<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
		<id>https://wiki.openstack.org/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Woodm</id>
		<title>OpenStack - User contributions [en]</title>
		<link rel="self" type="application/atom+xml" href="https://wiki.openstack.org/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Woodm"/>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/wiki/Special:Contributions/Woodm"/>
		<updated>2026-07-10T06:46:00Z</updated>
		<subtitle>User contributions</subtitle>
		<generator>MediaWiki 1.28.2</generator>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Horizon/DomainWorkFlow&amp;diff=74471</id>
		<title>Horizon/DomainWorkFlow</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Horizon/DomainWorkFlow&amp;diff=74471"/>
				<updated>2015-02-25T20:55:53Z</updated>
		
		<summary type="html">&lt;p&gt;Woodm: /* keystone v3 */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Intro ==&lt;br /&gt;
 This wiki describes how to enable Domain Scoped Token support in Horizon and how to navigate the existing work flows.&lt;br /&gt;
&lt;br /&gt;
=== Prerequisites ===&lt;br /&gt;
==== devstack ====&lt;br /&gt;
You'll need to have keystone running in a VM or somewhere you can reach it from Horizon.&lt;br /&gt;
&lt;br /&gt;
==== Cloud Admin account in keystone ====&lt;br /&gt;
If a user has an 'admin' role and access to the Cloud Admin domain then they are considered to be a Cloud Admin.  &lt;br /&gt;
One way to enable this account to grant your admin user access to the 'default' domain.&lt;br /&gt;
* Dig the admin token out of keystone.conf&lt;br /&gt;
  grep -i 'admin_token' /etc/keystone/keystone.conf&lt;br /&gt;
* Grant the admin access to the cloud admin domain&lt;br /&gt;
  curl -s -H &amp;quot;X-Auth-Token: &amp;lt;TOKEN&amp;gt;&amp;quot; -X PUT http://127.0.0.1:5000/v3/domains/default/users/&amp;lt;ADMIN_ID&amp;gt;/roles/&amp;lt;ADMIN_ROLE_ID&amp;gt;&lt;br /&gt;
Note:  If you are having trouble finding the ADMIN_ROLE_ID, you can find it with this command:&lt;br /&gt;
  mysql -D keystone -e 'select id from role where name = &amp;quot;admin&amp;quot;;'&lt;br /&gt;
&lt;br /&gt;
==== keystone policy.json file====&lt;br /&gt;
You can start testing with the default /etc/keystone/policy.json file but at some point you will want to switch in the following file:&lt;br /&gt;
https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json&lt;br /&gt;
&lt;br /&gt;
Change the following line in the policy.v3cloudsample.json and swap it with the /etc/keystone/policy.json&lt;br /&gt;
Remember:  He who laughs last had a backup!&lt;br /&gt;
&lt;br /&gt;
old:&lt;br /&gt;
 ... &lt;br /&gt;
 &amp;quot;cloud_admin&amp;quot;: &amp;quot;rule:admin_required and domain_id:admin_domain_id&amp;quot;,&lt;br /&gt;
 ...&lt;br /&gt;
new:&lt;br /&gt;
 ...&lt;br /&gt;
 # use 'default' or whatever your cloud admin domain id is &lt;br /&gt;
 &amp;quot;cloud_admin&amp;quot;: &amp;quot;rule:admin_required and domain_id:default&amp;quot;,&lt;br /&gt;
 ...&lt;br /&gt;
&lt;br /&gt;
==== memcached ====&lt;br /&gt;
*Memcached should be installed and running (perhaps on the same host as horizon to keep things simple)&lt;br /&gt;
*The memcached client library needs to be installed in horizon's venv (python-memcached==1.53)&lt;br /&gt;
*Horizon needs to be configured to use memcached&lt;br /&gt;
&lt;br /&gt;
local_settings.py&lt;br /&gt;
 ...&lt;br /&gt;
 # We recommend you use memcached for development; otherwise after every reload&lt;br /&gt;
 # of the django development server, you will have to login again. To use&lt;br /&gt;
 # memcached set CACHES to something like&lt;br /&gt;
 CACHES = {&lt;br /&gt;
    'default': {&lt;br /&gt;
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',&lt;br /&gt;
        'LOCATION': '127.0.0.1:11211',&lt;br /&gt;
    }&lt;br /&gt;
 }&lt;br /&gt;
 SESSION_ENGINE = 'django.contrib.sessions.backends.cache'&lt;br /&gt;
 ...&lt;br /&gt;
&lt;br /&gt;
==== keystone v3  ====&lt;br /&gt;
Horizon needs to be configured to use keystone v3 and multi domain support&lt;br /&gt;
&lt;br /&gt;
Copy the keystone devstack's policy file: /etc/keyston/policy.json into your horizon directory:&lt;br /&gt;
horizon/openstack_dashboard/conf/keystone_policy.v3cloudsample.json&lt;br /&gt;
&lt;br /&gt;
Determine the default role name:&lt;br /&gt;
  mysql -D keystone -e 'select name from role where name like &amp;quot;%ember&amp;quot;;'&lt;br /&gt;
In my case it has changed from &amp;quot;_member_&amp;quot; to &amp;quot;Member&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
