I'm sure additional feedback on those patches would be welcome and helpful toward getting them merged in Kilo
> On Mar 12, 2015, at 9:14 AM, Lei Zhang <zhang.lei....@gmail.com> wrote:
>
> Hi Lin,
>
> These two PS are what I wanted. Thx a lot.
>
> btw, is it possible that these PS are finished in Kilo?
>
>> On Thu, Mar 12, 2015 at 5:41 PM, Lin Hua Cheng <os.lch...@gmail.com> wrote:
>> Hi,
>>
>> The 'cloud_admin' policy file requires a domain-scoped token to work.
>>
>> Horizon does not currently support domain-scoped tokens yet. So yes, it is a
>> gap in horizon at the moment.
>>
>> There are on-going patches to address this in horizon:
>> - https://review.openstack.org/#/c/141153/
>> - https://review.openstack.org/#/c/148082/
>>
>> Dan (esp) prepared a nicely written document on how this should eventually work.
>>
>> -Lin
>>
>>> On Wed, Mar 11, 2015 at 7:33 PM, Lei Zhang <zhang.lei....@gmail.com> wrote:
>>> Is there anyone who has tried this successfully?
>>>
>>>> On Mon, Mar 9, 2015 at 4:25 PM, Lei Zhang <zhang.lei....@gmail.com> wrote:
>>>> Hi guys,
>>>>
>>>> I am setting up the keystone v3 API. Now I have met an issue with the
>>>> `cloud_admin` policy.
>>>>
>>>> Based on the
>>>> http://www.florentflament.com/blog/setting-keystone-v3-domains.html
>>>> article, I modified the cloud_admin policy to
>>>>
>>>> ```
>>>> "cloud_admin": "rule:admin_required and domain_id:ef0d30167f744401a0cbfcc938ea7d63",
>>>> ```
>>>>
>>>> But cloud_admin doesn't work as expected. I failed to open all the
>>>> identity panels (like http://<host>/horizon/identity/domains/).
>>>> Horizon tells me "Error: Unable to retrieve project list."
>>>> And keystone logs a warning:
>>>>
>>>> ```
>>>> 2015-03-09 16:00:06.423 9415 DEBUG keystone.policy.backends.rules [-]
>>>> enforce identity:list_user_projects: {'is_delegated_auth': False,
>>>> 'access_token_id': None, 'user_id': u'6433222efd78459bb70ad9adbcfac418',
>>>> 'roles': [u'_member_', u'admin'], 'trustee_id': None, 'trustor_id': None,
>>>> 'consumer_id': None, 'token': <KeystoneToken
>>>> (audit_id=DWsSa6yYSWi0ht9E7q4uhw, audit_chain_id=w_zLBBeFQ82KevtJrdKIJw)
>>>> at 0x7f4503fab3c8>, 'project_id': u'4d170baaa89b4e46b239249eb5ec6b00',
>>>> 'trust_id': None}, enforce
>>>> /usr/lib/python2.7/dist-packages/keystone/policy/backends/rules.py:100
>>>> 2015-03-09 16:00:06.061 9410 WARNING keystone.common.wsgi [-] You are not
>>>> authorized to perform the requested action: identity:list_projects
>>>> (Disable debug mode to suppress these details.)
>>>> ```
>>>>
>>>> I did some debugging and found that the root cause is that the `context`
>>>> variable in keystone has no `domain_id` field (like the above keystone
>>>> log). So the `cloud_admin` rule failed. If I change the `cloud_admin` to the
>>>> following, it works as expected.
>>>>
>>>> ```
>>>> "cloud_admin": "rule:admin_required and user_id:6433222efd78459bb70ad9adbcfac418",
>>>> ```
>>>>
>>>> I found that in the keystone code[0], the domain_id only exists when it is
>>>> a domain-scoped token. But I believe that the horizon login token is a
>>>> project-scoped one (I am not very sure about this).
>>>>
>>>> ```
>>>> if token.project_scoped:
>>>>     auth_context['project_id'] = token.project_id
>>>> elif token.domain_scoped:
>>>>     auth_context['domain_id'] = token.domain_id
>>>> else:
>>>>     LOG.debug('RBAC: Proceeding without project or domain scope')
>>>> ```
>>>>
>>>> Is it a bug? Or some wrong configuration?
>>>>
>>>>
>>>> Following is my configuration.
>>>>
>>>> ```
>>>> # /etc/keystone/keystone.conf
>>>> [DEFAULT]
>>>> debug=true
>>>> verbose=true
>>>> log_dir=/var/log/keystone
>>>> [assignment]
>>>> driver = keystone.assignment.backends.sql.Assignment
>>>> [database]
>>>> connection=mysql://xxxx:xxxx@controller/keystone
>>>> [identity]
>>>> driver=keystone.identity.backends.sql.Identity
>>>> [memcache]
>>>> servers=controller1:11211,controller2:11211,controller3:1121
>>>> [token]
>>>> provider=keystone.token.providers.uuid.Provider
>>>> ```
>>>>
>>>> ```
>>>> # /etc/openstack-dashboard/local_settings.py (partly)
>>>> POLICY_FILES_PATH = "/etc/openstack-dashboard/"
>>>> POLICY_FILES = {
>>>>     'identity': 'keystone_policy.json',
>>>> }
>>>> OPENSTACK_HOST = "127.0.0.1"
>>>> OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
>>>> OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
>>>> OPENSTACK_API_VERSIONS = {
>>>>     "data_processing": 1.1,
>>>>     "identity": 3,
>>>>     "volume": 2
>>>> }
>>>> OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
>>>> OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'admin'
>>>> ```
>>>>
>>>> [0]
>>>> https://github.com/openstack/keystone/blob/master/keystone/common/authorization.py#L58
>>>>
>>>> --
>>>> Lei Zhang
>>>> Blog: http://xcodest.me
>>>> twitter/weibo: @jeffrey4l
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
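To make the denial discussed in the thread reproducible offline, here is an added example (my code, not from the thread, from Keystone or from oslo.policy). It re-implements in miniature the two pieces the thread hinges on: the auth-context branching quoted from keystone/common/authorization.py, and a toy evaluator for rules of the form `rule:X and attr:value`. The `Token` class, the policy dicts and the `missing_attributes` diagnostic are constructed stand-ins; the domain, user and project ids are the ones quoted in the thread.

```python
"""Reproduce, offline, why a domain-bound 'cloud_admin' rule denies a
project-scoped token. Constructed example: the Token class, the toy rule
evaluator and the policy dicts are stand-ins for Keystone's token object and
oslo.policy, not their real implementations."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Values quoted in the thread: the cloud domain pinned in the policy, the admin
# user and the project Horizon's token was scoped to.
CLOUD_DOMAIN = "ef0d30167f744401a0cbfcc938ea7d63"
ADMIN_USER = "6433222efd78459bb70ad9adbcfac418"
ADMIN_PROJECT = "4d170baaa89b4e46b239249eb5ec6b00"


@dataclass
class Token:
    user_id: str
    roles: List[str]
    project_id: Optional[str] = None  # set only on a project-scoped token
    domain_id: Optional[str] = None   # set only on a domain-scoped token

    @property
    def project_scoped(self) -> bool:
        return self.project_id is not None

    @property
    def domain_scoped(self) -> bool:
        return self.project_id is None and self.domain_id is not None


def build_auth_context(token: Token) -> Dict[str, object]:
    """Same branching as the snippet quoted from keystone/common/authorization.py:
    a project-scoped token yields project_id, a domain-scoped one yields domain_id,
    never both."""
    ctx: Dict[str, object] = {"user_id": token.user_id, "roles": list(token.roles)}
    if token.project_scoped:
        ctx["project_id"] = token.project_id
    elif token.domain_scoped:
        ctx["domain_id"] = token.domain_id
    return ctx


def evaluate(expr: str, ctx: Dict[str, object], policy: Dict[str, str]) -> bool:
    """Toy policy grammar: 'or' of 'and' clauses built from role:X, rule:X and
    attr:value checks (no parentheses or 'not'; enough for the rules in the thread)."""
    def atom(text: str) -> bool:
        kind, _, value = text.strip().partition(":")
        if kind == "rule":
            return evaluate(policy[value], ctx, policy)
        if kind == "role":
            return value in ctx.get("roles", [])
        # attr:value compares against the auth context. An attribute that is not in
        # the context at all (domain_id on a project-scoped token) never matches.
        return ctx.get(kind) == value

    return any(all(atom(a) for a in clause.split(" and ")) for clause in expr.split(" or "))


def enforce(action: str, token: Token, policy: Dict[str, str]) -> bool:
    return evaluate(policy[action], build_auth_context(token), policy)


def missing_attributes(action: str, token: Token, policy: Dict[str, str]) -> Set[str]:
    """Diagnostic: context attributes the rule chain references that the token's
    auth context does not carry. Non-empty means the rule can never pass for this
    token scope, whatever roles the user holds."""
    ctx = build_auth_context(token)
    missing: Set[str] = set()
    todo = [policy[action]]
    while todo:
        for part in todo.pop().replace(" or ", " and ").split(" and "):
            kind, _, value = part.strip().partition(":")
            if kind == "rule":
                todo.append(policy[value])
            elif kind != "role" and kind not in ctx:
                missing.add(kind)
    return missing


# Policy as modified in the thread (domain-pinned cloud_admin) and the user-pinned
# variant the poster found to work.
DOMAIN_POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:" + CLOUD_DOMAIN,
    "identity:list_projects": "rule:cloud_admin",
}
USER_POLICY = dict(DOMAIN_POLICY, cloud_admin="rule:admin_required and user_id:" + ADMIN_USER)

# Constructed tokens: the project-scoped one is what Horizon obtains at login,
# the domain-scoped one is what the domain-pinned rule actually needs.
PROJECT_TOKEN = Token(ADMIN_USER, ["_member_", "admin"], project_id=ADMIN_PROJECT)
DOMAIN_TOKEN = Token(ADMIN_USER, ["_member_", "admin"], domain_id=CLOUD_DOMAIN)

if __name__ == "__main__":
    for name, tok in (("project-scoped", PROJECT_TOKEN), ("domain-scoped", DOMAIN_TOKEN)):
        print(name, "allowed:", enforce("identity:list_projects", tok, DOMAIN_POLICY),
              "missing:", missing_attributes("identity:list_projects", tok, DOMAIN_POLICY))
    print("user_id variant, project-scoped:",
          enforce("identity:list_projects", PROJECT_TOKEN, USER_POLICY))
```

Running it shows the thread's outcome: with the domain-pinned rule the project-scoped token is denied and `missing_attributes` reports `{'domain_id'}`, while the same user with a domain-scoped token is allowed. The `user_id` variant passes for the project-scoped token only because `user_id` is present in every auth context; it binds the cloud-admin power to one account rather than to domain scope, which is worth knowing before adopting it as more than a stopgap. When a "You are not authorized" warning appears for a user who does hold the admin role, a check like `missing_attributes` is the quickest way to tell a scope mismatch apart from a missing role.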