Does Horizon support domain admin?

Asked by Sergii Kashaba

Hello Horizon community group,

I'm trying to use Horizon with a deployment with domain support (using the v3 keystone API and policy.v3cloudsample.json as a reference for keystone's policy.json). I found out that I can't find a way to log in to Horizon with a user who is assigned as an admin for a domain, not for a project. Is it possible with Horizon at all? Does Horizon support admin functionality for a deployment with domains and with the appropriate keystone policy.json? Did I miss something important in the documentation?

Being a project admin doesn't help, since obviously only the cloud admin should be able to perform some operations like listing domains. And according to keystone, the cloud admin is a user who is assigned as an admin for a specific domain. See below the rules for the cloud admin definition in keystone (the important point is that domain_id is passed to the rule checker only if the token is obtained with a domain scope, not a project one, or if the query is specified in the URL, which is a different case).
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "identity:get_domain": "rule:cloud_admin",
    "identity:list_domains": "rule:cloud_admin",
    "identity:create_domain": "rule:cloud_admin",
    "identity:update_domain": "rule:cloud_admin",
    "identity:delete_domain": "rule:cloud_admin",

As a result Horizon constantly gets a 403 ("You are not authorized to perform the requested action, identity:list_domains.") answer when trying to list domains, list projects and so on.

Generally it seems that some features essential for domain-level administration are missing, like:
1. Be able to work with a token with a domain scope, not a project scope
2. As a domain admin I should be able to manage only projects, users and other resources owned by the domain only (so queries in some URLs are required, like curl -X GET -H "X-Auth-Token:$MYTOKEN" http://127.0.0.1:5000/v3/projects?domain_id=8efa82050cf64c6580cb7d4bee7e3f4f )

Thanks in advance.
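Why the project-scoped login described in the question ends in a 403 can be seen by evaluating the quoted rules by hand. The following is an added example, not code from the question or from Horizon or keystone; the credential dicts and the ids in them are constructed, and the evaluator handles only the rule forms the quoted policy uses.

```python
# Added example (not code from the question, Horizon or keystone): a minimal
# evaluator for the policy.v3cloudsample.json rules quoted in the question,
# covering only the role:, rule:, attribute:value and "and" forms they use.

# Rules copied from the question; "admin_domain_id" is the literal placeholder
# the sample policy expects you to replace with your real admin domain's id.
POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "identity:list_domains": "rule:cloud_admin",
}


def check(rule_name, creds):
    """Evaluate POLICY[rule_name] against a token-derived credential dict.

    creds holds the roles from the token and a domain_id only when the token
    is domain-scoped, mirroring what keystone hands to the rule checker.
    """
    for term in POLICY[rule_name].split(" and "):
        kind, _, value = term.partition(":")
        if kind == "role":
            ok = value in creds.get("roles", [])
        elif kind == "rule":
            ok = check(value, creds)
        else:
            # attribute:value compares a credential field with a literal; a
            # project-scoped token has no domain_id, so the check fails.
            ok = creds.get(kind) == value
        if not ok:
            return False
    return True


def list_domains_allowed(creds):
    return check("identity:list_domains", creds)


# Constructed credential dicts for the token scopes discussed in the question.
PROJECT_SCOPED_ADMIN = {"roles": ["admin"], "project_id": "proj-1"}
DOMAIN_SCOPED_ADMIN = {"roles": ["admin"], "domain_id": "admin_domain_id"}
DOMAIN_SCOPED_OTHER = {"roles": ["admin"], "domain_id": "some-other-domain"}

if __name__ == "__main__":
    for name, creds in [("project-scoped admin", PROJECT_SCOPED_ADMIN),
                        ("domain-scoped admin", DOMAIN_SCOPED_ADMIN),
                        ("domain-scoped, other domain", DOMAIN_SCOPED_OTHER)]:
        verdict = "allowed" if list_domains_allowed(creds) else "403"
        print(f"identity:list_domains for {name}: {verdict}")
```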

Question information

Language: English
Status: Answered
For: OpenStack Dashboard (Horizon)
Assignee: No assignee
David Lyle (david-lyle) said: #1

Not currently. Right now the Identity information is in the Admin dashboard. This is guarded by a role check of 'admin'.

The first step to allowing this to work is to update the openstack_dashboard/conf/keystone_policy.py file contents to match those of your keystone server. The second is to make the Identity panels navigable by someone other than admin. The third is to add policy checks to the data loading in those panels.

Along those very lines, there is a Blueprint to do #2 and #3, with code up for review, that you may want to check out:
https://blueprints.launchpad.net/horizon/+spec/separate-identity-dash

Hope that helps.