local_settings.py&lt;br /&gt;
 ...&lt;br /&gt;
 OPENSTACK_KEYSTONE_DEFAULT_ROLE = &amp;quot;Member&amp;quot;&lt;br /&gt;
 ...&lt;br /&gt;
 OPENSTACK_API_VERSIONS = { &amp;quot;identity&amp;quot;: 3, }&lt;br /&gt;
 OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True &lt;br /&gt;
 OPENSTACK_KEYSTONE_URL = &amp;quot;http://%s:5000/v3&amp;quot; % OPENSTACK_HOST&lt;br /&gt;
 ...&lt;br /&gt;
 POLICY_FILES = {&lt;br /&gt;
 #'identity': 'keystone_policy.json',&lt;br /&gt;
 'identity': 'keystone_policy.v3cloudsample.json',&lt;br /&gt;
 ...&lt;br /&gt;
&lt;br /&gt;
==== django-openstack-auth ====&lt;br /&gt;
You'll need to pull down this patch to be able to retrieve a domain scoped token from the http session.&lt;br /&gt;
https://review.openstack.org/#/c/141153/&lt;br /&gt;
&lt;br /&gt;
==== horizon ====&lt;br /&gt;
You'll need to pull down this patch in your horizon repo for horizon to understand multi-domain setups.&lt;br /&gt;
https://review.openstack.org/#/c/148082/&lt;br /&gt;
&lt;br /&gt;
=== Users ===&lt;br /&gt;
This page only considers three users&lt;br /&gt;
 TODO(esp): Add use cases for Cloud Admin and Domain Admin&lt;br /&gt;
* Cloud Admin&lt;br /&gt;
* Domain Admin&lt;br /&gt;
* User (_member_ role)&lt;br /&gt;
&lt;br /&gt;
==== Set up the cloud admin user ====&lt;br /&gt;
* Convert the admin user to be a Cloud Admin&lt;br /&gt;
  curl -s -H &amp;quot;X-Auth-Token: &amp;lt;TOKEN&amp;gt;&amp;quot; -X PUT http://127.0.0.1:5000/v3/domains/&amp;lt;DEFAULT DOMAIN&amp;gt;/users/&amp;lt;ADMIN USER ID&amp;gt;/roles/&amp;lt;ADMIN ROLE ID&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Workflow 1. Cloud Admin sets a Domain Context ===&lt;br /&gt;
[[File:Switch-domain-workflow-1.png]]&lt;br /&gt;
&lt;br /&gt;
==== Cloud Admin Logs in ====&lt;br /&gt;
[[File:1. Log In.png]]&lt;br /&gt;
==== Cloud Admin navigates to the Identity Dashboard and Domain panel ====&lt;br /&gt;
[[File:2. Identity-Domains.png]]&lt;br /&gt;
==== Cloud Admin switches Domain context ====&lt;br /&gt;
[[File:3. Set Domain Context.png]]&lt;/div&gt;</summary>
		<author><name>Woodm</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Horizon/DomainWorkFlow&amp;diff=74465</id>
		<title>Horizon/DomainWorkFlow</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Horizon/DomainWorkFlow&amp;diff=74465"/>
				<updated>2015-02-25T20:39:59Z</updated>
		
		<summary type="html">&lt;p&gt;Woodm: /* Prerequisites */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Intro ==&lt;br /&gt;
 This wiki describes how to enable Domain Scoped Token support in Horizon and how to navigate the existing work flows.&lt;br /&gt;
&lt;br /&gt;
=== Prerequisites ===&lt;br /&gt;
==== devstack ====&lt;br /&gt;
You'll need to have keystone running in a VM or somewhere you can reach it from Horizon.&lt;br /&gt;
&lt;br /&gt;
==== Cloud Admin account in keystone ====&lt;br /&gt;
If a user has an 'admin' role and access to the Cloud Admin domain then they are considered to be a Cloud Admin.  &lt;br /&gt;
One way to enable this account to grant your admin user access to the 'default' domain.&lt;br /&gt;
* Dig the admin token out of keystone.conf&lt;br /&gt;
  grep -i 'admin_token' /etc/keystone/keystone.conf&lt;br /&gt;
* Grant the admin access to the cloud admin domain&lt;br /&gt;
  curl -s -H &amp;quot;X-Auth-Token: &amp;lt;TOKEN&amp;gt;&amp;quot; -X PUT http://127.0.0.1:5000/v3/domains/default/users/&amp;lt;ADMIN_ID&amp;gt;/roles/&amp;lt;ADMIN_ROLE_ID&amp;gt;&lt;br /&gt;
Note:  If you are having trouble finding the ADMIN_ROLE_ID, you can find it with this command:&lt;br /&gt;
  mysql -D keystone -e 'select id from role where name = &amp;quot;admin&amp;quot;;'&lt;br /&gt;
&lt;br /&gt;
==== keystone policy.json file====&lt;br /&gt;
You can start testing with the default /etc/keystone/policy.json file but at some point you will want to switch in the following file:&lt;br /&gt;
https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json&lt;br /&gt;
&lt;br /&gt;
Change the following line in the policy.v3cloudsample.json and swap it with the /etc/keystone/policy.json&lt;br /&gt;
Remember:  He who laughs last had a backup!&lt;br /&gt;
&lt;br /&gt;
old:&lt;br /&gt;
 ... &lt;br /&gt;
 &amp;quot;cloud_admin&amp;quot;: &amp;quot;rule:admin_required and domain_id:admin_domain_id&amp;quot;,&lt;br /&gt;
 ...&lt;br /&gt;
new:&lt;br /&gt;
 ...&lt;br /&gt;
 # use 'default' or whatever your cloud admin domain id is &lt;br /&gt;
 &amp;quot;cloud_admin&amp;quot;: &amp;quot;rule:admin_required and domain_id:default&amp;quot;,&lt;br /&gt;
 ...&lt;br /&gt;
&lt;br /&gt;
==== memcached ====&lt;br /&gt;
