I am on Ocata with Shibboleth auth enabled. I noticed that Federated users with the admin role no longer have authorization to use the Admin** panels in Horizon related to Nova, Cinder and Neutron. All regular Identity and Project tabs function, and there are no problems with authorization for local admin users.
----- These Admin tabs work: Hypervisors, Host Aggregates, Flavors, Images, Defaults, Metadata, System Information These result in logout: Instances, Volumes, Networks, Routers, Floating IPs This is not present: Overview ----- The policies are vanilla from the CentOS/RDO openstack-dashboard RPMs: openstack-dashboard-11.0.0-1.el7.noarch python-django-horizon-11.0.0-1.el7.noarch python2-keystonemiddleware-4.14.0-1.el7.noarch python2-keystoneclient-3.10.0-1.el7.noarch openstack-keystone-11.0.0-1.el7.noarch python2-keystoneauth1-2.18.0-1.el7.noarch python-keystone-11.0.0-1.el7.noarch The errors I see in logs are similar to: ==> /var/log/horizon/horizon.log <== 2017-03-07 18:24:54,961 13745 ERROR horizon.exceptions Unauthorized: Traceback (most recent call last): File "/usr/share/openstack-dashboard/openstack_dashboard/dashboards/admin/floating_ips/views.py", line 53, in get_tenant_list tenants, has_more = api.keystone.tenant_list(request) File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 351, in tenant_list manager = VERSIONS.get_project_manager(request, admin=admin) File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 61, in get_project_manager manager = keystoneclient(*args, **kwargs).projects File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 170, in keystoneclient raise exceptions.NotAuthorized NotAuthorized Cheers, -E -- Evan F. Bollig, PhD Scientific Computing Consultant, Application Developer | Scientific Computing Solutions (SCS) Minnesota Supercomputing Institute | msi.umn.edu University of Minnesota | umn.edu boll0...@umn.edu | 612-624-1447 | Walter Lib Rm 556 __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev