[Openstack] [Horizon][Keystone] list_domains action logging into dashboard

Brad Pokorny Brad_Pokorny at symantec.com
Wed Sep 7 16:15:20 UTC 2016


Hi Sergey,

The policies in github are expected to be this way. For many environments, Domains are used to separate users (including domain admins) from doing bad things to each other. Restricting access to the list of all domains in the cloud is just one aspect of this separation, so that a domain admin can't get information about other domains in the cloud. If that's not a concern in your environment, you can certainly modify the policies for your own needs. Modifying the policies for specific situations is very common.

The Horizon code you reference shouldn't cause problems for a domain admin, as it's intended to check if the user has access to list domains before attempting the list_domains call to keystone. If everything is set up properly, the domain admin should see the Domains section in the Horizon left nav and see their single domain on the Domains page.

If you're seeing issues beyond that, please check out this blog post that walks through the setup to avoid common issues:
http://www.symantec.com/connect/blogs/domain-support-horizon-here

Thanks,
Brad

From: Сергей Филатов <filatecs at gmail.com>
Date: Wednesday, September 7, 2016 at 6:15 AM
To: "openstack at lists.openstack.org" <openstack at lists.openstack.org>
Subject: [Openstack] [Horizon][Keystone] list_domains action logging into dashboard

Hi all,

I’ve set up keystone V3 policies and enabled Multidomain attribute in horizon.

When I’m logging into horizon as domain admin, horizon executes the domain_lookup function, which performs
policy.check((("identity", "identity:list_domains"),), request)

And by default keystone v3 policies enable list_domains only for cloud_admin user.
So I assume there’s a bug in either horizon or keystone V3 policies.
Or am I missing the point?


..Sergey Filatov
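
The check-before-call behaviour discussed in this thread, as an added example that is not part of the original messages and is not Horizon, keystone or oslo.policy code. The `cloud_admin` rule body, the domain ids and names, and the fallback to the user's own domain are assumptions constructed for the illustration; only the restriction of `identity:list_domains` to `cloud_admin` comes from the thread.

```python
# Added illustration: a stand-in policy engine, not oslo.policy or Horizon code.
ADMIN_DOMAIN_ID = "d-cloud"  # constructed id of the cloud admin domain

POLICY = {
    # Constructed simplification of a cloud_admin rule (assumption).
    "cloud_admin": "role:admin and domain_id:" + ADMIN_DOMAIN_ID,
    # From the thread: list_domains is allowed only for cloud_admin.
    "identity:list_domains": "rule:cloud_admin",
}

# Constructed sample data.
ALL_DOMAINS = [{"id": "d-cloud", "name": "cloud"},
               {"id": "d-acme", "name": "acme"},
               {"id": "d-beta", "name": "beta"}]
CLOUD_ADMIN = {"roles": ["admin"], "domain_id": "d-cloud", "domain_name": "cloud"}
DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "d-acme", "domain_name": "acme"}


def check(rule, creds):
    """Evaluate 'a and b or c' rules (no parentheses); unknown names deny."""
    def atom(token):
        kind, _, value = token.strip().partition(":")
        if kind == "rule":
            return value in POLICY and check(POLICY[value], creds)
        if kind == "role":
            return value in creds.get("roles", [])
        return creds.get(kind) == value  # generic credential match
    return any(all(atom(t) for t in alt.split(" and "))
               for alt in rule.split(" or "))


def policy_check(action, creds):
    return action in POLICY and check(POLICY[action], creds)


def keystone_list_domains(creds):
    """Server side: enforces the rule itself (stand-in for an HTTP 403)."""
    if not policy_check("identity:list_domains", creds):
        raise PermissionError("identity:list_domains denied")
    return list(ALL_DOMAINS)


def domain_lookup(creds):
    """Dashboard side: check first, so a domain admin never triggers a denial."""
    if policy_check("identity:list_domains", creds):
        return {d["id"]: d["name"] for d in keystone_list_domains(creds)}
    # Assumed fallback: show only the domain the user's token is scoped to.
    return {creds["domain_id"]: creds["domain_name"]}
```

Calling `keystone_list_domains(DOMAIN_ADMIN)` directly raises `PermissionError`, which is the server-side isolation between domains that the client-side check is there to avoid tripping.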


