When you said "I use the same file for both horizon and keystone", I'm wondering if that means your Keystone policy file in Horizon is called policy.json. By default, it will need to be called keystone_policy.json. And if you installed everything with devstack, it will need to be in /opt/stack/horizon/openstack_dashboard/conf. Is that the case?
Also, could you attach your local_settings.py file from Horizon? Thanks, Brad On 6/21/16, 12:01 AM, "Eugen Block" <ebl...@nde.ag> wrote: >> Could you attach copies of your Keystone policy.json file and your >>Horizon >> keystone_policy.json file? > >I use the same file for both horizon and keystone, it's attached to >this email. Please note that I changed the cloud_admin rule to use the >user_id of my admin user because domain_id didn't work. > >> What method did you use to find out the ID of the domain named Default? > >control1:/etc/keystone # openstack domain list >+----------------------------------+---------+---------+----------------+ >| ID | Name | Enabled | Description | >+----------------------------------+---------+---------+----------------+ >| 696819fc8d8d40129ca3a7b54145ba9e | heat | True | Stack projects | >| d17c72d57ef344da922500b4f69de4b2 | users | True | | >| default | Default | True | | >+----------------------------------+---------+---------+----------------+ > >> What method did you use to check whether the cloud_admin user has the >> admin role on the Default domain? > >I followed your link in your previous answer >http://www.symantec.com/connect/blogs/domain-support-horizon-here. >Here's the CLI output to show the role assignment: > >control1:/etc/keystone # openstack role list | grep admin >| 465e2e9e201948668289ceb013277a50 | admin | > >control1:/etc/keystone # openstack user list | grep admin >| 89c5dcc8793d4867bae22d50e51e16b3 | admin | > >control1:/etc/keystone # openstack role assignment list | grep default >+----------------------------------+----------------------------------+--- >---+---------+---------+-----------+ >| Role | User >| Group| Project | Domain | Inherited | >+----------------------------------+----------------------------------+--- >---+---------+---------+-----------+ >| 465e2e9e201948668289ceb013277a50 | 89c5dcc8793d4867bae22d50e51e16b3 >| | | default | False | >+----------------------------------+----------------------------------+--- >---+---------+---------+-----------+ > >Regards, >Eugen > >Zitat von Brad Pokorny <brad_poko...@symantec.com>: > >> Could you attach copies of your Keystone policy.json file and your >>Horizon >> keystone_policy.json file? >> >> What method did you use to find out the ID of the domain named Default? >> >> What method did you use to check whether the cloud_admin user has the >> admin role on the Default domain? >> >> Thanks, >> Brad >> >> On 6/20/16, 8:05 AM, "Eugen Block" <ebl...@nde.ag> wrote: >> >>> Referring to the invisible domain field in the sidebar-accordion, I >>> tried to investigate Horizon with Firebug. If I get it right, the >>> identity panel is constructed in >>> >>>/usr/lib/python2.7/site-packages/horizon/templates/horizon/_sidebar.html >>>. >>> But >>> only four panels are built, projects, users, groups and roles. How can >>> I find out why the domain panel is not built here? >>> >>> I'm logged in as the cloud_admin, in the apache logs I don't see >>> permission errors or anything, so that shouldn't be an issue. >>> >>> Here's some information on the dashboard version I'm using: >>> >>> control1:/etc/keystone # rpm -qi >>> openstack-dashboard-9.0.2~a0~dev6-1.1.noarch >>> Name : openstack-dashboard >>> Version : 9.0.2~a0~dev6 >>> Release : 1.1 >>> Architecture: noarch >>> Install Date: Fr 17 Jun 2016 16:08:08 CEST >>> Group : Development/Languages/Python >>> Size : 50738471 >>> License : Apache-2.0 >>> Signature : RSA/SHA256, Fr 17 Jun 2016 05:08:31 CEST, Key ID >>> 893a90dad85f9316 >>> Source RPM : openstack-dashboard-9.0.2~a0~dev6-1.1.src.rpm >>> Build Date : Fr 17 Jun 2016 05:07:19 CEST >>> Build Host : build33 >>> Relocations : (not relocatable) >>> Vendor : obs://build.opensuse.org/Cloud:OpenStack >>> URL : http://wiki.openstack.org/OpenStackDashboard >>> Summary : OpenStack Dashboard (Horizon) >>> >>> >>> Any idea what goes wrong here? >>> >>> Regards, >>> Eugen >>> >>> >>> Zitat von Brad Pokorny <brad_poko...@symantec.com>: >>> >>>> I added a "Common Issues" section to this blog post with some things >>>> I've >>>> seen that have tripped people up: >>>> http://www.symantec.com/connect/blogs/domain-support-horizon-here >>>> >>>> Resolving those things should at least get the Domains dashboard to >>>>show >>>> up in Horizon. If everything is properly set up, it will show up under >>>> the >>>> Identity left nav. >>>> >>>> That may also resolve your second issue with CLI commands. If not, it >>>> could be that you're getting a project scoped token when you should be >>>> getting a domain scoped token. Info on token scopes: >>>> http://docs.openstack.org/admin-guide/keystone_tokens.html >>>> >>>> Thanks, >>>> Brad >>>> >>>> >>>> On 6/9/16, 2:48 AM, "Eugen Block" <ebl...