Does Horizon support domain admin?

Hello Horizon community group,

I'm trying to use Horizon with a deployment with domain support (using the v3 Keystone API and policy.v3cloudsample.json as a reference for Keystone's policy.json). I figured out that I can't find a way to log in to Horizon with a user who is assigned as an admin for a domain, not for a project. Is it possible with Horizon at all? Does Horizon support admin functionality for a deployment with domains and with the appropriate Keystone policy.json? Did I miss something important in the documentation?

Being a project admin doesn't help, since obviously only a cloud admin should be able to perform some operations, like listing domains. And according to Keystone, a cloud admin is a user who is assigned as an admin for a specific domain. See below the rules for the cloud admin definition in Keystone (what is important is that domain_id is passed to the rule checker only if the token was obtained with a domain scope, not a project one, or if a query is specified in the URL, which is a different case).

    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "identity:get_domain": "rule:cloud_admin",
    "identity:list_domains": "rule:cloud_admin",
    "identity:create_domain": "rule:cloud_admin",
    "identity:update_domain": "rule:cloud_admin",
    "identity:delete_domain": "rule:cloud_admin",

As a result, Horizon constantly gets a 403 ("You are not authorized to perform the requested action, identity:list_domains.") answer when it tries to list domains, list projects and so on.

Generally, it seems that some features essential for domain-level administration are missing. Like:

1. Be able to work with a token with a domain scope, not a project scope
2. As a domain admin I should be able to manage only projects, users and other resources owned by the domain only (so queries in some URLs are required, like curl -X GET -H "X-Auth-Token:$MYTOKEN" )

Thanks in advance.
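
The rule chain quoted in the question can be traced with a small evaluator. This is an added example, not part of the original post and not Keystone's or oslo.policy's code; it handles only the check forms that appear in the quoted rules, and the credential dictionaries are constructed, assuming a project-scoped token carries no `domain_id`, as the question describes.

```python
# Simplified evaluator for the rule subset quoted in the question.
# Supports only "and", "rule:", "role:" and "key:literal" checks.
RULES = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "identity:list_domains": "rule:cloud_admin",
}

def check(expr, creds, rules=RULES, _seen=()):
    """Return True only if every 'and'-joined term of expr holds for creds."""
    for term in expr.split(" and "):
        kind, _, match = term.strip().partition(":")
        if kind == "rule":
            # Undefined or cyclic rule references are denied.
            if match in _seen or match not in rules:
                return False
            if not check(rules[match], creds, rules, _seen + (match,)):
                return False
        elif kind == "role":
            if match.lower() not in [r.lower() for r in creds.get("roles", [])]:
                return False
        else:
            # Generic check: the credential attribute must equal the literal.
            # With no domain_id in the credentials, this term cannot match.
            if creds.get(kind) != match:
                return False
    return True

def enforce(action, creds, rules=RULES):
    """Return the HTTP status a policy decision would map to (200 or 403)."""
    if action not in rules:
        return 403
    return 200 if check(rules[action], creds, rules) else 403

# Constructed credentials. "admin_domain_id" is the sample file's placeholder
# for the real admin domain ID, reused here as the literal value.
PROJECT_SCOPED = {"user_id": "u1", "roles": ["admin"], "project_id": "p1"}
DOMAIN_SCOPED = {"user_id": "u1", "roles": ["admin"], "domain_id": "admin_domain_id"}
OTHER_DOMAIN = {"user_id": "u2", "roles": ["admin"], "domain_id": "d2"}

if __name__ == "__main__":
    for name, creds in [("project-scoped admin", PROJECT_SCOPED),
                        ("admin-domain-scoped admin", DOMAIN_SCOPED),
                        ("other-domain admin", OTHER_DOMAIN)]:
        print(name, "->", enforce("identity:list_domains", creds))
```

The project-scoped admin is denied even though `admin_required` passes, because the `domain_id` term of `cloud_admin` has nothing to compare against.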