*Memcached should be installed and running (perhaps on the same host as horizon to keep things simple)&lt;br /&gt;
*The memcached client library needs to be installed in horizon's venv (python-memcached==1.53)&lt;br /&gt;
*Horizon needs to be configured to use memcached&lt;br /&gt;
&lt;br /&gt;
local_settings.py&lt;br /&gt;
 ...&lt;br /&gt;
 # We recommend you use memcached for development; otherwise after every reload&lt;br /&gt;
 # of the django development server, you will have to login again. To use&lt;br /&gt;
 # memcached set CACHES to something like&lt;br /&gt;
 CACHES = {&lt;br /&gt;
    'default': {&lt;br /&gt;
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',&lt;br /&gt;
        'LOCATION': '127.0.0.1:11211',&lt;br /&gt;
    }&lt;br /&gt;
 }&lt;br /&gt;
 SESSION_ENGINE = 'django.contrib.sessions.backends.cache'&lt;br /&gt;
 ...&lt;br /&gt;
&lt;br /&gt;
==== keystone v3  ====&lt;br /&gt;
Horizon needs to be configured to use keystone v3 and multi domain support&lt;br /&gt;
&lt;br /&gt;
local_settings.py&lt;br /&gt;
 ...&lt;br /&gt;
 OPENSTACK_API_VERSIONS = { &amp;quot;identity&amp;quot;: 3, }&lt;br /&gt;
 OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True &lt;br /&gt;
 OPENSTACK_KEYSTONE_URL = &amp;quot;http://%s:5000/v3&amp;quot; % OPENSTACK_HOST&lt;br /&gt;
 ...&lt;br /&gt;
&lt;br /&gt;
==== django-openstack-auth ====&lt;br /&gt;
You'll need to pull down this patch to be able to retrieve a domain scoped token from the http session.&lt;br /&gt;
https://review.openstack.org/#/c/141153/&lt;br /&gt;
&lt;br /&gt;
==== horizon ====&lt;br /&gt;
You'll need to pull down this patch in your horizon repo for horizon to understand multi-domain setups.&lt;br /&gt;
https://review.openstack.org/#/c/148082/&lt;br /&gt;
&lt;br /&gt;
=== Users ===&lt;br /&gt;
This page only considers three users&lt;br /&gt;
 TODO(esp): Add use cases for Cloud Admin and Domain Admin&lt;br /&gt;
* Cloud Admin&lt;br /&gt;
* Domain Admin&lt;br /&gt;
* User (_member_ role)&lt;br /&gt;
&lt;br /&gt;
==== Set up the cloud admin user ====&lt;br /&gt;
* Convert the admin user to be a Cloud Admin&lt;br /&gt;
  curl -s -H &amp;quot;X-Auth-Token: &amp;lt;TOKEN&amp;gt;&amp;quot; -X PUT http://127.0.0.1:5000/v3/domains/&amp;lt;DEFAULT DOMAIN&amp;gt;/users/&amp;lt;ADMIN USER ID&amp;gt;/roles/&amp;lt;ADMIN ROLE ID&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Workflow 1. Cloud Admin sets a Domain Context ===&lt;br /&gt;
[[File:Switch-domain-workflow-1.png]]&lt;br /&gt;
&lt;br /&gt;
==== Cloud Admin Logs in ====&lt;br /&gt;
[[File:1. Log In.png]]&lt;br /&gt;
==== Cloud Admin navigates to the Identity Dashboard and Domain panel ====&lt;br /&gt;
[[File:2. Identity-Domains.png]]&lt;br /&gt;
==== Cloud Admin switches Domain context ====&lt;br /&gt;
[[File:3. Set Domain Context.png]]&lt;/div&gt;</summary>
		<author><name>Woodm</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Horizon/DomainWorkFlow&amp;diff=74463</id>
		<title>Horizon/DomainWorkFlow</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Horizon/DomainWorkFlow&amp;diff=74463"/>
				<updated>2015-02-25T20:35:34Z</updated>
		
		<summary type="html">&lt;p&gt;Woodm: /* Set up the cloud admin user */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Intro ==&lt;br /&gt;
 This wiki describes how to enable Domain Scoped Token support in Horizon and how to navigate the existing work flows.&lt;br /&gt;
&lt;br /&gt;
=== Prerequisites ===&lt;br /&gt;
==== devstack ====&lt;br /&gt;
You'll need to have keystone running in a VM or somewhere you can reach it from Horizon.&lt;br /&gt;
&lt;br /&gt;
==== Cloud Admin account in keystone ====&lt;br /&gt;
If a user has an 'admin' role and access to the Cloud Admin domain then they are considered to be a Cloud Admin.  &lt;br /&gt;
One way to enable this account to grant your admin user access to the 'default' domain.&lt;br /&gt;
* Dig the admin token out of keystone.conf&lt;br /&gt;
  grep -i 'admin_token' /etc/keystone/keystone.conf&lt;br /&gt;
* Grant the admin access to the cloud admin domain&lt;br /&gt;
  curl -s -H &amp;quot;X-Auth-Token: &amp;lt;TOKEN&amp;gt;&amp;quot; -X PUT http://127.0.0.1:5000/v3/domains/default/users/&amp;lt;ADMIN_ID&amp;gt;/roles/&amp;lt;ADMIN_ROLE_ID&amp;gt;&lt;br /&gt;
Note:  If you are having trouble finding the ADMIN_ROLE_ID, you can find it with this command:&lt;br /&gt;
  mysql -D keystone -e 'select id from role where name = &amp;quot;admin&amp;quot;;'&lt;br /&gt;
&lt;br /&gt;
==== keystone policy.json file====&lt;br /&gt;
