Re: [openstack-dev] [Horizon] Project list with turned-on policy in Keystone

2014-05-12 Thread Yaguang Tang
Roman,

It's not fully supported; right now domain, project, user management isn't
supported within admin user or domain user, but you can log in with a
domain user and operate as a normal user.


2014-05-06 16:23 GMT+08:00 Roman Bodnarchuk:

>  Hello,
>
> Does this mean that there is no real support for non-default domains in
> Horizon?
>
> Thanks,
> Roman
>
>
> On 5/5/2014 2:30 PM, Yaguang Tang wrote:
>
> I think this is a common requirement for users who want to use Keystone v3. I
> filed a blueprint for it
> https://blueprints.launchpad.net/horizon/+spec/domain-based-rbac.
>
>
> 2014-04-24 23:30 GMT+08:00 Roman Bodnarchuk:
>
>>  Hello,
>>
>> As far as I can tell, Horizon uses python-openstack-auth to authenticate
>> users.  At the same time, the openstack_auth.KeystoneBackend.authenticate
>> method generates only project-scoped tokens.
>>
>> After enabling policy checks in Keystone, I tried to view a list of all
>> projects on the Admin panel and got "*Error:* Unauthorized: Unable to
>> retrieve project list." on the dashboard and the following in the Keystone log:
>>
>> enforce identity:list_projects: {'project_id':
>> u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id':
>> u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}
>> ...
>> WARNING keystone.common.wsgi [-] You are not authorized to perform the
>> requested action, identity:list_projects.
>>
>> This is expected, since the user's token is scoped to a project, and no access
>> to domain-wide resources should be allowed.
>>
>> How can I work around this?  Is it possible to use policy checks on the Keystone
>> side while working with Horizon?
>>
>> I am using stable/icehouse and Keystone API v3.
>>
>> Thanks,
>> Roman
>>
>> ___
>> OpenStack-dev mailing list
>> OpenStack-dev@lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>
>
>  --
>  Tang Yaguang
>
>  Canonical Ltd. | www.ubuntu.com | www.canonical.com
> Mobile:  +86 152 1094 6968
> gpg key: 0x187F664F
>
>
>


-- 
Tang Yaguang

Canonical Ltd. | www.ubuntu.com | www.canonical.com
Mobile:  +86 152 1094 6968
gpg key: 0x187F664F


Re: [openstack-dev] [Horizon] Project list with turned-on policy in Keystone

2014-05-06 Thread Roman Bodnarchuk

Hello,

Does this mean that there is no real support for non-default domains in 
Horizon?


Thanks,
Roman

On 5/5/2014 2:30 PM, Yaguang Tang wrote:
I think this is a common requirement for users who want to use Keystone
v3. I filed a blueprint for it
https://blueprints.launchpad.net/horizon/+spec/domain-based-rbac.



2014-04-24 23:30 GMT+08:00 Roman Bodnarchuk <roman.bodnarc...@indigitus.ch>:


Hello,

As far as I can tell, Horizon uses python-openstack-auth to
authenticate users.  At the same time, the
openstack_auth.KeystoneBackend.authenticate method generates only
project-scoped tokens.

After enabling policy checks in Keystone, I tried to view a list
of all projects on the Admin panel and got "*Error:* Unauthorized:
Unable to retrieve project list." on the dashboard and the following in
the Keystone log:

enforce identity:list_projects: {'project_id':
u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id':
u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}
...
WARNING keystone.common.wsgi [-] You are not authorized to perform
the requested action, identity:list_projects.

This is expected, since the user's token is scoped to a project, and no
access to domain-wide resources should be allowed.

How can I work around this?  Is it possible to use policy checks on
the Keystone side while working with Horizon?

I am using stable/icehouse and Keystone API v3.

Thanks,
Roman





--
Tang Yaguang

Canonical Ltd. | www.ubuntu.com | www.canonical.com
Mobile:  +86 152 1094 6968
gpg key: 0x187F664F




Re: [openstack-dev] [Horizon] Project list with turned-on policy in Keystone

2014-05-05 Thread Yaguang Tang
I think this is a common requirement for users who want to use Keystone v3. I
filed a blueprint for it
https://blueprints.launchpad.net/horizon/+spec/domain-based-rbac.


2014-04-24 23:30 GMT+08:00 Roman Bodnarchuk:

>  Hello,
>
> As far as I can tell, Horizon uses python-openstack-auth to authenticate
> users.  At the same time, the openstack_auth.KeystoneBackend.authenticate
> method generates only project-scoped tokens.
>
> After enabling policy checks in Keystone, I tried to view a list of all
> projects on the Admin panel and got "*Error:* Unauthorized: Unable to
> retrieve project list." on the dashboard and the following in the Keystone log:
>
> enforce identity:list_projects: {'project_id':
> u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id':
> u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}
> ...
> WARNING keystone.common.wsgi [-] You are not authorized to perform the
> requested action, identity:list_projects.
>
> This is expected, since the user's token is scoped to a project, and no access
> to domain-wide resources should be allowed.
>
> How can I work around this?  Is it possible to use policy checks on the Keystone
> side while working with Horizon?
>
> I am using stable/icehouse and Keystone API v3.
>
> Thanks,
> Roman
>
>
>


-- 
Tang Yaguang

Canonical Ltd. | www.ubuntu.com | www.canonical.com
Mobile:  +86 152 1094 6968
gpg key: 0x187F664F


[openstack-dev] [Horizon] Project list with turned-on policy in Keystone

2014-04-24 Thread Roman Bodnarchuk

Hello,

As far as I can tell, Horizon uses python-openstack-auth to authenticate
users.  At the same time, the openstack_auth.KeystoneBackend.authenticate
method generates only project-scoped tokens.

After enabling policy checks in Keystone, I tried to view a list of all
projects on the Admin panel and got "*Error:* Unauthorized: Unable to
retrieve project list." on the dashboard and the following in the Keystone log:


enforce identity:list_projects: {'project_id': 
u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id': 
u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}

...
WARNING keystone.common.wsgi [-] You are not authorized to perform the 
requested action, identity:list_projects.


This is expected, since the user's token is scoped to a project, and no access
to domain-wide resources should be allowed.


How can I work around this?  Is it possible to use policy checks on the
Keystone side while working with Horizon?


I am using stable/icehouse and Keystone API v3.

Thanks,
Roman
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
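
The denial reported in the original post, reproduced as an added example that is not part of the thread and is not Keystone or Horizon code: it parses the quoted `enforce` log line, classifies the token scope, and evaluates an assumed domain-matching rule (`role:admin and domain_id:%(domain_id)s`; the thread does not show the deployment's policy file). The domain id `default` and all helper names are constructed for illustration.

```python
import ast
import re

# Log line as quoted in the thread, joined onto one line.
LOG_LINE = ("enforce identity:list_projects: {'project_id': "
            "u'80d91944f5af4c53ad5df4e386376e08', 'group_ids': [], 'user_id': "
            "u'ed14fd91122b47d2a6f575499ed0c4bb', 'roles': [u'admin']}")

def parse_enforce(line):
    """Return (action, credentials dict) from a Keystone 'enforce' log line."""
    m = re.match(r"enforce (\S+): (\{.*\})\s*$", line)
    if not m:
        raise ValueError("not an enforce line")
    return m.group(1), ast.literal_eval(m.group(2))

def token_scope(creds):
    """Classify the token scope by which id the credentials carry."""
    if creds.get("domain_id"):
        return "domain"
    if creds.get("project_id"):
        return "project"
    return "unscoped"

def generic_check(kind, template, creds, target):
    """Model a 'kind:%(key)s' check: creds[kind] must equal the target value."""
    try:
        wanted = template % target
    except KeyError:          # target does not carry the referenced key
        return False
    return kind in creds and str(creds[kind]) == wanted

def may_list_projects(creds, target):
    """ASSUMED rule (not shown in the thread): role:admin and domain_id:%(domain_id)s."""
    return "admin" in creds.get("roles", []) and generic_check(
        "domain_id", "%(domain_id)s", creds, target)

def scope_block(kind, ident):
    """'scope' member of a Keystone v3 POST /v3/auth/tokens body ('project' or 'domain')."""
    return {kind: {"id": ident}}

if __name__ == "__main__":
    action, creds = parse_enforce(LOG_LINE)
    target = {"domain_id": "default"}            # constructed: domain being listed
    print(action, token_scope(creds), may_list_projects(creds, target))
    domain_creds = {"domain_id": "default",      # constructed domain-scoped credentials
                    "user_id": creds["user_id"], "roles": ["admin"]}
    print(token_scope(domain_creds), may_list_projects(domain_creds, target))
```

The logged credentials carry `project_id` but no `domain_id`, so the domain-matching check fails even though the `admin` role is present; the same user with domain-scoped credentials passes.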