Hello,

As far as I can tell, Horizon uses python-openstack-auth to authenticate users. At the same time, the openstack_auth.KeystoneBackend.authenticate method generates only project-scoped tokens.

After enabling policy checks in Keystone, I tried to view a list of all projects on the Admin panel and got "Error: Unauthorized: Unable to retrieve project list." on the dashboard and the following in the Keystone log:

enforce identity:list_projects: {'project_id': u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id': u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}
...
WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action, identity:list_projects.

This is expected, since the user's token is scoped to a project, and no access to domain-wide resources should be allowed.

How can I work around this? Is it possible to use policy checks on the Keystone side while working with Horizon?

I am using stable/icehouse and Keystone API v3.

Thanks,
Roman
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
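
The scoping mismatch described in the message above, as an added example that is not part of the original post and is not Keystone or Horizon code. It builds a Keystone v3 POST /v3/auth/tokens body with project scope and with domain scope, then checks each against a hypothetical domain-matching rule. Assumptions: the domain id "default", the password, and the rule itself are constructed (the message does not show the policy file); the user and project ids are the ones in the quoted log line.

```python
# Added illustration: a simplified model, not Keystone or Horizon code.
USER_ID = "ed14fd91122b47d2a6f575499ed0c4bb"      # from the log line above
PROJECT_ID = "80d91944f5af4c53ad5df4e386376e08"   # from the log line above
DOMAIN_ID = "default"                             # assumed domain id


def auth_body(user_id, password, scope_kind, scope_id):
    """Body for POST /v3/auth/tokens, scoped to a project or a domain."""
    if scope_kind not in ("project", "domain"):
        raise ValueError("scope_kind must be 'project' or 'domain'")
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"id": user_id,
                                           "password": password}}},
        "scope": {scope_kind: {"id": scope_id}},
    }}


def credentials(body, roles):
    """Flatten a request's scope into a credential dict like the logged one."""
    auth = body["auth"]
    creds = {"user_id": auth["identity"]["password"]["user"]["id"],
             "roles": list(roles), "group_ids": []}
    for kind, ref in auth["scope"].items():
        creds[kind + "_id"] = ref["id"]   # yields project_id or domain_id
    return creds


def may_list_projects(creds, target_domain_id):
    """Hypothetical rule: admin role AND token scoped to the target domain."""
    return ("admin" in creds["roles"]
            and creds.get("domain_id") == target_domain_id)


def demo():
    """Evaluate the rule for a project-scoped and a domain-scoped request."""
    results = {}
    for kind, scope_id in (("project", PROJECT_ID), ("domain", DOMAIN_ID)):
        body = auth_body(USER_ID, "constructed-password", kind, scope_id)
        results[kind] = may_list_projects(credentials(body, ["admin"]),
                                          DOMAIN_ID)
    return results


if __name__ == "__main__":
    print(demo())
```

The project-scoped credentials carry project_id but no domain_id, so a rule that matches on the domain cannot pass even with the admin role present.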
