Re: [openstack-dev] [Horizon] Project list with turned-on policy in Keystone

2014-05-12 Thread Yaguang Tang
Roman,

It's not fully supported. Right now domain, project, and user management isn't
supported within admin user or domain user, but you can log in with a
domain user and operate as a normal user.


2014-05-06 16:23 GMT+08:00 Roman Bodnarchuk roman.bodnarc...@indigitus.ch:

  Hello,

 Does this mean that there is no real support for non-default domains in
 Horizon?

 Thanks,
 Roman


 On 5/5/2014 2:30 PM, Yaguang Tang wrote:

 I think this is a common requirement for users who want to use Keystone v3. I
 filed a blueprint for it
 https://blueprints.launchpad.net/horizon/+spec/domain-based-rbac.


 2014-04-24 23:30 GMT+08:00 Roman Bodnarchuk roman.bodnarc...@indigitus.ch:

  Hello,

 As far as I can tell, Horizon uses python-openstack-auth to authenticate
 users.  At the same time, the openstack_auth.KeystoneBackend.authenticate
 method generates only project-scoped tokens.

 After enabling policy checks in Keystone, I tried to view a list of all
 projects on the Admin panel and got "Error: Unauthorized: Unable to
 retrieve project list." on the dashboard and the following in the Keystone log:

 enforce identity:list_projects: {'project_id':
 u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id':
 u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}
 ...
 WARNING keystone.common.wsgi [-] You are not authorized to perform the
 requested action, identity:list_projects.

 This is expected, since the user's token is scoped to a project, and no access
 to domain-wide resources should be allowed.

 How to work around this?  Is it possible to use policy checks on the Keystone
 side while working with Horizon?

 I am using stable/icehouse and Keystone API v3.

 Thanks,
 Roman

 ___
 OpenStack-dev mailing list
 OpenStack-dev@lists.openstack.org
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




  --
  Tang Yaguang

  Canonical Ltd. | www.ubuntu.com | www.canonical.com
 Mobile:  +86 152 1094 6968
 gpg key: 0x187F664F










-- 
Tang Yaguang

Canonical Ltd. | www.ubuntu.com | www.canonical.com
Mobile:  +86 152 1094 6968
gpg key: 0x187F664F


Re: [openstack-dev] [Horizon] Project list with turned-on policy in Keystone

2014-05-06 Thread Roman Bodnarchuk

Hello,

Does this mean that there is no real support for non-default domains in 
Horizon?


Thanks,
Roman

On 5/5/2014 2:30 PM, Yaguang Tang wrote:
I think this is a common requirement for users who want to use Keystone
v3. I filed a blueprint for it
https://blueprints.launchpad.net/horizon/+spec/domain-based-rbac.



2014-04-24 23:30 GMT+08:00 Roman Bodnarchuk roman.bodnarc...@indigitus.ch:


Hello,

As far as I can tell, Horizon uses python-openstack-auth to
authenticate users.  At the same time, the
openstack_auth.KeystoneBackend.authenticate method generates only
project-scoped tokens.

After enabling policy checks in Keystone, I tried to view a list
of all projects on the Admin panel and got "Error: Unauthorized:
Unable to retrieve project list." on the dashboard and the following in
the Keystone log:

enforce identity:list_projects: {'project_id':
u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id':
u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}
...
WARNING keystone.common.wsgi [-] You are not authorized to perform
the requested action, identity:list_projects.

This is expected, since the user's token is scoped to a project, and no
access to domain-wide resources should be allowed.

How to work around this?  Is it possible to use policy checks on
the Keystone side while working with Horizon?

I am using stable/icehouse and Keystone API v3.

Thanks,
Roman





--
Tang Yaguang

Canonical Ltd. | www.ubuntu.com | www.canonical.com

Mobile:  +86 152 1094 6968
gpg key: 0x187F664F




Re: [openstack-dev] [Horizon] Project list with turned-on policy in Keystone

2014-05-05 Thread Yaguang Tang
I think this is a common requirement for users who want to use Keystone v3. I
filed a blueprint for it
https://blueprints.launchpad.net/horizon/+spec/domain-based-rbac.


2014-04-24 23:30 GMT+08:00 Roman Bodnarchuk roman.bodnarc...@indigitus.ch:

  Hello,

 As far as I can tell, Horizon uses python-openstack-auth to authenticate
 users.  At the same time, the openstack_auth.KeystoneBackend.authenticate
 method generates only project-scoped tokens.

 After enabling policy checks in Keystone, I tried to view a list of all
 projects on the Admin panel and got "Error: Unauthorized: Unable to
 retrieve project list." on the dashboard and the following in the Keystone log:

 enforce identity:list_projects: {'project_id':
 u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id':
 u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}
 ...
 WARNING keystone.common.wsgi [-] You are not authorized to perform the
 requested action, identity:list_projects.

 This is expected, since the user's token is scoped to a project, and no access
 to domain-wide resources should be allowed.

 How to work around this?  Is it possible to use policy checks on the Keystone
 side while working with Horizon?

 I am using stable/icehouse and Keystone API v3.

 Thanks,
 Roman





-- 
Tang Yaguang

Canonical Ltd. | www.ubuntu.com | www.canonical.com
Mobile:  +86 152 1094 6968
gpg key: 0x187F664F


[openstack-dev] [Horizon] Project list with turned-on policy in Keystone

2014-04-24 Thread Roman Bodnarchuk

Hello,

As far as I can tell, Horizon uses python-openstack-auth to authenticate
users.  At the same time, the openstack_auth.KeystoneBackend.authenticate
method generates only project-scoped tokens.


After enabling policy checks in Keystone, I tried to view a list of all
projects on the Admin panel and got "Error: Unauthorized: Unable to
retrieve project list." on the dashboard and the following in the Keystone log:


enforce identity:list_projects: {'project_id': 
u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id': 
u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}

...
WARNING keystone.common.wsgi [-] You are not authorized to perform the 
requested action, identity:list_projects.


This is expected, since the user's token is scoped to a project, and no access
to domain-wide resources should be allowed.


How to work around this?  Is it possible to use policy checks on the
Keystone side while working with Horizon?


I am using stable/icehouse and Keystone API v3.

Thanks,
Roman
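
Added illustration, not part of the thread and not Keystone or Horizon code: the sketch below shows why the credentials in the logged enforce line fail a domain-aware check, and what a domain-scoped Keystone v3 token request body looks like. The rule string, the helper names and the "default" domain id are assumptions made for the example.

```python
# Added illustration; the rule text and helper names are assumptions, not Keystone code.
import json

# Simplified stand-in for a domain-aware rule on identity:list_projects (assumed).
RULE = "role:admin and domain_id:%(domain_id)s"


def auth_body(user_id, password, scope):
    """Build a Keystone v3 POST /v3/auth/tokens body with the given scope."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"id": user_id, "password": password}}},
        "scope": scope,
    }}


def enforce(rule, creds, target):
    """Evaluate 'a and b' checks of the form role:<name> or <cred_key>:%(<target_key>)s."""
    for check in rule.split(" and "):
        kind, _, match = check.partition(":")
        if kind == "role":
            if match not in creds.get("roles", []):
                return False
        else:
            try:
                expected = match % target      # substitute %(domain_id)s from the target
            except KeyError:
                return False                   # target does not name a domain
            if creds.get(kind) != expected:    # a missing credential key never matches
                return False
    return True


# Credentials as logged in the thread: project-scoped, so there is no domain_id key.
PROJECT_SCOPED = {"project_id": "80d91944f5af4c53ad5df4e386376e08", "group_ids": [],
                  "user_id": "ed14fd91122b47d2a6f575499ed0c4bb", "roles": ["admin"]}
# Constructed: what the same user would present with a domain-scoped token.
DOMAIN_SCOPED = {"domain_id": "default", "group_ids": [],
                 "user_id": PROJECT_SCOPED["user_id"], "roles": ["admin"]}
TARGET = {"domain_id": "default"}  # constructed: projects listed for this domain

if __name__ == "__main__":
    print(json.dumps(auth_body(PROJECT_SCOPED["user_id"], "<password>",
                               {"domain": {"id": "default"}}), indent=2))
    print("project-scoped allowed:", enforce(RULE, PROJECT_SCOPED, TARGET))
    print("domain-scoped allowed:", enforce(RULE, DOMAIN_SCOPED, TARGET))
```

The admin role alone does not satisfy the check; the token's scope decides whether a domain_id is present in the credentials at all.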