domain version of >dashboards< keystone_policy.json

asked 2017-02-03 05:37:39 -0600

theque42 gravatar image

I am running with Identity v3 and have finally gotten some better results with domain policies, from CLI at least

But during my troubleshooting of dashboard issues, I found notes saying that the policy files used by horizon must match the ones used by for instance keystone.

Well, there is NO indication in the installation description for horizon at (http://docs.openstack.org/mitaka/inst...) that I need to update/sync these, when I use domains.

Looking at the source: https://github.com/openstack/horizon, I cant find any version of a domains enabled copy.

So are you just supposed to use https://github.com/openstack/keystone..., and copy it for both keystone and horizon? (Updated with domain_id for your cloud admin domains of course)

It doesnt help any way, if my goal is to have a non-default domain as the global domain-wide admin-domain, where a user with admin-role on both domain and project level, can manage ALL domains. Horizon will only show the single domain the user belongs to, and its single project with admin role credentials.

Seems like mitaka*dashboard is not capable of this?

(Logging in as admin/default-domain WILL show all domains, since I have two domains configured for cloud wide domains)

    [root@ctrl keystone(cloudAdmin)]# grep "cloud_ad.*domain_id:" policy.json
    "cloud_admin": "role:admin and (is_admin_project:True or domain_id:bf18971c27f845c4b05194b3f91ced85 or domain_id:default)",
MasterCloud[lab4]:cloudAdmin@
[root@ctrl keystone(cloudAdmin)]# oo domain list
+----------------------------------+--------------+---------+--------------------------+
| ID                               | Name         | Enabled | Description              |
+----------------------------------+--------------+---------+--------------------------+
| 9b08c409450f4950a3c6ab69b574f429 | heat         | True    | Stack projects and users |
| bf18971c27f845c4b05194b3f91ced85 | MasterCloud  | True    |                          |
| d08c7105370d4629a6d3db3abf18e0a3 | StudentCloud | True    |                          |
| default                          | Default      | True    | The default domain       |
+----------------------------------+--------------+---------+--------------------------+
MasterCloud[lab4]:cloudAdmin@
[root@ctrl keystone(cloudAdmin)]# openstack role assignment list --user cloudAdmin | $REGEXP2NAMES  | grep admin
| admin_Role                       | cloudAdmin_User                  |       | Zion_Prj                         |                                  | False     |
| admin_Role                       | cloudAdmin_User                  |       |                                  | MasterCloud_Dom                  | False     |

Or should it work?

edit retag flag offensive close merge delete