Re: [openstack-dev] [Horizon] Project list with turned-on policy in Keystone

Tue, 06 May 2014 01:28:20 -0700 

Hello,
Does this mean that there is no real support for non-default domains in Horizon? 

Thanks,
Roman

On 5/5/2014 2:30 PM, Yaguang Tang wrote:

I think this is an common requirement for users who want to keystone 
v3. I filed a blueprint for it 
https://blueprints.launchpad.net/horizon/+spec/domain-based-rbac.




2014-04-24 23:30 GMT+08:00 Roman Bodnarchuk 
<roman.bodnarc...@indigitus.ch <mailto:roman.bodnarc...@indigitus.ch>>:


    Hello,

    As far as I can tell, Horizon uses python-openstack-auth to
    authenticate users.  In the same time,
    openstack_auth.KeystoneBackend.authenticate method generates only
    project scoped tokens.

    After enabling policy checks in Keystone, I tried to view a list
    of all projects on Admin panel and got "*Error:*Unauthorized:
    Unable to retrieve project list." on dashboard and the next in
    Keystone log:

    enforce identity:list_projects: {'project_id':
    u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id':
    u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}
    ...
    WARNING keystone.common.wsgi [-] You are not authorized to perform
    the requested action, identity:list_projects.

    This is expected, since user's token is scoped to project, and no
    access to domain-wide resources should be allowed.

    How to work-around this?  Is it possible to use policy checks on
    Keystone side while working with Horizon?

    I am using stable/icehouse and Keystone API v3.

    Thanks,
    Roman

    _______________________________________________
    OpenStack-dev mailing list
    OpenStack-dev@lists.openstack.org
    <mailto:OpenStack-dev@lists.openstack.org>
    http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




--
Tang Yaguang


Canonical Ltd. | www.ubuntu.com <http://www.ubuntu.com/> | 
www.canonical.com <http://www.canonical.com/>

Mobile:  +86 152 1094 6968
gpg key: 0x187F664F


_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev






















					Reply via email to