Hi Lin, This two PS is what I wanted. Thx a lot.
btw, is it possible that these PS finished in Kilo? On Thu, Mar 12, 2015 at 5:41 PM, Lin Hua Cheng <os.lch...@gmail.com> wrote: > Hi, > > The 'cloud_admin' policy file requires domain-scoped to work to work. > > Horizon does not currently support domain scope token yet. So yes, it is a > gap in horizon at the moment. > > There are on-going patches to address this in horizon: > - https://review.openstack.org/#/c/141153/ > - https://review.openstack.org/#/c/148082/ > > Dan (esp) prepared a nicely written document on this should eventually > work. > > -Lin > > On Wed, Mar 11, 2015 at 7:33 PM, Lei Zhang <zhang.lei....@gmail.com> > wrote: > >> is there anyone tryed this and successfully? >> >> On Mon, Mar 9, 2015 at 4:25 PM, Lei Zhang <zhang.lei....@gmail.com> >> wrote: >> >>> Hi guys, >>> >>> I am setting up the keytone v3 api. Now I meet a issue about the >>> `cloud_admin` policy. >>> >>> Base on the >>> http://www.florentflament.com/blog/setting-keystone-v3-domains.html >>> article, I modify the cloud_admin policy to >>> >>> ``` >>> "cloud_admin": "rule:admin_required and >>> domain_id:ef0d30167f744401a0cbfcc938ea7d63", >>> ``` >>> >>> But the cloud_admin don't work as expected. I failed to open all the >>> identity panel ( like http://<host>/horizon/identity/domains/) >>> Horizon tell me" Error: Unable to retrieve project list." >>> And keystone log warning: >>> >>> ``` >>> 2015-03-09 16:00:06.423 9415 DEBUG keystone.policy.backends.rules [-] >>> enforce identity:list_user_projects: {'is_delegated_auth': False, >>> 'access_token_id': None, 'user_id': u'6433222efd78459bb70ad9adbcfac418', >>> 'roles': [u'_member_', u'admin'], 'trustee_id': None, 'trustor_id': None, >>> 'consumer_id': None, 'token': <KeystoneToken >>> (audit_id=DWsSa6yYSWi0ht9E7q4uhw, audit_chain_id=w_zLBBeFQ82KevtJrdKIJw) at >>> 0x7f4503fab3c8>, 'project_id': u'4d170baaa89b4e46b239249eb5ec6b00', >>> 'trust_id': None}, enforce >>> /usr/lib/python2.7/dist-packages/keystone/policy/backends/rules.py:100 >>> 2015-03-09 16:00:06.061 9410 WARNING keystone.common.wsgi [-] You are >>> not authorized to perform the requested action: identity:list_projects >>> (Disable debug mode to suppress these details.) >>> ``` >>> >>> I make some debug and found that, the root cause is that the `context` >>> variable in keystone has no `domain_id` field( like the above keystone >>> log). So the `cloud_admin` rule failed. if i change the `cloud_admin` to >>> following. It works as expected. >>> >>> ``` >>> "cloud_admin": "rule:admin_required and user_id: >>> 6433222efd78459bb70ad9adbcfac418", >>> ``` >>> >>> I found that in the keystone code[0], the domain_id only exist when it >>> is a domain scope. But i believe that the horizon login token is a project >>> one( I am not very sure this) >>> >>> ``` >>> if token.project_scoped: >>> auth_context['project_id'] = token.project_id >>> elif token.domain_scoped: >>> auth_context['domain_id'] = token.domain_id >>> else: >>> LOG.debug('RBAC: Proceeding without project or domain scope') >>> >>> ``` >>> >>> Is it a bug? or some wrong configuration? >>> >>> >>> Following is my configuration. >>> >>> >>> ``` >>> # /etc/keystone/keystone.conf >>> [DEFAULT] >>> debug=true >>> verbose=true >>> log_dir=/var/log/keystone >>> [assignment] >>> driver = keystone.assignment.backends.sql.Assignment >>> [database] >>> connection=mysql://xxxx:xxxx@controller/keystone >>> [identity] >>> driver=keystone.identity.backends.sql.Identity >>> [memcache] >>> servers=controller1:11211,controller2:11211,controller3:1121 >>> [token] >>> provider=keystone.token.providers.uuid.Provider >>> ``` >>> >>> ``` >>> # /etc/openstack-dashboard/local_settings.py ( partly ) >>> POLICY_FILES_PATH = "/etc/openstack-dashboard/" >>> POLICY_FILES = { >>> 'identity': 'keystone_policy.json', >>> } >>> OPENSTACK_HOST = "127.0.0.1" >>> OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST >>> OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_" >>> OPENSTACK_API_VERSIONS = { >>> "data_processing": 1.1, >>> "identity": 3, >>> "volume": 2 >>> } >>> OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True >>> OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'admin' >>> ``` >>> >>> [0] >>> https://github.com/openstack/keystone/blob/master/keystone/common/authorization.py#L58 >>> >>> >>> -- >>> Lei Zhang >>> Blog: http://xcodest.me >>> twitter/weibo: @jeffrey4l >>> >> >> >> >> -- >> Lei Zhang >> Blog: http://xcodest.me >> twitter/weibo: @jeffrey4l >> >> __________________________________________________________________________ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: >> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >> > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > -- Lei Zhang Blog: http://xcodest.me twitter/weibo: @jeffrey4l
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev