Hi Sergey,

The policies in GitHub are expected to be this way. For many environments, 
Domains are used to separate users (including domain admins) from doing bad 
things to each other. Restricting access to the list of all domains in the 
cloud is just one aspect of this separation, so that a domain admin can't get 
information about other domains in the cloud. If that's not a concern in your 
environment, you can certainly modify the policies for your own needs. 
Modifying the policies for specific situations is very common.

The Horizon code you reference shouldn't cause problems for a domain admin, as 
it's intended to check if the user has access to list domains before attempting 
the list_domains call to keystone. If everything is set up properly, the domain 
admin should see the Domains section in the Horizon left nav and see their 
single domain on the Domains page.

If you're seeing issues beyond that, please check out this blog post that walks 
through the setup to avoid common issues:
http://www.symantec.com/connect/blogs/domain-support-horizon-here

Thanks,
Brad

From: Сергей Филатов <[email protected]>
Date: Wednesday, September 7, 2016 at 6:15 AM
To: "[email protected]" <[email protected]>
Subject: [Openstack] [Horizon][Keystone] list_domains action logging into dashboard

Hi all,

I’ve set up keystone V3 policies and enabled the Multidomain attribute in horizon.

When I log into horizon as a domain admin, horizon executes the domain_lookup 
function, which performs
policy.check((("identity", "identity:list_domains"),), request)

And by default the keystone v3 policies enable list_domains only for the 
cloud_admin user.
So I assume there’s a bug in either horizon or keystone V3 policies.
Or am I missing the point?


..Sergey Filatov
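
An added example, not part of either message and not Horizon or Keystone code: a simplified Python model of the check the thread describes, showing why a domain admin fails identity:list_domains under a cloud_admin-only rule and how to review what a modified policy would expose. The rule strings, domain names and the helper functions check and allowed_actions are assumptions constructed for illustration.

```python
# Added illustration: a simplified model of the policy check discussed in this
# thread. It is not oslo.policy, Keystone or Horizon code, and every rule
# string and domain name below is constructed.

POLICY_DEFAULT = {
    "cloud_admin": "role:admin and domain_id:admin_domain",
    "identity:list_domains": "rule:cloud_admin",
    "identity:list_users": "rule:cloud_admin or role:admin",
}
# Variant for an environment where hiding the domain list is not a concern.
POLICY_RELAXED = dict(POLICY_DEFAULT)
POLICY_RELAXED["identity:list_domains"] = "rule:cloud_admin or role:admin"

CLOUD_ADMIN = {"roles": ["admin"], "domain_id": "admin_domain"}
DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "domain_a"}


def check(policy, rule, creds):
    """Evaluate an or/and expression of role:, domain_id: and rule: atoms."""
    def atom(text):
        kind, _, value = text.strip().partition(":")
        if kind == "rule":
            return check(policy, value, creds)
        if kind == "role":
            return value in creds.get("roles", ())
        if kind == "domain_id":
            return creds.get("domain_id") == value
        return False  # unknown atom types deny in this model

    expr = policy.get(rule)
    if expr is None:
        return False  # a missing rule denies in this model
    return any(all(atom(a) for a in clause.split(" and "))
               for clause in expr.split(" or "))


def allowed_actions(policy, creds):
    """List the identity: actions these credentials pass, for policy review."""
    return sorted(name for name in policy
                  if name.startswith("identity:") and check(policy, name, creds))


if __name__ == "__main__":
    for label, policy in (("default", POLICY_DEFAULT), ("relaxed", POLICY_RELAXED)):
        print(label, "domain admin may call:", allowed_actions(policy, DOMAIN_ADMIN))
```

Running allowed_actions over a modified policy with a domain admin's credentials before deploying it shows whether the change opens the domain list to every domain admin.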