You can start testing with the default /etc/keystone/policy.json file but at some point you will want to switch in the following file:&lt;br /&gt;
https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json&lt;br /&gt;
&lt;br /&gt;
Change the following line in the policy.v3cloudsample.json and swap it with the /etc/keystone/policy.json&lt;br /&gt;
Remember:  He who laughs last had a backup!&lt;br /&gt;
&lt;br /&gt;
old:&lt;br /&gt;
 ... &lt;br /&gt;
 &amp;quot;cloud_admin&amp;quot;: &amp;quot;rule:admin_required and domain_id:admin_domain_id&amp;quot;,&lt;br /&gt;
 ...&lt;br /&gt;
new:&lt;br /&gt;
 ...&lt;br /&gt;
 # use 'default' or whatever your cloud admin domain id is &lt;br /&gt;
 &amp;quot;cloud_admin&amp;quot;: &amp;quot;rule:admin_required and domain_id:default&amp;quot;,&lt;br /&gt;
 ...&lt;br /&gt;
&lt;br /&gt;
==== memcached ====&lt;br /&gt;
*Memcached should be installed and running (perhaps on the same host as horizon to keep things simple)&lt;br /&gt;
*The memcached client library needs to be installed in horizon's venv (python-memcached==1.53)&lt;br /&gt;
*Horizon needs to be configured to use memcached&lt;br /&gt;
&lt;br /&gt;
local_settings.py&lt;br /&gt;
 ...&lt;br /&gt;
 # We recommend you use memcached for development; otherwise after every reload&lt;br /&gt;
 # of the django development server, you will have to login again. To use&lt;br /&gt;
 # memcached set CACHES to something like&lt;br /&gt;
 CACHES = {&lt;br /&gt;
    'default': {&lt;br /&gt;
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',&lt;br /&gt;
        'LOCATION': '127.0.0.1:11211',&lt;br /&gt;
    }&lt;br /&gt;
 }&lt;br /&gt;
 SESSION_ENGINE = 'django.contrib.sessions.backends.cache'&lt;br /&gt;
 ...&lt;br /&gt;
&lt;br /&gt;
==== keystone v3  ====&lt;br /&gt;
Horizon needs to be configured to use keystone v3 and multi domain support&lt;br /&gt;
&lt;br /&gt;
local_settings.py&lt;br /&gt;
 ...&lt;br /&gt;
 OPENSTACK_API_VERSIONS = { &amp;quot;identity&amp;quot;: 3, }&lt;br /&gt;
 OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True &lt;br /&gt;
 OPENSTACK_KEYSTONE_URL = &amp;quot;http://%s:5000/v3&amp;quot; % OPENSTACK_HOST&lt;br /&gt;
 ...&lt;br /&gt;
&lt;br /&gt;
==== django-openstack-auth ====&lt;br /&gt;
You'll need to pull down this patch to be able to retrieve a domain scoped token from the http session.&lt;br /&gt;
https://review.openstack.org/#/c/141153/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Users ===&lt;br /&gt;
This page only considers three users&lt;br /&gt;
 TODO(esp): Add use cases for Cloud Admin and Domain Admin&lt;br /&gt;
* Cloud Admin&lt;br /&gt;
* Domain Admin&lt;br /&gt;
* User (_member_ role)&lt;br /&gt;
&lt;br /&gt;
==== Set up the cloud admin user ====&lt;br /&gt;
* Convert the admin user to be a Cloud Admin&lt;br /&gt;
  curl -s -H &amp;quot;X-Auth-Token: &amp;lt;TOKEN&amp;gt;&amp;quot; -X PUT http://127.0.0.1:5000/v3/domains/&amp;lt;DEFAULT DOMAIN&amp;gt;/users/&amp;lt;ADMIN USER ID&amp;gt;/roles/&amp;lt;ADMIN ROLE ID&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Workflow 1. Cloud Admin sets a Domain Context ===&lt;br /&gt;
[[File:Switch-domain-workflow-1.png]]&lt;br /&gt;
&lt;br /&gt;
==== Cloud Admin Logs in ====&lt;br /&gt;
[[File:1. Log In.png]]&lt;br /&gt;
==== Cloud Admin navigates to the Identity Dashboard and Domain panel ====&lt;br /&gt;
[[File:2. Identity-Domains.png]]&lt;br /&gt;
==== Cloud Admin switches Domain context ====&lt;br /&gt;
[[File:3. Set Domain Context.png]]&lt;/div&gt;</summary>
		<author><name>Woodm</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Horizon/DomainWorkFlow&amp;diff=74462</id>
		<title>Horizon/DomainWorkFlow</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Horizon/DomainWorkFlow&amp;diff=74462"/>
				<updated>2015-02-25T20:34:57Z</updated>
		
		<summary type="html">&lt;p&gt;Woodm: /* Users */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Intro ==&lt;br /&gt;
 This wiki describes how to enable Domain Scoped Token support in Horizon and how to navigate the existing work flows.&lt;br /&gt;
&lt;br /&gt;
=== Prerequisites ===&lt;br /&gt;
==== devstack ====&lt;br /&gt;
You'll need to have keystone running in a VM or somewhere you can reach it from Horizon.&lt;br /&gt;
&lt;br /&gt;
==== Cloud Admin account in keystone ====&lt;br /&gt;
If a user has an 'admin' role and access to the Cloud Admin domain then they are considered to be a Cloud Admin.  &lt;br /&gt;
One way to enable this account to grant your admin user access to the 'default' domain.&lt;br /&gt;
* Dig the admin token out of keystone.conf&lt;br /&gt;
  grep -i 'admin_token' /etc/keystone/keystone.conf&lt;br /&gt;
