is there anyone tryed this and successfully? On Mon, Mar 9, 2015 at 4:25 PM, Lei Zhang <zhang.lei....@gmail.com> wrote:
> Hi guys, > > I am setting up the keytone v3 api. Now I meet a issue about the > `cloud_admin` policy. > > Base on the > http://www.florentflament.com/blog/setting-keystone-v3-domains.html > article, I modify the cloud_admin policy to > > ``` > "cloud_admin": "rule:admin_required and > domain_id:ef0d30167f744401a0cbfcc938ea7d63", > ``` > > But the cloud_admin don't work as expected. I failed to open all the > identity panel ( like http://<host>/horizon/identity/domains/) > Horizon tell me" Error: Unable to retrieve project list." > And keystone log warning: > > ``` > 2015-03-09 16:00:06.423 9415 DEBUG keystone.policy.backends.rules [-] > enforce identity:list_user_projects: {'is_delegated_auth': False, > 'access_token_id': None, 'user_id': u'6433222efd78459bb70ad9adbcfac418', > 'roles': [u'_member_', u'admin'], 'trustee_id': None, 'trustor_id': None, > 'consumer_id': None, 'token': <KeystoneToken > (audit_id=DWsSa6yYSWi0ht9E7q4uhw, audit_chain_id=w_zLBBeFQ82KevtJrdKIJw) at > 0x7f4503fab3c8>, 'project_id': u'4d170baaa89b4e46b239249eb5ec6b00', > 'trust_id': None}, enforce > /usr/lib/python2.7/dist-packages/keystone/policy/backends/rules.py:100 > 2015-03-09 16:00:06.061 9410 WARNING keystone.common.wsgi [-] You are not > authorized to perform the requested action: identity:list_projects (Disable > debug mode to suppress these details.) > ``` > > I make some debug and found that, the root cause is that the `context` > variable in keystone has no `domain_id` field( like the above keystone > log). So the `cloud_admin` rule failed. if i change the `cloud_admin` to > following. It works as expected. > > ``` > "cloud_admin": "rule:admin_required and user_id: > 6433222efd78459bb70ad9adbcfac418", > ``` > > I found that in the keystone code[0], the domain_id only exist when it is > a domain scope. But i believe that the horizon login token is a project > one( I am not very sure this) > > ``` > if token.project_scoped: > auth_context['project_id'] = token.project_id > elif token.domain_scoped: > auth_context['domain_id'] = token.domain_id > else: > LOG.debug('RBAC: Proceeding without project or domain scope') > > ``` > > Is it a bug? or some wrong configuration? > > > Following is my configuration. > > > ``` > # /etc/keystone/keystone.conf > [DEFAULT] > debug=true > verbose=true > log_dir=/var/log/keystone > [assignment] > driver = keystone.assignment.backends.sql.Assignment > [database] > connection=mysql://xxxx:xxxx@controller/keystone > [identity] > driver=keystone.identity.backends.sql.Identity > [memcache] > servers=controller1:11211,controller2:11211,controller3:1121 > [token] > provider=keystone.token.providers.uuid.Provider > ``` > > ``` > # /etc/openstack-dashboard/local_settings.py ( partly ) > POLICY_FILES_PATH = "/etc/openstack-dashboard/" > POLICY_FILES = { > 'identity': 'keystone_policy.json', > } > OPENSTACK_HOST = "127.0.0.1" > OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST > OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_" > OPENSTACK_API_VERSIONS = { > "data_processing": 1.1, > "identity": 3, > "volume": 2 > } > OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True > OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'admin' > ``` > > [0] > https://github.com/openstack/keystone/blob/master/keystone/common/authorization.py#L58 > > > -- > Lei Zhang > Blog: http://xcodest.me > twitter/weibo: @jeffrey4l > -- Lei Zhang Blog: http://xcodest.me twitter/weibo: @jeffrey4l
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev