Jump to: navigation, search

Horizon/DomainWorkFlow

Intro

This wiki describes how to enable Domain Scoped Token support in Horizon and how to navigate the existing work flows.

Prerequisites

devstack

You'll need to have keystone running in a VM or somewhere you can reach it from Horizon.

Cloud Admin account in keystone

If a user has an 'admin' role and access to the Cloud Admin domain then they are considered to be a Cloud Admin. One way to enable this account to grant your admin user access to the 'default' domain.

  • Dig the admin token out of keystone.conf
 grep -i 'admin_token' /etc/keystone/keystone.conf
  • Grant the admin access to the cloud admin domain
 curl -s -H "X-Auth-Token: <ADMIN_TOKEN>" -X PUT http://127.0.0.1:5000/v3/domains/default/users/<ADMIN_ID>/roles/<ADMIN_ROLE_ID>

Note: If you are having trouble finding the ADMIN_ID, you can find it with this command: 

 mysql -D keystone -e 'select id from user where name = "admin";'

Note: If you are having trouble finding the ADMIN_ROLE_ID, you can find it with this command: 

 mysql -D keystone -e 'select id from role where name = "admin";'

keystone policy.json file

You can start testing with the default /etc/keystone/policy.json file but at some point you will want to switch in the following file: https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json

Change the following line in the policy.v3cloudsample.json and swap it with the /etc/keystone/policy.json Remember: He who laughs last had a backup!

old: 

... 
"cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
...

new: 

...
# use 'default' or whatever your cloud admin domain id is 
"cloud_admin": "rule:admin_required and domain_id:default",
...

memcached

  • Memcached should be installed and running (perhaps on the same host as horizon to keep things simple)
  • The memcached client library needs to be installed in horizon's venv (python-memcached==1.53)
  • Horizon needs to be configured to use memcached

local_settings.py 

...
# We recommend you use memcached for development; otherwise after every reload
# of the django development server, you will have to login again. To use
# memcached set CACHES to something like
CACHES = {
   'default': {
       'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
       'LOCATION': '127.0.0.1:11211',
   }
}
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
...

keystone v3

Horizon needs to be configured to use keystone v3 and multi domain support

Copy the keystone devstack's policy file: /etc/keyston/policy.json into your horizon directory: horizon/openstack_dashboard/conf/keystone_policy.v3cloudsample.json

Determine the default role name: 

 mysql -D keystone -e 'select name from role where name like "%ember";'

In my case it has changed from "_member_" to "Member".


local_settings.py 

...
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "Member"
...
OPENSTACK_API_VERSIONS = { "identity": 3, }
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True 
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'default'
OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST
...
POLICY_FILES = {
#'identity': 'keystone_policy.json',
'identity': 'keystone_policy.v3cloudsample.json',
...

django-openstack-auth

You'll need to pull down this patch to be able to retrieve a domain scoped token from the http session. https://review.openstack.org/#/c/141153/

horizon

You'll need to pull down this patch in your horizon repo for horizon to understand multi-domain setups. https://review.openstack.org/#/c/148082/

keystone

Allows a Domain Admin to list role assignments without a project token https://review.openstack.org/#/c/180846/

keystone client

Allows a Domain Admin to list role assignments without a project token https://review.openstack.org/#/c/188184/

Users

This page only considers three users 

TODO(esp): Add use cases for Cloud Admin and Domain Admin
  • Cloud Admin
  • Domain Admin
  • User (_member_ role)

Set up the cloud admin user

  • Convert the admin user to be a Cloud Admin
 curl -s -H "X-Auth-Token: <ADMN_TOKEN>" -X PUT http://127.0.0.1:5000/v3/domains/<DEFAULT DOMAIN>/users/<ADMIN USER ID>/roles/<ADMIN ROLE ID>

Workflow 1. Cloud Admin sets a Domain Context

Switch-domain-workflow-1.png

Cloud Admin Logs in

1. Log In.png

Cloud Admin navigates to the Identity Dashboard and Domain panel

2. Identity-Domains.png

Cloud Admin switches Domain context

3. Set Domain Context.png

Retrieved from "https://wiki.openstack.org/w/index.php?title=Horizon/DomainWorkFlow&oldid=85990"