* Grant the admin access to the cloud admin domain&lt;br /&gt;
  curl -s -H &amp;quot;X-Auth-Token: &amp;lt;TOKEN&amp;gt;&amp;quot; -X PUT http://127.0.0.1:5000/v3/domains/default/users/&amp;lt;ADMIN_ID&amp;gt;/roles/&amp;lt;ADMIN_ROLE_ID&amp;gt;&lt;br /&gt;
Note:  If you are having trouble finding the ADMIN_ROLE_ID, you can find it with this command:&lt;br /&gt;
  mysql -D keystone -e 'select id from role where name = &amp;quot;admin&amp;quot;;'&lt;br /&gt;
&lt;br /&gt;
==== keystone policy.json file====&lt;br /&gt;
You can start testing with the default /etc/keystone/policy.json file but at some point you will want to switch in the following file:&lt;br /&gt;
https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json&lt;br /&gt;
&lt;br /&gt;
Change the following line in the policy.v3cloudsample.json and swap it with the /etc/keystone/policy.json&lt;br /&gt;
Remember:  He who laughs last had a backup!&lt;br /&gt;
&lt;br /&gt;
old:&lt;br /&gt;
 ... &lt;br /&gt;
 &amp;quot;cloud_admin&amp;quot;: &amp;quot;rule:admin_required and domain_id:admin_domain_id&amp;quot;,&lt;br /&gt;
 ...&lt;br /&gt;
new:&lt;br /&gt;
 ...&lt;br /&gt;
 # use 'default' or whatever your cloud admin domain id is &lt;br /&gt;
 &amp;quot;cloud_admin&amp;quot;: &amp;quot;rule:admin_required and domain_id:default&amp;quot;,&lt;br /&gt;
 ...&lt;br /&gt;
&lt;br /&gt;
==== memcached ====&lt;br /&gt;
*Memcached should be installed and running (perhaps on the same host as horizon to keep things simple)&lt;br /&gt;
*The memcached client library needs to be installed in horizon's venv (python-memcached==1.53)&lt;br /&gt;
*Horizon needs to be configured to use memcached&lt;br /&gt;
&lt;br /&gt;
local_settings.py&lt;br /&gt;
 ...&lt;br /&gt;
 # We recommend you use memcached for development; otherwise after every reload&lt;br /&gt;
 # of the django development server, you will have to login again. To use&lt;br /&gt;
 # memcached set CACHES to something like&lt;br /&gt;
 CACHES = {&lt;br /&gt;
    'default': {&lt;br /&gt;
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',&lt;br /&gt;
        'LOCATION': '127.0.0.1:11211',&lt;br /&gt;
    }&lt;br /&gt;
 }&lt;br /&gt;
 SESSION_ENGINE = 'django.contrib.sessions.backends.cache'&lt;br /&gt;
 ...&lt;br /&gt;
&lt;br /&gt;
==== keystone v3  ====&lt;br /&gt;
Horizon needs to be configured to use keystone v3 and multi domain support&lt;br /&gt;
&lt;br /&gt;
local_settings.py&lt;br /&gt;
 ...&lt;br /&gt;
 OPENSTACK_API_VERSIONS = { &amp;quot;identity&amp;quot;: 3, }&lt;br /&gt;
 OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True &lt;br /&gt;
 OPENSTACK_KEYSTONE_URL = &amp;quot;http://%s:5000/v3&amp;quot; % OPENSTACK_HOST&lt;br /&gt;
 ...&lt;br /&gt;
&lt;br /&gt;
==== django-openstack-auth ====&lt;br /&gt;
You'll need to pull down this patch to be able to retrieve a domain scoped token from the http session.&lt;br /&gt;
https://review.openstack.org/#/c/141153/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Users ===&lt;br /&gt;
This page only considers three users&lt;br /&gt;
 TODO(esp): Add use cases for Cloud Admin and Domain Admin&lt;br /&gt;
* Cloud Admin&lt;br /&gt;
* Domain Admin&lt;br /&gt;
* User (_member_ role)&lt;br /&gt;
&lt;br /&gt;
==== Set up the cloud admin user ====&lt;br /&gt;
* Convert the admin user to be a Cloud Admin&lt;br /&gt;
  curl -s -H &amp;quot;X-Auth-Token: &amp;lt;TOKEN&amp;gt;&amp;quot; -X PUT http://192.168.56.102:5000/v3/domains/&amp;lt;DEFAULT DOMAIN&amp;gt;/users/&amp;lt;ADMIN USER ID&amp;gt;/roles/&amp;lt;ADMIN ROLE ID&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Workflow 1. Cloud Admin sets a Domain Context ===&lt;br /&gt;
[[File:Switch-domain-workflow-1.png]]&lt;br /&gt;
&lt;br /&gt;
==== Cloud Admin Logs in ====&lt;br /&gt;
[[File:1. Log In.png]]&lt;br /&gt;
==== Cloud Admin navigates to the Identity Dashboard and Domain panel ====&lt;br /&gt;
[[File:2. Identity-Domains.png]]&lt;br /&gt;
==== Cloud Admin switches Domain context ====&lt;br /&gt;
[[File:3. Set Domain Context.png]]&lt;/div&gt;</summary>
		<author><name>Woodm</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Horizon/DomainWorkFlow&amp;diff=74458</id>
		<title>Horizon/DomainWorkFlow</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Horizon/DomainWorkFlow&amp;diff=74458"/>
				<updated>2015-02-25T20:29:55Z</updated>
		
		<summary type="html">&lt;p&gt;Woodm: /* keystone policy.json file */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Intro ==&lt;br /&gt;
 This wiki describes how to enable Domain Scoped Token support in Horizon and how to navigate the existing work flows.&lt;br /&gt;
