Re: [openstack-dev] [Horizon] Project list with turned-on policy in Keystone
Roman,

It's not fully supported. Right now domain, project, user management isn't supported within admin user or domain user, but you can log in with domain user and operate as a normal user.

2014-05-06 16:23 GMT+08:00 Roman Bodnarchuk roman.bodnarc...@indigitus.ch:

> Hello,
>
> Does this mean that there is no real support for non-default domains in Horizon?
>
> Thanks,
> Roman
>
> On 5/5/2014 2:30 PM, Yaguang Tang wrote:
>
>> I think this is a common requirement for users who want to use keystone v3. I filed a blueprint for it https://blueprints.launchpad.net/horizon/+spec/domain-based-rbac.
>>
>> 2014-04-24 23:30 GMT+08:00 Roman Bodnarchuk roman.bodnarc...@indigitus.ch:
>>
>>> Hello,
>>>
>>> As far as I can tell, Horizon uses python-openstack-auth to authenticate users. At the same time, the openstack_auth.KeystoneBackend.authenticate method generates only project-scoped tokens.
>>>
>>> After enabling policy checks in Keystone, I tried to view a list of all projects on the Admin panel and got *Error:* Unauthorized: Unable to retrieve project list. on the dashboard and the following in the Keystone log:
>>>
>>> enforce identity:list_projects: {'project_id': u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id': u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}
>>> ...
>>> WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action, identity:list_projects.
>>>
>>> This is expected, since the user's token is scoped to a project, and no access to domain-wide resources should be allowed.
>>>
>>> How to work around this? Is it possible to use policy checks on the Keystone side while working with Horizon?
>>>
>>> I am using stable/icehouse and Keystone API v3.
>>>
>>> Thanks,
>>> Roman

--
Tang Yaguang
Canonical Ltd. | www.ubuntu.com | www.canonical.com
Mobile: +86 152 1094 6968
gpg key: 0x187F664F

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Horizon] Project list with turned-on policy in Keystone
Hello,

Does this mean that there is no real support for non-default domains in Horizon?

Thanks,
Roman

On 5/5/2014 2:30 PM, Yaguang Tang wrote:

> I think this is a common requirement for users who want to use keystone v3. I filed a blueprint for it https://blueprints.launchpad.net/horizon/+spec/domain-based-rbac.
>
> 2014-04-24 23:30 GMT+08:00 Roman Bodnarchuk roman.bodnarc...@indigitus.ch:
>
>> Hello,
>>
>> As far as I can tell, Horizon uses python-openstack-auth to authenticate users. At the same time, the openstack_auth.KeystoneBackend.authenticate method generates only project-scoped tokens.
>>
>> After enabling policy checks in Keystone, I tried to view a list of all projects on the Admin panel and got *Error:* Unauthorized: Unable to retrieve project list. on the dashboard and the following in the Keystone log:
>>
>> enforce identity:list_projects: {'project_id': u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id': u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}
>> ...
>> WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action, identity:list_projects.
>>
>> This is expected, since the user's token is scoped to a project, and no access to domain-wide resources should be allowed.
>>
>> How to work around this? Is it possible to use policy checks on the Keystone side while working with Horizon?
>>
>> I am using stable/icehouse and Keystone API v3.
>>
>> Thanks,
>> Roman
Re: [openstack-dev] [Horizon] Project list with turned-on policy in Keystone
I think this is a common requirement for users who want to use keystone v3. I filed a blueprint for it https://blueprints.launchpad.net/horizon/+spec/domain-based-rbac.

2014-04-24 23:30 GMT+08:00 Roman Bodnarchuk roman.bodnarc...@indigitus.ch:

> Hello,
>
> As far as I can tell, Horizon uses python-openstack-auth to authenticate users. At the same time, the openstack_auth.KeystoneBackend.authenticate method generates only project-scoped tokens.
>
> After enabling policy checks in Keystone, I tried to view a list of all projects on the Admin panel and got *Error:* Unauthorized: Unable to retrieve project list. on the dashboard and the following in the Keystone log:
>
> enforce identity:list_projects: {'project_id': u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id': u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}
> ...
> WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action, identity:list_projects.
>
> This is expected, since the user's token is scoped to a project, and no access to domain-wide resources should be allowed.
>
> How to work around this? Is it possible to use policy checks on the Keystone side while working with Horizon?
>
> I am using stable/icehouse and Keystone API v3.
>
> Thanks,
> Roman

--
Tang Yaguang
Canonical Ltd. | www.ubuntu.com | www.canonical.com
Mobile: +86 152 1094 6968
gpg key: 0x187F664F
[openstack-dev] [Horizon] Project list with turned-on policy in Keystone
Hello,

As far as I can tell, Horizon uses python-openstack-auth to authenticate users. At the same time, the openstack_auth.KeystoneBackend.authenticate method generates only project-scoped tokens.

After enabling policy checks in Keystone, I tried to view a list of all projects on the Admin panel and got *Error:* Unauthorized: Unable to retrieve project list. on the dashboard and the following in the Keystone log:

enforce identity:list_projects: {'project_id': u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id': u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}
...
WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action, identity:list_projects.

This is expected, since the user's token is scoped to a project, and no access to domain-wide resources should be allowed.

How to work around this? Is it possible to use policy checks on the Keystone side while working with Horizon?

I am using stable/icehouse and Keystone API v3.

Thanks,
Roman
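
The scope mismatch described in the original message, as an added example that is not part of the thread and is not Keystone or Horizon code: it parses the quoted "enforce" log line, classifies the token scope from the credential dict, and models a domain-matching admin rule. The rule shape, the `domain_id` credential key, the domain id `default` and all function names are assumptions for illustration; the request body follows the Keystone v3 `POST /v3/auth/tokens` password format.

```python
import ast
import re

# Log line quoted in the thread; credentials are printed as a Python 2 repr.
SAMPLE = (
    "enforce identity:list_projects: {'project_id': "
    "u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id': "
    "u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}"
)
ENFORCE_RE = re.compile(r"enforce (?P<action>[\w:]+): (?P<creds>\{.*\})")


def parse_enforce(line):
    """Return (action, credentials) from an 'enforce' log line, or None."""
    match = ENFORCE_RE.search(line)
    if match is None:
        return None
    # literal_eval accepts literals only, so log content is never executed.
    return match.group("action"), ast.literal_eval(match.group("creds"))


def token_scope(creds):
    """Classify the scope behind the credentials (assumed key names)."""
    if creds.get("domain_id"):
        return "domain"
    return "project" if creds.get("project_id") else "unscoped"


def domain_admin_allowed(creds, target_domain_id):
    """Hypothetical rule: admin role AND token domain equals target domain."""
    domain = creds.get("domain_id")
    return (domain is not None and domain == target_domain_id
            and "admin" in creds.get("roles", []))


def domain_scoped_auth_body(user_id, password, domain_id):
    """Keystone v3 password auth request asking for a domain-scoped token."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"id": user_id,
                                           "password": password}}},
        "scope": {"domain": {"id": domain_id}},
    }}


if __name__ == "__main__":
    action, creds = parse_enforce(SAMPLE)
    print(action, token_scope(creds), domain_admin_allowed(creds, "default"))
```

The logged credentials carry the admin role but no domain, so a rule that matches on the token's domain denies the request regardless of role.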