/horizon/templates/horizon/_sidebar.html.
>>>> But only four panels are built, projects, users, groups and roles. How can
>>>> I find out why the domain panel is not built here?
>>>>
>>>> I'm logged in as the cloud_admin, in the apache logs I don't see
>>>> permission errors or anything, so that shouldn't be an issue.
>>>>
>>>> Here's some information on the dashboard version I'm using:
>>>>
>>>> control1:/etc/keystone # rpm -qi openstack-dashboard-9.0.2~a0~dev6-1.1.noarch
>>>> Name        : openstack-dashboard
>>>> Version     : 9.0.2~a0~dev6
>>>> Release     : 1.1
>>>> Architecture: noarch
>>>> Install Date: Fr 17 Jun 2016 16:08:08 CEST
>>>> Group       : Development/Languages/Python
>>>> Size        : 50738471
>>>> License     : Apache-2.0
>>>> Signature   : RSA/SHA256, Fr 17 Jun 2016 05:08:31 CEST, Key ID 893a90dad85f9316
>>>> Source RPM  : openstack-dashboard-9.0.2~a0~dev6-1.1.src.rpm
>>>> Build Date  : Fr 17 Jun 2016 05:07:19 CEST
>>>> Build Host  : build33
>>>> Relocations : (not relocatable)
>>>> Vendor      : obs://build.opensuse.org/Cloud:OpenStack
>>>> URL         : http://wiki.openstack.org/OpenStackDashboard
>>>> Summary     : OpenStack Dashboard (Horizon)
>>>>
>>>>
>>>> Any idea what goes wrong here?
>>>>
>>>> Regards,
>>>> Eugen
>>>>
>>>>
>>>> Quoting Brad Pokorny <Brad_Pokorny at symantec.com>:
>>>>
>>>>> I added a "Common Issues" section to this blog post with some things
>>>>> I've seen that have tripped people up:
>>>>> http://www.symantec.com/connect/blogs/domain-support-horizon-here
>>>>>
>>>>> Resolving those things should at least get the Domains dashboard to
>>>>> show up in Horizon. If everything is properly set up, it will show up
>>>>> under the Identity left nav.
>>>>>
>>>>> That may also resolve your second issue with CLI commands. If not, it
>>>>> could be that you're getting a project scoped token when you should be
>>>>> getting a domain scoped token. Info on token scopes:
>>>>> http://docs.openstack.org/admin-guide/keystone_tokens.html
>>>>>
>>>>> Thanks,
>>>>> Brad
>>>>>
>>>>>
>>>>> On 6/9/16, 2:48 AM, "Eugen Block" <eblock at nde.ag> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I've managed to enable multi-domain support for my Mitaka environment,
>>>>>> but there are still some things to configure properly. I have two
>>>>>> questions regarding domains.
>>>>>>
>>>>>>> Log in as admin under the default domain, go to the Domains dashboard
>>>>>>
>>>>>> 1. How can I enable the domain view in Horizon? I can't see that tab
>>>>>> in the dashboard, I'm not sure where to look anymore.
>>>>>>
>>>>>> 2. Has anyone a working separation of cloud_admin and domain_admin? I
>>>>>> used the v3-policy file mentioned in the last response, changed the
>>>>>> admin_domain_id to default as suggested, updated the keystone
>>>>>> endpoints to v3, but now I can't execute some actions like list
>>>>>> projects, list users etc. The logs say
>>>>>>
>>>>>>      You are not authorized to perform the requested action: identity:list_domains
>>>>>>
>>>>>> So I take a look into the policy.json:
>>>>>>
>>>>>>     "cloud_admin": "rule:admin_required and domain_id:default",
>>>>>>     "identity:list_domains": "rule:cloud_admin"
>>>>>>
>>>>>> As far as I understand, I assigned the domain "default" to
>>>>>> cloud_admin, so I assume that I should be able to list domains,
>>>>>> projects etc.
>>>>>> Until now I simply used the default config files for identity, can
>>>>>> anyone advise how to configure that file properly?
>>>>>>
>>>>>> Regards,
>>>>>> Eugen
>>>>>>
>>>>>>
>>>>>> Quoting Brad Pokorny <Brad_Pokorny at symantec.com>:
>>>>>>
>>>>>>> 1. Yes, you can create new users in the "labA" domain via Horizon.
>>>>>>> Log in as admin under the default domain, go to the Domains
>>>>>>> dashboard, and click the "Set Domain Context" button for the "labA"
>>>>>>> domain. Then when you go back to the create user workflow, the
>>>>>>> "labA" domain will be automatically filled in for the user.
>>>>>>> 2. Go to the Domains tab, click the "Set Domain Context" button for
>>>>>>> the other domain, and go back to the Users dashboard.
>>>>>>>
>>>>>>> If you later need to think about using a domain admin via Horizon,
>>>>>>> take a look at this blog post:
>>>>>>> http://www.symantec.com/connect/blogs/domain-support-horizon-here
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Brad
>>>>>>>
>>>>>>> From: zhihao wang <wangzhihaocom at hotmail.com>
>>>>>>> Date: Tuesday, May 31, 2016 at 8:40 AM
>>>>>>> To: "openstack at lists.openstack.org" <openstack at lists.openstack.org>
>>>>>>> Subject: [Openstack] Openstack Mitaka Domain question
>>>>>>>
>>>>>>> Hi All
>>>>>>>
>>>>>>> I set up OpenStack Mitaka, and besides the "default" domain, I
>>>>>>> created another domain called "labA".
>>>>>>>
>>>>>>> I log in using the labA domain.
>>>>>>>
>>>>>>> My questions are:
>>>>>>> 1. Can I create different users and assign them to different domains from
>>>>>>> the Horizon dashboard GUI? Or do I have to do it from the command line?
>>>>>>> 2. If I log in as the admin user under the default domain, how can I see all
>>>>>>> the users of all the different domains in the Horizon dashboard GUI?
>>>>>>>
>>>>>>> Thanks a lot
>>>>>>> wally
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Eugen Block                             voice   : +49-40-559 51 75
>>>>>> NDE Netzdesign und -entwicklung AG      fax     : +49-40-559 51 77
>>>>>> Postfach 61 03 15
>>>>>> D-22423 Hamburg                         e-mail  : eblock at nde.ag
>>>>>>
>>>>>>         Chair of the Supervisory Board: Angelika Mozdzen
>>>>>>     Registered office and register court: Hamburg, HRB 90934
>>>>>>               Executive Board: Jens-U. Mozdzen
>>>>>>                 VAT ID no. DE 814 013 983
>>>>>>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: local_settings.py
Type: text/x-python
Size: 26820 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20160622/8299718d/attachment.py>
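
Added example (not part of the original thread and not Keystone's or oslo.policy's code): a simplified Python model of how the cloud_admin rule quoted above evaluates against the credentials of a domain-scoped versus a project-scoped token, the distinction Brad raises. The admin_required definition, the credential dictionaries, the project ID placeholder and the exact form of the user_id workaround rule are assumptions.

```python
# Simplified model (not oslo.policy itself): supports 'rule:', 'role:' and
# 'key:literal' checks joined by 'and' / 'or'; no parentheses or 'not'.
RULES = {
    "admin_required": "role:admin",  # assumed: sample-policy default
    "cloud_admin": "rule:admin_required and domain_id:default",  # from the thread
    "identity:list_domains": "rule:cloud_admin",                 # from the thread
}
ADMIN_ID = "89c5dcc8793d4867bae22d50e51e16b3"  # admin user ID shown in the thread
# Assumed form of the user_id workaround the poster describes.
WORKAROUND = dict(RULES, cloud_admin="rule:admin_required and user_id:" + ADMIN_ID)


def _atom(atom, creds, rules):
    """Evaluate a single 'kind:match' check against the credentials."""
    kind, _, match = atom.partition(":")
    if kind == "rule":  # unknown rule names fail closed
        return match in rules and check(rules[match], creds, rules)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # Generic check: a key missing from the credentials is a deny.
    return kind in creds and str(creds[kind]) == match


def check(expr, creds, rules):
    """Evaluate a rule expression; 'or' binds looser than 'and'."""
    return any(all(_atom(a.strip(), creds, rules) for a in branch.split(" and "))
               for branch in expr.split(" or "))


def authorize(action, creds, rules=RULES):
    """Return True only if the action has a rule and that rule passes."""
    return action in rules and check(rules[action], creds, rules)


# Constructed credentials: what a token of each scope contributes to the check.
DOMAIN_SCOPED = {"user_id": ADMIN_ID, "roles": ["admin"], "domain_id": "default"}
PROJECT_SCOPED = {"user_id": ADMIN_ID, "roles": ["admin"],
                  "project_id": "PROJECT-ID-PLACEHOLDER"}

if __name__ == "__main__":
    for name, creds in (("domain-scoped", DOMAIN_SCOPED),
                        ("project-scoped", PROJECT_SCOPED)):
        print(name,
              "| thread rule:", authorize("identity:list_domains", creds),
              "| user_id rule:", authorize("identity:list_domains", creds, WORKAROUND))
```

In this model the user_id form passes for either token scope, so it no longer ties cloud-admin rights to holding a domain-scoped token on the admin domain.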