Jump to: navigation, search

Horizon/DomainWorkFlow

< Horizon
Revision as of 20:34, 25 February 2015 by Woodm (talk | contribs) (Users)

Intro

This wiki describes how to enable Domain Scoped Token support in Horizon and how to navigate the existing work flows.

Prerequisites

devstack

You'll need to have keystone running in a VM or somewhere you can reach it from Horizon.

Cloud Admin account in keystone

If a user has an 'admin' role and access to the Cloud Admin domain then they are considered to be a Cloud Admin. One way to enable this account to grant your admin user access to the 'default' domain.

  • Dig the admin token out of keystone.conf
 grep -i 'admin_token' /etc/keystone/keystone.conf
  • Grant the admin access to the cloud admin domain
 curl -s -H "X-Auth-Token: <TOKEN>" -X PUT http://127.0.0.1:5000/v3/domains/default/users/<ADMIN_ID>/roles/<ADMIN_ROLE_ID>

Note: If you are having trouble finding the ADMIN_ROLE_ID, you can find it with this command: 

 mysql -D keystone -e 'select id from role where name = "admin";'

keystone policy.json file

You can start testing with the default /etc/keystone/policy.json file but at some point you will want to switch in the following file: https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json

Change the following line in the policy.v3cloudsample.json and swap it with the /etc/keystone/policy.json Remember: He who laughs last had a backup!

old: 

... 
"cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
...

new: 

...
# use 'default' or whatever your cloud admin domain id is 
"cloud_admin": "rule:admin_required and domain_id:default",
...

memcached

  • Memcached should be installed and running (perhaps on the same host as horizon to keep things simple)
  • The memcached client library needs to be installed in horizon's venv (python-memcached==1.53)
  • Horizon needs to be configured to use memcached

local_settings.py 

...
# We recommend you use memcached for development; otherwise after every reload
# of the django development server, you will have to login again. To use
# memcached set CACHES to something like
CACHES = {
   'default': {
       'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
       'LOCATION': '127.0.0.1:11211',
   }
}
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
...

keystone v3

Horizon needs to be configured to use keystone v3 and multi domain support

local_settings.py 

...
OPENSTACK_API_VERSIONS = { "identity": 3, }
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True 
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
...

django-openstack-auth

You'll need to pull down this patch to be able to retrieve a domain scoped token from the http session. https://review.openstack.org/#/c/141153/


Users

This page only considers three users 

TODO(esp): Add use cases for Cloud Admin and Domain Admin
  • Cloud Admin
  • Domain Admin
  • User (_member_ role)

Set up the cloud admin user

  • Convert the admin user to be a Cloud Admin
 curl -s -H "X-Auth-Token: <TOKEN>" -X PUT http://192.168.56.102:5000/v3/domains/<DEFAULT DOMAIN>/users/<ADMIN USER ID>/roles/<ADMIN ROLE ID>

Workflow 1. Cloud Admin sets a Domain Context

Switch-domain-workflow-1.png

Cloud Admin Logs in

1. Log In.png

Cloud Admin navigates to the Identity Dashboard and Domain panel

2. Identity-Domains.png

Cloud Admin switches Domain context

3. Set Domain Context.png

Retrieved from "https://wiki.openstack.org/w/index.php?title=Horizon/DomainWorkFlow&oldid=74462"