
Horizon/DomainWorkFlow

Revision as of 19:14, 22 January 2015 by Dan Nguyen (talk | contribs)

Intro

This wiki page describes how to enable Domain Scoped Token support in Horizon and how to navigate the existing workflows.

Prerequisites

devstack

You'll need to have keystone running in a VM or somewhere you can reach it from Horizon.

Cloud Admin account in keystone

If a user has an 'admin' role and access to the Cloud Admin domain, then they are considered to be a Cloud Admin. One way to enable this account is to grant your admin user access to the 'default' domain.

  • Authenticate to keystone and retrieve an admin token from the v2 API
  • Grant the admin user access to the Cloud Admin domain
 curl -s -H "X-Auth-Token: <TOKEN>" -X PUT http://127.0.0.1:5000/v3/domains/default/users/<ADMIN_ID>/roles/<ADMIN_ROLE_ID>

keystone policy.json file

You can start testing with the default /etc/keystone/policy.json file, but at some point you will want to switch in the following file: https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json

Change the following line in policy.v3cloudsample.json as shown, then swap the edited file in for /etc/keystone/policy.json

... 
"cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
...
...
# use 'default' or whatever your cloud admin domain id is 
"cloud_admin": "rule:admin_required and domain_id:default",
...
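The following is an added example, not part of the original wiki or of keystone or Horizon code. It builds the keystone v3 request body for a domain-scoped token and checks a token response the way the edited cloud_admin rule would, to confirm that the role grant and the policy change above line up. The function names and sample responses are constructed for illustration, and admin_required is modelled here only as a check for the 'admin' role.

```python
import json

ADMIN_DOMAIN_ID = "default"  # assumption: the id substituted into the cloud_admin rule


def domain_scoped_auth_body(username, password, user_domain_id, scope_domain_id):
    """Body for POST /v3/auth/tokens that asks for a domain-scoped token."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": username,
                                           "domain": {"id": user_domain_id},
                                           "password": password}}},
        "scope": {"domain": {"id": scope_domain_id}},
    }}


def is_cloud_admin(token_body, admin_domain_id=ADMIN_DOMAIN_ID):
    """Simplified mirror of 'rule:admin_required and domain_id:<admin_domain_id>'.

    Hypothetical helper, not oslo policy: the token must carry the 'admin'
    role and be scoped to the cloud admin domain.
    """
    token = token_body.get("token", {})
    roles = {r.get("name") for r in token.get("roles", [])}
    # A project-scoped token has no top-level "domain" key; its domain is
    # nested under "project", so it does not satisfy the domain_id check.
    scope_domain = token.get("domain", {}).get("id")
    return "admin" in roles and scope_domain == admin_domain_id


# Constructed sample responses, trimmed to the fields checked above.
DOMAIN_ADMIN_TOKEN = {"token": {"user": {"name": "admin"},
                                "domain": {"id": "default", "name": "Default"},
                                "roles": [{"name": "admin"}]}}
PROJECT_ADMIN_TOKEN = {"token": {"user": {"name": "admin"},
                                 "project": {"id": "<PROJECT_ID>", "name": "demo",
                                             "domain": {"id": "default"}},
                                 "roles": [{"name": "admin"}]}}
DOMAIN_MEMBER_TOKEN = {"token": {"user": {"name": "demo"},
                                 "domain": {"id": "default", "name": "Default"},
                                 "roles": [{"name": "_member_"}]}}

if __name__ == "__main__":
    body = domain_scoped_auth_body("admin", "<PASSWORD>", "default", "default")
    print(json.dumps(body, indent=2))
    for label, tok in [("domain-scoped admin", DOMAIN_ADMIN_TOKEN),
                       ("project-scoped admin", PROJECT_ADMIN_TOKEN),
                       ("domain-scoped _member_", DOMAIN_MEMBER_TOKEN)]:
        print(label, "->", is_cloud_admin(tok))
```

Only the domain-scoped token that carries the admin role passes; an admin role on a project-scoped token is not enough once the cloud sample policy is in place.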

memcached

  • Memcached should be installed and running (perhaps on the same host as horizon to keep things simple)
  • The memcached client library needs to be installed in horizon's venv (python-memcached==1.53)
  • Horizon needs to be configured to use memcached

local_settings.py

...
# We recommend you use memcached for development; otherwise after every reload
# of the django development server, you will have to login again. To use
# memcached set CACHES to something like
CACHES = {
   'default': {
       'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
       'LOCATION': '127.0.0.1:11211',
   }
}
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
...

keystone v3

Horizon needs to be configured to use keystone v3 and multi-domain support.

local_settings.py

...
OPENSTACK_API_VERSIONS = { "identity": 3, }
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True 
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
...

django-openstack-auth

You'll need to pull down this patch to be able to retrieve a domain-scoped token from the HTTP session: https://review.openstack.org/#/c/141153/


Users

This page only considers three users:

TODO(esp): Add use cases for Cloud Admin and Domain Admin
  • Cloud Admin
  • Domain Admin
  • User (_member_ role)

Workflow 1. Cloud Admin sets a Domain Context

Switch-domain-workflow-1.png

Cloud Admin Logs in

1. Log In.png

Cloud Admin navigates to the Identity Dashboard and Domain panel

2. Identity-Domains.png

Cloud Admin switches Domain context

3. Set Domain Context.png