&lt;br /&gt;
=== Prerequisites ===&lt;br /&gt;
==== devstack ====&lt;br /&gt;
You'll need to have keystone running in a VM or somewhere you can reach it from Horizon.&lt;br /&gt;
&lt;br /&gt;
==== Cloud Admin account in keystone ====&lt;br /&gt;
If a user has an 'admin' role and access to the Cloud Admin domain then they are considered to be a Cloud Admin.  &lt;br /&gt;
One way to enable this account to grant your admin user access to the 'default' domain.&lt;br /&gt;
* Dig the admin token out of keystone.conf&lt;br /&gt;
  grep -i 'admin_token' /etc/keystone/keystone.conf&lt;br /&gt;
* Grant the admin access to the cloud admin domain&lt;br /&gt;
  curl -s -H &amp;quot;X-Auth-Token: &amp;lt;TOKEN&amp;gt;&amp;quot; -X PUT http://127.0.0.1:5000/v3/domains/default/users/&amp;lt;ADMIN_ID&amp;gt;/roles/&amp;lt;ADMIN_ROLE_ID&amp;gt;&lt;br /&gt;
Note:  If you are having trouble finding the ADMIN_ROLE_ID, you can find it with this command:&lt;br /&gt;
  mysql -D keystone -e 'select id from role where name = &amp;quot;admin&amp;quot;;'&lt;br /&gt;
&lt;br /&gt;
==== keystone policy.json file====&lt;br /&gt;
You can start testing with the default /etc/keystone/policy.json file but at some point you will want to switch in the following file:&lt;br /&gt;
https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json&lt;br /&gt;
&lt;br /&gt;
Change the following line in the policy.v3cloudsample.json and swap it with the /etc/keystone/policy.json&lt;br /&gt;
Remember:  He who laughs last had a backup!&lt;br /&gt;
&lt;br /&gt;
old:&lt;br /&gt;
 ... &lt;br /&gt;
 &amp;quot;cloud_admin&amp;quot;: &amp;quot;rule:admin_required and domain_id:admin_domain_id&amp;quot;,&lt;br /&gt;
 ...&lt;br /&gt;
new:&lt;br /&gt;
 ...&lt;br /&gt;
 # use 'default' or whatever your cloud admin domain id is &lt;br /&gt;
 &amp;quot;cloud_admin&amp;quot;: &amp;quot;rule:admin_required and domain_id:default&amp;quot;,&lt;br /&gt;
 ...&lt;br /&gt;
&lt;br /&gt;
==== memcached ====&lt;br /&gt;
*Memcached should be installed and running (perhaps on the same host as horizon to keep things simple)&lt;br /&gt;
*The memcached client library needs to be installed in horizon's venv (python-memcached==1.53)&lt;br /&gt;
*Horizon needs to be configured to use memcached&lt;br /&gt;
&lt;br /&gt;
local_settings.py&lt;br /&gt;
 ...&lt;br /&gt;
 # We recommend you use memcached for development; otherwise after every reload&lt;br /&gt;
 # of the django development server, you will have to login again. To use&lt;br /&gt;
 # memcached set CACHES to something like&lt;br /&gt;
 CACHES = {&lt;br /&gt;
    'default': {&lt;br /&gt;
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',&lt;br /&gt;
        'LOCATION': '127.0.0.1:11211',&lt;br /&gt;
    }&lt;br /&gt;
 }&lt;br /&gt;
 SESSION_ENGINE = 'django.contrib.sessions.backends.cache'&lt;br /&gt;
 ...&lt;br /&gt;
&lt;br /&gt;
==== keystone v3  ====&lt;br /&gt;
Horizon needs to be configured to use keystone v3 and multi domain support&lt;br /&gt;
&lt;br /&gt;
local_settings.py&lt;br /&gt;
 ...&lt;br /&gt;
 OPENSTACK_API_VERSIONS = { &amp;quot;identity&amp;quot;: 3, }&lt;br /&gt;
 OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True &lt;br /&gt;
 OPENSTACK_KEYSTONE_URL = &amp;quot;http://%s:5000/v3&amp;quot; % OPENSTACK_HOST&lt;br /&gt;
 ...&lt;br /&gt;
&lt;br /&gt;
==== django-openstack-auth ====&lt;br /&gt;
You'll need to pull down this patch to be able to retrieve a domain scoped token from the http session.&lt;br /&gt;
https://review.openstack.org/#/c/141153/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Users ===&lt;br /&gt;
This page only considers three users&lt;br /&gt;
 TODO(esp): Add use cases for Cloud Admin and Domain Admin&lt;br /&gt;
* Cloud Admin&lt;br /&gt;
* Domain Admin&lt;br /&gt;
* User (_member_ role)&lt;br /&gt;
&lt;br /&gt;
=== Workflow 1. Cloud Admin sets a Domain Context ===&lt;br /&gt;
[[File:Switch-domain-workflow-1.png]]&lt;br /&gt;
&lt;br /&gt;
==== Cloud Admin Logs in ====&lt;br /&gt;
[[File:1. Log In.png]]&lt;br /&gt;
==== Cloud Admin navigates to the Identity Dashboard and Domain panel ====&lt;br /&gt;
[[File:2. Identity-Domains.png]]&lt;br /&gt;
==== Cloud Admin switches Domain context ====&lt;br /&gt;
[[File:3. Set Domain Context.png]]&lt;/div&gt;</summary>
		<author><name>Woodm</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Horizon/DomainWorkFlow&amp;diff=74457</id>
		<title>Horizon/DomainWorkFlow</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Horizon/DomainWorkFlow&amp;diff=74457"/>
				<updated>2015-02-25T20:27:51Z</updated>
		
