I think this is a common requirement for users who want to use keystone v3. I filed a blueprint for it https://blueprints.launchpad.net/horizon/+spec/domain-based-rbac.
2014-04-24 23:30 GMT+08:00 Roman Bodnarchuk <roman.bodnarc...@indigitus.ch>:

> Hello,
>
> As far as I can tell, Horizon uses python-openstack-auth to authenticate
> users. At the same time, openstack_auth.KeystoneBackend.authenticate
> method generates only project scoped tokens.
>
> After enabling policy checks in Keystone, I tried to view a list of all
> projects on Admin panel and got "*Error:* Unauthorized: Unable to
> retrieve project list." on dashboard and the next in Keystone log:
>
> enforce identity:list_projects: {'project_id':
> u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id':
> u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}
> ...
> WARNING keystone.common.wsgi [-] You are not authorized to perform the
> requested action, identity:list_projects.
>
> This is expected, since user's token is scoped to project, and no access
> to domain-wide resources should be allowed.
>
> How to work-around this? Is it possible to use policy checks on Keystone
> side while working with Horizon?
>
> I am using stable/icehouse and Keystone API v3.
>
> Thanks,
> Roman
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
Tang Yaguang
Canonical Ltd. | www.ubuntu.com | www.canonical.com
Mobile: +86 152 1094 6968
gpg key: 0x187F664F
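
Added example, not part of the thread and not Horizon, python-openstack-auth or Keystone code: the Keystone v3 token request body with a project scope versus a domain scope, and why the credential dict from the quoted log line cannot satisfy a domain-matching rule for identity:list_projects. The rule, the function names, the "default" domain id and the password placeholder are assumptions; the user and project ids are the ones in the log line.

```python
# Added illustration. The rule below is an ASSUMED, simplified domain-aware
# policy ("admin role and token domain_id equals the target domain"), not the
# policy file of any particular deployment.

USER_ID = "ed14fd91122b47d2a6f575499ed0c4bb"     # from the quoted log line
PROJECT_ID = "80d91944f5af4c53ad5df4e386376e08"  # from the quoted log line
DOMAIN_ID = "default"                            # constructed sample value


def auth_body(user_id, password, scope_kind, scope_id):
    """Body for POST /v3/auth/tokens; scope_kind is 'project' or 'domain'."""
    if scope_kind not in ("project", "domain"):
        raise ValueError("scope_kind must be 'project' or 'domain'")
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"id": user_id,
                                           "password": password}}},
        "scope": {scope_kind: {"id": scope_id}},
    }}


def credentials_for(body, roles):
    """Credential dict shaped like the one after 'enforce' in the log."""
    user = body["auth"]["identity"]["password"]["user"]
    kind, ref = next(iter(body["auth"]["scope"].items()))
    return {"user_id": user["id"], "group_ids": [], "roles": list(roles),
            kind + "_id": ref["id"]}


def may_list_projects(creds, target_domain_id):
    """Assumed rule: role:admin and domain_id:%(domain_id)s."""
    if "admin" not in creds.get("roles", []):
        return False
    # A project-scoped token carries project_id only, so there is no
    # domain_id to compare and the check fails even for an admin.
    domain_id = creds.get("domain_id")
    return domain_id is not None and domain_id == target_domain_id


if __name__ == "__main__":
    for kind, ref in (("project", PROJECT_ID), ("domain", DOMAIN_ID)):
        body = auth_body(USER_ID, "PLACEHOLDER", kind, ref)
        creds = credentials_for(body, ["admin"])
        print(kind, "scoped ->", may_list_projects(creds, DOMAIN_ID))
```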