settingsLogin | Registersettings

[Openstack] [openstack] [Aodh] [devstack] aodh alarm_action URL is not available

0 votes

HI ALL,
I setup a openstack env by devstack and create a alarm by aodh
and give a URL to the alarm's . but when the alarm
is evaluated and its state is transited from "insufficient data"
to "alarm". I can not receive any message for the notification.

stack@zte:~$ aodh alarm update --alarm-action
http://192.168.122.165:8080/alarm/image
bd9e6d09-d13f-4d0f-a55e-a8602267cb01
+---------------------------+------------------------------------------------------+
| Field | Value |
+---------------------------+------------------------------------------------------+
| alarmactions | [u'http://192.168.122.165:8080/alarm/image']
|
| alarm
id | bd9e6d09-d13f-4d0f-a55e-a8602267cb01 |
| comparisonoperator | ge |
| description | Alarm when image.size is eq a avg of 60.0
over 60 |
| | seconds |
| enabled | True |
| evaluation
periods | 1 |
| excludeoutliers | False |
| insufficient
dataactions | [] |
| meter
name | image.size |
| name | thres-001 |
| okactions | [u'log:///opt/stack/logs/aodh-notifier.log']
|
| period | 30 |
| project
id | 52ec6af5bd0a47ba9fa675c88967758a |
| query | [] |
| repeatactions | False |
| severity | low |
| state | insufficient data |
| state
timestamp | 2016-05-29T06:50:25.232939 |
| statistic | max |
| threshold | 5000000.0 |
| timeconstraints | [] |
| timestamp | 2016-05-31T07:15:26.962639 |
| type | threshold |
| user
id | b7bfac62328445979e435e9d9946722b |
+---------------------------+------------------------------------------------------+

a sippet in aodh-evaluator.log:


2016-05-31 03:24:25.545 7887 DEBUG aodh.evaluator [-] evaluating alarm
bd9e6d09-d13f-4d0f-a55e-a8602267cb01 evaluatealarm
/opt/stack/aodh/aodh/evaluator/init.py:220
2016-05-31 03:24:25.546 7887 DEBUG aodh.evaluator.threshold [-] query
stats from 2016-05-31 07:23:25.546035 to 2016-05-31 07:24:25.546035
boundduration /opt/stack/aodh/aodh/evaluator/threshold.py:79
2016-05-31 03:24:25.546 7887 DEBUG aodh.evaluator.threshold [-] stats
query [{'field': 'timestamp', 'value': '2016-05-31T07:24:25.546035', 'op':
'le'}, {'field': 'timestamp', 'value': '2016-05-31T07:23:25.546035', 'op':
'ge'}] _statistics /opt/stack/aodh/aodh/evaluator/threshold.py:114
2016-05-31 03:24:25.896 7887 DEBUG aodh.evaluator.threshold [-] sanitize
stats [] _sanitize
/opt/stack/aodh/aodh/evaluator/threshold.py:85
2016-05-31 03:24:25.897 7887 DEBUG aodh.evaluator.threshold [-] pruned
statistics to 1 _sanitize /opt/stack/aodh/aodh/evaluator/threshold.py:105
2016-05-31 03:24:25.898 7887 DEBUG aodh.evaluator.threshold [-] comparing
value 25165824.0 against threshold 5000000.0 _compare
/opt/stack/aodh/aodh/evaluator/threshold.py:165

stack@zte:~$ aodh alarm show bd9e6d09-d13f-4d0f-a55e-a8602267cb01
+---------------------------+------------------------------------------------------+
| Field | Value |
+---------------------------+------------------------------------------------------+
| alarmactions | [u'http://192.168.122.165:8080/alarm/image']
|
| alarm
id | bd9e6d09-d13f-4d0f-a55e-a8602267cb01 |
| comparisonoperator | ge |
| description | Alarm when image.size is eq a avg of 60.0
over 60 |
| | seconds |
| enabled | True |
| evaluation
periods | 1 |
| excludeoutliers | False |
| insufficient
dataactions | [] |
| meter
name | image.size |
| name | thres-001 |
| okactions | [u'log:///opt/stack/logs/aodh-notifier.log']
|
| period | 30 |
| project
id | 52ec6af5bd0a47ba9fa675c88967758a |
| query | [] |
| repeatactions | False |
| severity | low |
| state | alarm |
| state
timestamp | 2016-05-29T06:50:25.232939 |
| statistic | max |
| threshold | 5000000.0 |
| timeconstraints | [] |
| timestamp | 2016-05-31T07:15:26.962639 |
| type | threshold |
| user
id | b7bfac62328445979e435e9d9946722b |
+---------------------------+------------------------------------------------------+

192.168.122.165 is my server host ip.

In the URL: http://192.168.122.165:8080/alarm/image, I receive no info.
Does something wrong with the URL? Or, need I add some other config in the
config file?

Rajen


ZTE Information Security Notice: The information contained in this mail (and any attachment transmitted herewith) is privileged and confidential and is intended for the exclusive use of the addressee(s). If you are not an intended recipient, any disclosure, reproduction, distribution or other dissemination or use of the information contained is strictly prohibited. If you have received this mail in error, please delete it and notify us immediately.

Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
asked May 31, 2016 in openstack by li.yuanzhen_at_zte.c (580 points)   2 2
retagged Jan 25, 2017 by admin

15 Responses

0 votes

Hi All
I setup the openstack Mitaka, and beside the "default" domain, I create another domain called "labA".
I login using labA domain.
My question are1. Can I create different users and assign to different domain from Horizon dashboard GUI? or do i have to do it from a command line?2. If I login as admin user under default domain, How can I see all the users with all different domain in horizon dashboard GUI?.
Thanks a lotwally _______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

responded May 31, 2016 by zhihao_wang (700 points)   1 1
0 votes
  1. Yes, you can create new users in the "labA" domain via Horizon. Log in as admin under the default domain, go to the Domains dashboard, and click the "Set Domain Context" button for the "labA" domain. Then when you go back to the create user workflow, the "labA" domain will be automatically filled in for the user.
  2. Go to the Domains tab, click the "Set Domain Context" button for the other domain, and go back to the Users dashboard.

If you later need to think about using a domain admin via Horizon, take a look at this blog post: http://www.symantec.com/connect/blogs/domain-support-horizon-here

Thanks,
Brad

From: zhihao wang wangzhihaocom@hotmail.com
Date: Tuesday, May 31, 2016 at 8:40 AM
To: "openstack@lists.openstack.org" openstack@lists.openstack.org
Subject: [Openstack] Openstack Mitaka Domain question

Hi All

I setup the openstack Mitaka, and beside the "default" domain, I create another domain called "labA".

I login using labA domain.

My question are
1. Can I create different users and assign to different domain from Horizon dashboard GUI? or do i have to do it from a command line?
2. If I login as admin user under default domain, How can I see all the users with all different domain in horizon dashboard GUI?
.

Thanks a lot
wally


Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
responded May 31, 2016 by Brad_Pokorny (840 points)   1
0 votes

Hi,

I've managed to enable multi-domain support for my Mitaka environment,
but there are still some things to configure properly. I have two
questions regarding domains.

Log in as admin under the default domain, go to the Domains dashboard

  1. How can I enable the domain view in Horizon? I can't see that tab
    in the dashboard, I'm not sure where to look anymore.

  2. Has anyone a working separation of cloudadmin and domainadmin? I
    used the v3-policy file mentioned in the last response, changed the
    admindomainid to default as suggested, updated the keystone
    endpoints to v3, but now I can't execute some actions like list
    projects, list users etc. The logs say

    You are not authorized to perform the requested action:
    identity:list_domains

So I take a look into the policy.json:

 "cloud_admin": "rule:admin_required and domain_id:default",
 "identity:list_domains": "rule:cloud_admin"

As far as I understand, I assigend the domain "default" to
cloud_admin, so I assume that I should be able to list domains,
projects etc.
Until now I simply used the default config files for identity, can
anyone advise how to configure that file properly?

Regards,
Eugen

Zitat von Brad Pokorny Brad_Pokorny@symantec.com:

  1. Yes, you can create new users in the "labA" domain via Horizon.
    Log in as admin under the default domain, go to the Domains
    dashboard, and click the "Set Domain Context" button for the "labA"
    domain. Then when you go back to the create user workflow, the
    "labA" domain will be automatically filled in for the user.
  2. Go to the Domains tab, click the "Set Domain Context" button for
    the other domain, and go back to the Users dashboard.

If you later need to think about using a domain admin via Horizon,
take a look at this blog post:
http://www.symantec.com/connect/blogs/domain-support-horizon-here

Thanks,
Brad

From: zhihao wang
wangzhihaocom@hotmail.com
Date: Tuesday, May 31, 2016 at 8:40 AM
To:
"openstack@lists.openstack.org"
openstack@lists.openstack.org
Subject: [Openstack] Openstack Mitaka Domain question

Hi All

I setup the openstack Mitaka, and beside the "default" domain, I
create another domain called "labA".