		<summary type="html">&lt;p&gt;Woodm: /* Cloud Admin account in keystone */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Intro ==&lt;br /&gt;
 This wiki describes how to enable Domain Scoped Token support in Horizon and how to navigate the existing work flows.&lt;br /&gt;
&lt;br /&gt;
=== Prerequisites ===&lt;br /&gt;
==== devstack ====&lt;br /&gt;
You'll need to have keystone running in a VM or somewhere you can reach it from Horizon.&lt;br /&gt;
&lt;br /&gt;
==== Cloud Admin account in keystone ====&lt;br /&gt;
If a user has an 'admin' role and access to the Cloud Admin domain then they are considered to be a Cloud Admin.  &lt;br /&gt;
One way to enable this account to grant your admin user access to the 'default' domain.&lt;br /&gt;
* Dig the admin token out of keystone.conf&lt;br /&gt;
  grep -i 'admin_token' /etc/keystone/keystone.conf&lt;br /&gt;
* Grant the admin access to the cloud admin domain&lt;br /&gt;
  curl -s -H &amp;quot;X-Auth-Token: &amp;lt;TOKEN&amp;gt;&amp;quot; -X PUT http://127.0.0.1:5000/v3/domains/default/users/&amp;lt;ADMIN_ID&amp;gt;/roles/&amp;lt;ADMIN_ROLE_ID&amp;gt;&lt;br /&gt;
Note:  If you are having trouble finding the ADMIN_ROLE_ID, you can find it with this command:&lt;br /&gt;
  mysql -D keystone -e 'select id from role where name = &amp;quot;admin&amp;quot;;'&lt;br /&gt;
&lt;br /&gt;
==== keystone policy.json file====&lt;br /&gt;
You can start testing with the default /etc/keystone/policy.json file but at some point you will want to switch in the following file:&lt;br /&gt;
https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json&lt;br /&gt;
&lt;br /&gt;
Change the following line in the policy.v3cloudsample.json and swap it with the /etc/keystone/policy.json&lt;br /&gt;
 ... &lt;br /&gt;
 &amp;quot;cloud_admin&amp;quot;: &amp;quot;rule:admin_required and domain_id:admin_domain_id&amp;quot;,&lt;br /&gt;
 ...&lt;br /&gt;
&lt;br /&gt;
 ...&lt;br /&gt;
 # use 'default' or whatever your cloud admin domain id is &lt;br /&gt;
 &amp;quot;cloud_admin&amp;quot;: &amp;quot;rule:admin_required and domain_id:default&amp;quot;,&lt;br /&gt;
 ...&lt;br /&gt;
&lt;br /&gt;
==== memcached ====&lt;br /&gt;
*Memcached should be installed and running (perhaps on the same host as horizon to keep things simple)&lt;br /&gt;
*The memcached client library needs to be installed in horizon's venv (python-memcached==1.53)&lt;br /&gt;
*Horizon needs to be configured to use memcached&lt;br /&gt;
&lt;br /&gt;
local_settings.py&lt;br /&gt;
 ...&lt;br /&gt;
 # We recommend you use memcached for development; otherwise after every reload&lt;br /&gt;
 # of the django development server, you will have to login again. To use&lt;br /&gt;
 # memcached set CACHES to something like&lt;br /&gt;
 CACHES = {&lt;br /&gt;
    'default': {&lt;br /&gt;
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',&lt;br /&gt;
        'LOCATION': '127.0.0.1:11211',&lt;br /&gt;
    }&lt;br /&gt;
 }&lt;br /&gt;
 SESSION_ENGINE = 'django.contrib.sessions.backends.cache'&lt;br /&gt;
 ...&lt;br /&gt;
&lt;br /&gt;
==== keystone v3  ====&lt;br /&gt;
Horizon needs to be configured to use keystone v3 and multi domain support&lt;br /&gt;
&lt;br /&gt;
local_settings.py&lt;br /&gt;
 ...&lt;br /&gt;
 OPENSTACK_API_VERSIONS = { &amp;quot;identity&amp;quot;: 3, }&lt;br /&gt;
 OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True &lt;br /&gt;
 OPENSTACK_KEYSTONE_URL = &amp;quot;http://%s:5000/v3&amp;quot; % OPENSTACK_HOST&lt;br /&gt;
 ...&lt;br /&gt;
&lt;br /&gt;
==== django-openstack-auth ====&lt;br /&gt;
You'll need to pull down this patch to be able to retrieve a domain scoped token from the http session.&lt;br /&gt;
https://review.openstack.org/#/c/141153/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Users ===&lt;br /&gt;
This page only considers three users&lt;br /&gt;
 TODO(esp): Add use cases for Cloud Admin and Domain Admin&lt;br /&gt;
* Cloud Admin&lt;br /&gt;
* Domain Admin&lt;br /&gt;
* User (_member_ role)&lt;br /&gt;
&lt;br /&gt;
=== Workflow 1. Cloud Admin sets a Domain Context ===&lt;br /&gt;
[[File:Switch-domain-workflow-1.png]]&lt;br /&gt;
&lt;br /&gt;
==== Cloud Admin Logs in ====&lt;br /&gt;
[[File:1. Log In.png]]&lt;br /&gt;
==== Cloud Admin navigates to the Identity Dashboard and Domain panel ====&lt;br /&gt;
[[File:2. Identity-Domains.png]]&lt;br /&gt;
==== Cloud Admin switches Domain context ====&lt;br /&gt;
[[File:3. Set Domain Context.png]]&lt;/div&gt;</summary>
		<author><name>Woodm</name></author>	</entry>

	<entry>
		<id>https://wiki.openstack.org/w/index.php?title=Horizon/DomainWorkFlow&amp;diff=74456</id>
