Horizon/DomainWorkFlow

Intro
This wiki describes how to enable Domain Scoped Token support in Horizon and how to navigate the existing work flows.

devstack
You'll need to have keystone running in a VM or somewhere you can reach it from Horizon.

Cloud Admin account in keystone
If a user has an 'admin' role and access to the Cloud Admin domain then they are considered to be a Cloud Admin. One way to enable this account to grant your admin user access to the 'default' domain. grep -i 'admin_token' /etc/keystone/keystone.conf curl -s -H "X-Auth-Token: " -X PUT http://127.0.0.1:5000/v3/domains/default/users//roles/ Note: If you are having trouble finding the ADMIN_ID, you can find it with this command: mysql -D keystone -e 'select id from user where name = "admin";' Note: If you are having trouble finding the ADMIN_ROLE_ID, you can find it with this command: mysql -D keystone -e 'select id from role where name = "admin";'
 * Dig the admin token out of keystone.conf
 * Grant the admin access to the cloud admin domain

keystone policy.json file
You can start testing with the default /etc/keystone/policy.json file but at some point you will want to switch in the following file: https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json

Change the following line in the policy.v3cloudsample.json and swap it with the /etc/keystone/policy.json Remember: He who laughs last had a backup!

old: ... "cloud_admin": "rule:admin_required and domain_id:admin_domain_id", ... new: ... "cloud_admin": "rule:admin_required and domain_id:default", ...
 * 1) use 'default' or whatever your cloud admin domain id is

memcached

 * Memcached should be installed and running (perhaps on the same host as horizon to keep things simple)
 * The memcached client library needs to be installed in horizon's venv (python-memcached==1.53)
 * Horizon needs to be configured to use memcached

local_settings.py ... CACHES = { 'default': { 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', 'LOCATION': '127.0.0.1:11211', } } SESSION_ENGINE = 'django.contrib.sessions.backends.cache' ...
 * 1) We recommend you use memcached for development; otherwise after every reload
 * 2) of the django development server, you will have to login again. To use
 * 3) memcached set CACHES to something like

keystone v3
Horizon needs to be configured to use keystone v3 and multi domain support

Copy the keystone devstack's policy file: /etc/keyston/policy.json into your horizon directory: horizon/openstack_dashboard/conf/keystone_policy.v3cloudsample.json

Determine the default role name: mysql -D keystone -e 'select name from role where name like "%ember";' In my case it has changed from "_member_" to "Member".

local_settings.py ... OPENSTACK_KEYSTONE_DEFAULT_ROLE = "Member" ... OPENSTACK_API_VERSIONS = { "identity": 3, } OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'default' OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST ... POLICY_FILES = { 'identity': 'keystone_policy.v3cloudsample.json', ...
 * 1) 'identity': 'keystone_policy.json',

django-openstack-auth
You'll need to pull down this patch to be able to retrieve a domain scoped token from the http session. https://review.openstack.org/#/c/141153/

horizon
You'll need to pull down this patch in your horizon repo for horizon to understand multi-domain setups. https://review.openstack.org/#/c/148082/

keystone
Allows a Domain Admin to list role assignments without a project token https://review.openstack.org/#/c/180846/

keystone client
Allows a Domain Admin to list role assignments without a project token https://review.openstack.org/#/c/188184/

Users
This page only considers three users TODO(esp): Add use cases for Cloud Admin and Domain Admin
 * Cloud Admin
 * Domain Admin
 * User (_member_ role)

Set up the cloud admin user
curl -s -H "X-Auth-Token: " -X PUT http://127.0.0.1:5000/v3/domains//users//roles/
 * Convert the admin user to be a Cloud Admin