I login using labA domain.

My question are
1. Can I create different users and assign to different domain from
Horizon dashboard GUI? or do i have to do it from a command line?
2. If I login as admin user under default domain, How can I see all
the users with all different domain in horizon dashboard GUI?
.

Thanks a lot
wally

--
Eugen Block voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail : eblock@nde.ag

     Vorsitzende des Aufsichtsrates: Angelika Mozdzen
       Sitz und Registergericht: Hamburg, HRB 90934
               Vorstand: Jens-U. Mozdzen
                USt-IdNr. DE 814 013 983
responded Jun 9, 2016 by Eugen_Block (3,740 points)   2 2
0 votes

I added a "Common Issues" section to this blog post with some things I've
seen that have tripped people up:
http://www.symantec.com/connect/blogs/domain-support-horizon-here

Resolving those things should at least get the Domains dashboard to show
up in Horizon. If everything is properly set up, it will show up under the
Identity left nav.

That may also resolve your second issue with CLI commands. If not, it
could be that you're getting a project scoped token when you should be
getting a domain scoped token. Info on token scopes:
http://docs.openstack.org/admin-guide/keystone_tokens.html

Thanks,
Brad

On 6/9/16, 2:48 AM, "Eugen Block" eblock@nde.ag wrote:

Hi,

I've managed to enable multi-domain support for my Mitaka environment,
but there are still some things to configure properly. I have two
questions regarding domains.

Log in as admin under the default domain, go to the Domains dashboard

  1. How can I enable the domain view in Horizon? I can't see that tab
    in the dashboard, I'm not sure where to look anymore.

  2. Has anyone a working separation of cloudadmin and domainadmin? I
    used the v3-policy file mentioned in the last response, changed the
    admindomainid to default as suggested, updated the keystone
    endpoints to v3, but now I can't execute some actions like list
    projects, list users etc. The logs say

    You are not authorized to perform the requested action:
    identity:list_domains

So I take a look into the policy.json:

"cloud_admin": "rule:admin_required and domain_id:default",
"identity:list_domains": "rule:cloud_admin"

As far as I understand, I assigend the domain "default" to
cloud_admin, so I assume that I should be able to list domains,
projects etc.
Until now I simply used the default config files for identity, can
anyone advise how to configure that file properly?

Regards,
Eugen

Zitat von Brad Pokorny Brad_Pokorny@symantec.com:

  1. Yes, you can create new users in the "labA" domain via Horizon.
    Log in as admin under the default domain, go to the Domains
    dashboard, and click the "Set Domain Context" button for the "labA"
    domain. Then when you go back to the create user workflow, the
    "labA" domain will be automatically filled in for the user.
  2. Go to the Domains tab, click the "Set Domain Context" button for
    the other domain, and go back to the Users dashboard.

If you later need to think about using a domain admin via Horizon,
take a look at this blog post:
http://www.symantec.com/connect/blogs/domain-support-horizon-here

Thanks,
Brad

From: zhihao wang
wangzhihaocom@hotmail.com
Date: Tuesday, May 31, 2016 at 8:40 AM
To:
"openstack@lists.openstack.org"
openstack@lists.openstack.org
Subject: [Openstack] Openstack Mitaka Domain question

Hi All

I setup the openstack Mitaka, and beside the "default" domain, I
create another domain called "labA".

I login using labA domain.

My question are
1. Can I create different users and assign to different domain from
Horizon dashboard GUI? or do i have to do it from a command line?
2. If I login as admin user under default domain, How can I see all
the users with all different domain in horizon dashboard GUI?
.

Thanks a lot
wally

--
Eugen Block voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail : eblock@nde.ag

    Vorsitzende des Aufsichtsrates: Angelika Mozdzen
      Sitz und Registergericht: Hamburg, HRB 90934
              Vorstand: Jens-U. Mozdzen
               USt-IdNr. DE 814 013 983


Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe :
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack


Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
responded Jun 10, 2016 by Brad_Pokorny (840 points)   1
0 votes

Hi,

I added a "Common Issues" section to this blog post

I found one thing that I must have missed, the admin role on the
Default domain was not assigned to the admin user. But changing that
had no effect, I still can't see the domain dashboard nor can I
authenticate for any other service.

could be that you're getting a project scoped token when you should be
getting a domain scoped token

I'm not sure how to ensure which token I get. I unset all Openstack
related environment variables by logging out from my session, logged
back in and tried to execute "openstack user list" with all the
required credentials as command options, not in the environment
script, but still no successful authentication.