		<title>Horizon/DomainWorkFlow</title>
		<link rel="alternate" type="text/html" href="https://wiki.openstack.org/w/index.php?title=Horizon/DomainWorkFlow&amp;diff=74456"/>
				<updated>2015-02-25T20:25:34Z</updated>
		
		<summary type="html">&lt;p&gt;Woodm: /* Cloud Admin account in keystone */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Intro ==&lt;br /&gt;
 This wiki describes how to enable Domain Scoped Token support in Horizon and how to navigate the existing work flows.&lt;br /&gt;
&lt;br /&gt;
=== Prerequisites ===&lt;br /&gt;
==== devstack ====&lt;br /&gt;
You'll need to have keystone running in a VM or somewhere you can reach it from Horizon.&lt;br /&gt;
&lt;br /&gt;
==== Cloud Admin account in keystone ====&lt;br /&gt;
If a user has an 'admin' role and access to the Cloud Admin domain then they are considered to be a Cloud Admin.  &lt;br /&gt;
One way to enable this account to grant your admin user access to the 'default' domain.&lt;br /&gt;
* Dig the admin token out of keystone.conf&lt;br /&gt;
  grep -i 'admin_token' /etc/keystone/keystone.conf&lt;br /&gt;
* Grant the admin access to the cloud admin domain&lt;br /&gt;
  curl -s -H &amp;quot;X-Auth-Token: &amp;lt;TOKEN&amp;gt;&amp;quot; -X PUT http://127.0.0.1:5000/v3/domains/default/users/&amp;lt;ADMIN_ID&amp;gt;/roles/&amp;lt;ADMIN_ROLE_ID&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==== keystone policy.json file====&lt;br /&gt;
You can start testing with the default /etc/keystone/policy.json file but at some point you will want to switch in the following file:&lt;br /&gt;
https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json&lt;br /&gt;
&lt;br /&gt;
Change the following line in the policy.v3cloudsample.json and swap it with the /etc/keystone/policy.json&lt;br /&gt;
 ... &lt;br /&gt;
 &amp;quot;cloud_admin&amp;quot;: &amp;quot;rule:admin_required and domain_id:admin_domain_id&amp;quot;,&lt;br /&gt;
 ...&lt;br /&gt;
&lt;br /&gt;
 ...&lt;br /&gt;
 # use 'default' or whatever your cloud admin domain id is &lt;br /&gt;
 &amp;quot;cloud_admin&amp;quot;: &amp;quot;rule:admin_required and domain_id:default&amp;quot;,&lt;br /&gt;
 ...&lt;br /&gt;
&lt;br /&gt;
==== memcached ====&lt;br /&gt;
*Memcached should be installed and running (perhaps on the same host as horizon to keep things simple)&lt;br /&gt;
*The memcached client library needs to be installed in horizon's venv (python-memcached==1.53)&lt;br /&gt;
*Horizon needs to be configured to use memcached&lt;br /&gt;
&lt;br /&gt;
local_settings.py&lt;br /&gt;
 ...&lt;br /&gt;
 # We recommend you use memcached for development; otherwise after every reload&lt;br /&gt;
 # of the django development server, you will have to login again. To use&lt;br /&gt;
 # memcached set CACHES to something like&lt;br /&gt;
 CACHES = {&lt;br /&gt;
    'default': {&lt;br /&gt;
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',&lt;br /&gt;
        'LOCATION': '127.0.0.1:11211',&lt;br /&gt;
    }&lt;br /&gt;
 }&lt;br /&gt;
 SESSION_ENGINE = 'django.contrib.sessions.backends.cache'&lt;br /&gt;
 ...&lt;br /&gt;
&lt;br /&gt;
==== keystone v3  ====&lt;br /&gt;
Horizon needs to be configured to use keystone v3 and multi domain support&lt;br /&gt;
&lt;br /&gt;
local_settings.py&lt;br /&gt;
 ...&lt;br /&gt;
 OPENSTACK_API_VERSIONS = { &amp;quot;identity&amp;quot;: 3, }&lt;br /&gt;
 OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True &lt;br /&gt;
 OPENSTACK_KEYSTONE_URL = &amp;quot;http://%s:5000/v3&amp;quot; % OPENSTACK_HOST&lt;br /&gt;
 ...&lt;br /&gt;
&lt;br /&gt;
==== django-openstack-auth ====&lt;br /&gt;
You'll need to pull down this patch to be able to retrieve a domain scoped token from the http session.&lt;br /&gt;
https://review.openstack.org/#/c/141153/&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Users ===&lt;br /&gt;
This page only considers three users&lt;br /&gt;
 TODO(esp): Add use cases for Cloud Admin and Domain Admin&lt;br /&gt;
* Cloud Admin&lt;br /&gt;
* Domain Admin&lt;br /&gt;
* User (_member_ role)&lt;br /&gt;
&lt;br /&gt;
=== Workflow 1. Cloud Admin sets a Domain Context ===&lt;br /&gt;
[[File:Switch-domain-workflow-1.png]]&lt;br /&gt;
&lt;br /&gt;
==== Cloud Admin Logs in ====&lt;br /&gt;
[[File:1. Log In.png]]&lt;br /&gt;
==== Cloud Admin navigates to the Identity Dashboard and Domain panel ====&lt;br /&gt;
[[File:2. Identity-Domains.png]]&lt;br /&gt;
==== Cloud Admin switches Domain context ====&lt;br /&gt;
[[File:3. Set Domain Context.png]]&lt;/div&gt;</summary>
		<author><name>Woodm</name></author>	</entry>

	</feed>