Does Horizon support domain admin?

asked 2014-01-28 22:11:20 -0500

skashaba gravatar image

Hello Horizon community group,

I'm trying to use horizon with a deployment with domains support (using v3 keystone api and policy.v3cloudsample.json as a reference for policy.json for keystone). I figured out that I can't find a way to login to Horizon with a user who is assigned as an admin for domain, not for project. Is it possible with a Horizon at all? Does Horizon support admin functionality for deployment with a domains and with the appropriate keystone policy.json? Did I miss something important in the documentation?

Being a project admin doesn't help since obviously only cloud admin should be able to perform some operation like list domains. And according the keystone, cloud admin is a user who is assigned as an admin for specific domain. See below the rules for the cloud admin definition in keystone (important is that domain_id is passed to rule checker only if token is got with a domain scope, not a project one, or if query is specified in the URL, which is different case). "admin_required": "role:admin", "cloud_admin": "rule:admin_required and domain_id:admin_domain_id", "identity:get_domain": "rule:cloud_admin", "identity:list_domains": "rule:cloud_admin", "identity:create_domain": "rule:cloud_admin", "identity:update_domain": "rule:cloud_admin", "identity:delete_domain": "rule:cloud_admin",

As a result Horizon constantly gets 403 ("You are not authorized to perform the requested action, identity:list_domains.") answer when try to list domains, list projects and other.

Generally it seems that some features, essential for domain level administration, are missed. Like: 1. Be able to work with a token with a domain scope, not a project scope 2. As a domain admin I should be able to manage only projects, users and other resources owned by the domain only (so queries in some URLs are required, like curl -X GET -H "X-Auth-Token:$MYTOKEN" )

Thanks in advance.

edit retag flag offensive close merge delete

2 answers

Sort by ยป oldest newest most voted

answered 2015-10-22 07:37:23 -0500

mathias gravatar image

What's the status here more than a year later? :)

edit flag offensive delete link more

answered 2014-02-09 23:53:35 -0500

david-lyle gravatar image

Not currently. Right now the Identity information is in the Admin dashboard. This is guarded by a role check of 'admin'.

The first step to allowing this to work, is update the openstack_dashboard/conf/ file contents to match that of you keystone server. The second is to make the Identity panels navigable by someone other than admin. Third is add policy checks to the data loading in those panels.

Along those very lines, the is a Blueprint, to do #2 and #3 with code up for review, you may want to check out. (

Hope that helps.

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2014-01-28 22:11:20 -0500

Seen: 670 times

Last updated: Oct 22 '15