Is it relevant that I use fernet tokens? I upgraded from Liberty to
Mitaka and used UUID tokens before. But the cloud seems to work with
fernet... I would appreciate any other hint or idea to resolve this
issue.

Regards,
Eugen

Zitat von Brad Pokorny Brad_Pokorny@symantec.com:

I added a "Common Issues" section to this blog post with some things I've
seen that have tripped people up:
http://www.symantec.com/connect/blogs/domain-support-horizon-here

Resolving those things should at least get the Domains dashboard to show
up in Horizon. If everything is properly set up, it will show up under the
Identity left nav.

That may also resolve your second issue with CLI commands. If not, it
could be that you're getting a project scoped token when you should be
getting a domain scoped token. Info on token scopes:
http://docs.openstack.org/admin-guide/keystone_tokens.html

Thanks,
Brad

On 6/9/16, 2:48 AM, "Eugen Block" eblock@nde.ag wrote:

Hi,

I've managed to enable multi-domain support for my Mitaka environment,
but there are still some things to configure properly. I have two
questions regarding domains.

Log in as admin under the default domain, go to the Domains dashboard

  1. How can I enable the domain view in Horizon? I can't see that tab
    in the dashboard, I'm not sure where to look anymore.

  2. Has anyone a working separation of cloudadmin and domainadmin? I
    used the v3-policy file mentioned in the last response, changed the
    admindomainid to default as suggested, updated the keystone
    endpoints to v3, but now I can't execute some actions like list
    projects, list users etc. The logs say

    You are not authorized to perform the requested action:
    identity:list_domains

So I take a look into the policy.json:

"cloud_admin": "rule:admin_required and domain_id:default",
"identity:list_domains": "rule:cloud_admin"

As far as I understand, I assigend the domain "default" to
cloud_admin, so I assume that I should be able to list domains,
projects etc.
Until now I simply used the default config files for identity, can
anyone advise how to configure that file properly?

Regards,
Eugen

Zitat von Brad Pokorny Brad_Pokorny@symantec.com:

  1. Yes, you can create new users in the "labA" domain via Horizon.
    Log in as admin under the default domain, go to the Domains
    dashboard, and click the "Set Domain Context" button for the "labA"
    domain. Then when you go back to the create user workflow, the
    "labA" domain will be automatically filled in for the user.
  2. Go to the Domains tab, click the "Set Domain Context" button for
    the other domain, and go back to the Users dashboard.

If you later need to think about using a domain admin via Horizon,
take a look at this blog post:
http://www.symantec.com/connect/blogs/domain-support-horizon-here

Thanks,
Brad

From: zhihao wang
wangzhihaocom@hotmail.com
Date: Tuesday, May 31, 2016 at 8:40 AM
To:
"openstack@lists.openstack.org"
openstack@lists.openstack.org
Subject: [Openstack] Openstack Mitaka Domain question

Hi All

I setup the openstack Mitaka, and beside the "default" domain, I
create another domain called "labA".

I login using labA domain.

My question are
1. Can I create different users and assign to different domain from
Horizon dashboard GUI? or do i have to do it from a command line?
2. If I login as admin user under default domain, How can I see all
the users with all different domain in horizon dashboard GUI?
.

Thanks a lot
wally

--
Eugen Block voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail : eblock@nde.ag

    Vorsitzende des Aufsichtsrates: Angelika Mozdzen
      Sitz und Registergericht: Hamburg, HRB 90934
              Vorstand: Jens-U. Mozdzen
               USt-IdNr. DE 814 013 983


Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe :
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

--
Eugen Block voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail : eblock@nde.ag

     Vorsitzende des Aufsichtsrates: Angelika Mozdzen
       Sitz und Registergericht: Hamburg, HRB 90934
               Vorstand: Jens-U. Mozdzen
                USt-IdNr. DE 814 013 983


Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
responded Jun 14, 2016 by Eugen_Block (3,740 points)   2 2
0 votes

Referring to the invisible domain field in the sidebar-accordion, I
tried to investigate Horizon with Firebug. If I get it right, the
identity panel is constructed in
/usr/lib/python2.7/site-packages/horizon/templates/horizon/_sidebar.html. But
only four panels are built, projects, users, groups and roles. How can
I find out why the domain panel is not built here?