@nde.ag> wrote: >>>> >>>>> Hi, >>>>> >>>>> I've managed to enable multi-domain support for my Mitaka >>>>>environment, >>>>> but there are still some things to configure properly. I have two >>>>> questions regarding domains. >>>>> >>>>>> Log in as admin under the default domain, go to the Domains >>>>>>dashboard >>>>> >>>>> 1. How can I enable the domain view in Horizon? I can't see that tab >>>>> in the dashboard, I'm not sure where to look anymore. >>>>> >>>>> 2. Has anyone a working separation of cloud_admin and domain_admin? I >>>>> used the v3-policy file mentioned in the last response, changed the >>>>> admin_domain_id to default as suggested, updated the keystone >>>>> endpoints to v3, but now I can't execute some actions like list >>>>> projects, list users etc. The logs say >>>>> >>>>> You are not authorized to perform the requested action: >>>>> identity:list_domains >>>>> >>>>> So I take a look into the policy.json: >>>>> >>>>> "cloud_admin": "rule:admin_required and domain_id:default", >>>>> "identity:list_domains": "rule:cloud_admin" >>>>> >>>>> As far as I understand, I assigend the domain "default" to >>>>> cloud_admin, so I assume that I should be able to list domains, >>>>> projects etc. >>>>> Until now I simply used the default config files for identity, can >>>>> anyone advise how to configure that file properly? >>>>> >>>>> Regards, >>>>> Eugen >>>>> >>>>> >>>>> Zitat von Brad Pokorny <brad_poko...@symantec.com>: >>>>> >>>>>> 1. Yes, you can create new users in the "labA" domain via Horizon. >>>>>> Log in as admin under the default domain, go to the Domains >>>>>> dashboard, and click the "Set Domain Context" button for the "labA" >>>>>> domain. Then when you go back to the create user workflow, the >>>>>> "labA" domain will be automatically filled in for the user. >>>>>> 2. Go to the Domains tab, click the "Set Domain Context" button for >>>>>> the other domain, and go back to the Users dashboard. >>>>>> >>>>>> If you later need to think about using a domain admin via Horizon, >>>>>> take a look at this blog post: >>>>>> http://www.symantec.com/connect/blogs/domain-support-horizon-here >>>>>> >>>>>> Thanks, >>>>>> Brad >>>>>> >>>>>> From: zhihao wang >>>>>> <wangzhihao...@hotmail.com<mailto:wangzhihao...@hotmail.com>> >>>>>> Date: Tuesday, May 31, 2016 at 8:40 AM >>>>>> To: >>>>>> >>>>>>"openstack@lists.openstack.org<mailto:openstack@lists.openstack.org>" >>>>>> >>>>>><openstack@lists.openstack.org<mailto:openstack@lists.openstack.org>> >>>>>> Subject: [Openstack] Openstack Mitaka Domain question >>>>>> >>>>>> Hi All >>>>>> >>>>>> I setup the openstack Mitaka, and beside the "default" domain, I >>>>>> create another domain called "labA". >>>>>> >>>>>> I login using labA domain. >>>>>> >>>>>> My question are >>>>>> 1. Can I create different users and assign to different domain from >>>>>> Horizon dashboard GUI? or do i have to do it from a command line? >>>>>> 2. If I login as admin user under default domain, How can I see all >>>>>> the users with all different domain in horizon dashboard GUI? >>>>>> . >>>>>> >>>>>> Thanks a lot >>>>>> wally >>>>> >>>>> >>>>> -- >>>>> Eugen Block voice : +49-40-559 51 75 >>>>> NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77 >>>>> Postfach 61 03 15 >>>>> D-22423 Hamburg e-mail : ebl...@nde.ag >>>>> >>>>> Vorsitzende des Aufsichtsrates: Angelika Mozdzen >>>>> Sitz und Registergericht: Hamburg, HRB 90934 >>>>> Vorstand: Jens-U. Mozdzen >>>>> USt-IdNr. DE 814 013 983 >>>>> >>>>> >>>>> _______________________________________________ >>>>> Mailing list: >>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack >>>>> Post to : openstack@lists.openstack.org >>>>> Unsubscribe : >>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack >>> >>> >>> >>> -- >>> Eugen Block voice : +49-40-559 51 75 >>> NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77 >>> Postfach 61 03 15 >>> D-22423 Hamburg e-mail : ebl...@nde.ag >>> >>> Vorsitzende des Aufsichtsrates: Angelika Mozdzen >>> Sitz und Registergericht: Hamburg, HRB 90934 >>> Vorstand: Jens-U. Mozdzen >>> USt-IdNr. DE 814 013 983 >>> > > > >-- >Eugen Block voice : +49-40-559 51 75 >NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77 >Postfach 61 03 15 >D-22423 Hamburg e-mail : ebl...@nde.ag > > Vorsitzende des Aufsichtsrates: Angelika Mozdzen > Sitz und Registergericht: Hamburg, HRB 90934 > Vorstand: Jens-U. Mozdzen > USt-IdNr. DE 814 013 983 _______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
