Revision as of 18:23, 22 January 2015 by Dan Nguyen (talk | contribs) (Cloud Admin impersonates a Domain or switches Domain context)


This wiki describes how to enable Domain Scoped Token support in Horizon and how to navigate the existing workflows.



You'll need to have keystone running in a VM or somewhere you can reach it from Horizon.

Cloud Admin account in keystone

If a user has an 'admin' role and access to the Cloud Admin domain, then they are considered to be a Cloud Admin. One way to enable this account is to grant your admin user access to the 'default' domain.

  • Authenticate to keystone and retrieve admin token from the v2 API
  • Grant the admin access to the cloud admin domain
 curl -s -H "X-Auth-Token: <TOKEN>" -X PUT<ADMIN_ID>/roles/<ADMIN_ROLE_ID>

keystone policy.json file

You can start testing with the default /etc/keystone/policy.json file but at some point you will want to switch in the following file: https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json

Change the following line in policy.v3cloudsample.json, then swap the edited file in for /etc/keystone/policy.json.

"cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
# use 'default' or whatever your cloud admin domain id is 
"cloud_admin": "rule:admin_required and domain_id:default",
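The effect of this rule on a Cloud Admin, a Domain Admin and a _member_ user, as an added example (not keystone's or Horizon's own code): a simplified evaluator for flat policy expressions that also flags a `cloud_admin` rule still carrying the sample file's placeholder. The policy fragment, the token contexts, the ids `d1` and `p1`, and the premise that only a domain-scoped token carries `domain_id` in its credentials are assumptions made for illustration.

```python
import json

# Constructed policy fragment modelled on the rule this page edits.
POLICY_JSON = """{
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:default"
}"""
RULES = json.loads(POLICY_JSON)
PLACEHOLDER = "admin_domain_id"  # value shipped in policy.v3cloudsample.json


def check(expr, rules, creds):
    """Evaluate a flat policy expression (no parentheses, no 'not')."""
    # 'or' binds looser than 'and', so split on it first.
    if " or " in expr:
        return any(check(p, rules, creds) for p in expr.split(" or "))
    if " and " in expr:
        return all(check(p, rules, creds) for p in expr.split(" and "))
    kind, _, match = expr.strip().partition(":")
    if kind == "rule":
        return check(rules[match], rules, creds)
    if kind == "role":
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    # Generic check: compare a credential attribute with a literal value.
    return creds.get(kind) == match


def placeholder_left(rules):
    """True if cloud_admin still points at the sample's placeholder id."""
    return f"domain_id:{PLACEHOLDER}" in rules.get("cloud_admin", "")


def who_is_cloud_admin(rules, contexts):
    """Map each context name to whether it satisfies rule:cloud_admin."""
    return {n: check("rule:cloud_admin", rules, c) for n, c in contexts.items()}


# Constructed token contexts (assumption: only a domain-scoped token has domain_id).
CONTEXTS = {
    "cloud_admin": {"roles": ["admin"], "domain_id": "default"},
    "domain_admin": {"roles": ["admin"], "domain_id": "d1"},
    "admin_project_scoped": {"roles": ["admin"], "project_id": "p1"},
    "member": {"roles": ["_member_"], "domain_id": "default"},
}

if __name__ == "__main__":
    print("placeholder left:", placeholder_left(RULES))
    print(who_is_cloud_admin(RULES, CONTEXTS))
```

With the placeholder left unedited, no context in this model matches `cloud_admin`, which is why the line has to be changed before switching policy files.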


  • Memcached should be installed and running (perhaps on the same host as horizon to keep things simple)
  • The memcached client library needs to be installed in horizon's venv (python-memcached==1.53)
  • Horizon needs to be configured to use memcached


# We recommend you use memcached for development; otherwise after every reload
# of the django development server, you will have to login again. To use
# memcached set CACHES to something like
CACHES = {
    'default': {
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
        # Set to the host:port of your memcached instance.
        'LOCATION': '',
    },
}
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'

keystone v3

Horizon needs to be configured to use keystone v3 and multi domain support


OPENSTACK_API_VERSIONS = { "identity": 3, }


You'll need to pull down this patch to be able to retrieve a domain scoped token from the http session. https://review.openstack.org/#/c/141153/


This page only considers three users:

  • Cloud Admin
  • Domain Admin
  • User (_member_ role)

Workflow 1. Cloud Admin sets a Domain Context


1. Cloud Admin logs in. (Screenshot: Log In.png)
2. Cloud Admin navigates to the Identity Dashboard and Domain panel. (Screenshot: Identity-Domains.png)
3. Cloud Admin switches Domain context. (Screenshot: Set Domain Context.png)