domain version of >dashboards< keystone_policy.json [closed]

asked 2017-02-03 05:37:39 -0500

theque42 gravatar image

I am running with Identity v3 and have finally gotten some better results with domain policies, from CLI at least

But during my troubleshooting of dashboard issues, I found notes saying that the policy files used by horizon must match the ones used by for instance keystone.

Well, there is NO indication in the installation description for horizon at (http://docs.openstack.org/mitaka/inst...) that I need to update/sync these, when I use domains.

Looking at the source: https://github.com/openstack/horizon, I cant find any version of a domains enabled copy.

So are you just supposed to use https://github.com/openstack/keystone..., and copy it for both keystone and horizon? (Updated with domain_id for your cloud admin domains of course)

It doesnt help any way, if my goal is to have a non-default domain as the global domain-wide admin-domain, where a user with admin-role on both domain and project level, can manage ALL domains. Horizon will only show the single domain the user belongs to, and its single project with admin role credentials.

Seems like mitaka*dashboard is not capable of this?

(Logging in as admin/default-domain WILL show all domains, since I have two domains configured for cloud wide domains)

    [root@ctrl keystone(cloudAdmin)]# grep "cloud_ad.*domain_id:" policy.json
    "cloud_admin": "role:admin and (is_admin_project:True or domain_id:bf18971c27f845c4b05194b3f91ced85 or domain_id:default)",
MasterCloud[lab4]:cloudAdmin@
[root@ctrl keystone(cloudAdmin)]# oo domain list
+----------------------------------+--------------+---------+--------------------------+
| ID                               | Name         | Enabled | Description              |
+----------------------------------+--------------+---------+--------------------------+
| 9b08c409450f4950a3c6ab69b574f429 | heat         | True    | Stack projects and users |
| bf18971c27f845c4b05194b3f91ced85 | MasterCloud  | True    |                          |
| d08c7105370d4629a6d3db3abf18e0a3 | StudentCloud | True    |                          |
| default                          | Default      | True    | The default domain       |
+----------------------------------+--------------+---------+--------------------------+
MasterCloud[lab4]:cloudAdmin@
[root@ctrl keystone(cloudAdmin)]# openstack role assignment list --user cloudAdmin | $REGEXP2NAMES  | grep admin
| admin_Role                       | cloudAdmin_User                  |       | Zion_Prj                         |                                  | False     |
| admin_Role                       | cloudAdmin_User                  |       |                                  | MasterCloud_Dom                  | False     |

Or should it work?

edit retag flag offensive reopen merge delete

Closed for the following reason question is not relevant or outdated by mary_grace
close date 2017-12-14 15:13:55.331204

Comments

theque42 - This question refers to a version which has been EOL'ed. If the issue is still existing with a more recent version, please open a new question with updated details. Here is the list of current OpenStack releases: https://releases.openstack.org

mary_grace gravatar imagemary_grace ( 2017-12-14 15:13:45 -0500 )edit