I'm logged in as the cloud_admin, in the apache logs I don't see
permission errors or anything, so that shouldn't be an issue.

Here's some information on the dashboard version I'm using:

control1:/etc/keystone # rpm -qi openstack-dashboard-9.0.2~a0~dev6-1.1.noarch
Name : openstack-dashboard
Version : 9.0.2~a0~dev6
Release : 1.1
Architecture: noarch
Install Date: Fr 17 Jun 2016 16:08:08 CEST
Group : Development/Languages/Python
Size : 50738471
License : Apache-2.0
Signature : RSA/SHA256, Fr 17 Jun 2016 05:08:31 CEST, Key ID
893a90dad85f9316
Source RPM : openstack-dashboard-9.0.2~a0~dev6-1.1.src.rpm
Build Date : Fr 17 Jun 2016 05:07:19 CEST
Build Host : build33
Relocations : (not relocatable)
Vendor : obs://build.opensuse.org/Cloud:OpenStack
URL : http://wiki.openstack.org/OpenStackDashboard
Summary : OpenStack Dashboard (Horizon)

Any idea what goes wrong here?

Regards,
Eugen

Zitat von Brad Pokorny Brad_Pokorny@symantec.com:

I added a "Common Issues" section to this blog post with some things I've
seen that have tripped people up:
http://www.symantec.com/connect/blogs/domain-support-horizon-here

Resolving those things should at least get the Domains dashboard to show
up in Horizon. If everything is properly set up, it will show up under the
Identity left nav.

That may also resolve your second issue with CLI commands. If not, it
could be that you're getting a project scoped token when you should be
getting a domain scoped token. Info on token scopes:
http://docs.openstack.org/admin-guide/keystone_tokens.html

Thanks,
Brad

On 6/9/16, 2:48 AM, "Eugen Block" eblock@nde.ag wrote:

Hi,

I've managed to enable multi-domain support for my Mitaka environment,
but there are still some things to configure properly. I have two
questions regarding domains.

Log in as admin under the default domain, go to the Domains dashboard

  1. How can I enable the domain view in Horizon? I can't see that tab
    in the dashboard, I'm not sure where to look anymore.

  2. Has anyone a working separation of cloudadmin and domainadmin? I
    used the v3-policy file mentioned in the last response, changed the
    admindomainid to default as suggested, updated the keystone
    endpoints to v3, but now I can't execute some actions like list
    projects, list users etc. The logs say

    You are not authorized to perform the requested action:
    identity:list_domains

So I take a look into the policy.json:

"cloud_admin": "rule:admin_required and domain_id:default",
"identity:list_domains": "rule:cloud_admin"

As far as I understand, I assigend the domain "default" to
cloud_admin, so I assume that I should be able to list domains,
projects etc.
Until now I simply used the default config files for identity, can
anyone advise how to configure that file properly?

Regards,
Eugen

Zitat von Brad Pokorny Brad_Pokorny@symantec.com:

  1. Yes, you can create new users in the "labA" domain via Horizon.
    Log in as admin under the default domain, go to the Domains
    dashboard, and click the "Set Domain Context" button for the "labA"
    domain. Then when you go back to the create user workflow, the
    "labA" domain will be automatically filled in for the user.
  2. Go to the Domains tab, click the "Set Domain Context" button for
    the other domain, and go back to the Users dashboard.

If you later need to think about using a domain admin via Horizon,
take a look at this blog post:
http://www.symantec.com/connect/blogs/domain-support-horizon-here

Thanks,
Brad

From: zhihao wang
wangzhihaocom@hotmail.com
Date: Tuesday, May 31, 2016 at 8:40 AM
To:
"openstack@lists.openstack.org"
openstack@lists.openstack.org
Subject: [Openstack] Openstack Mitaka Domain question

Hi All

I setup the openstack Mitaka, and beside the "default" domain, I
create another domain called "labA".

I login using labA domain.

My question are
1. Can I create different users and assign to different domain from
Horizon dashboard GUI? or do i have to do it from a command line?
2. If I login as admin user under default domain, How can I see all
the users with all different domain in horizon dashboard GUI?
.

Thanks a lot
wally

--
Eugen Block voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail : eblock@nde.ag

    Vorsitzende des Aufsichtsrates: Angelika Mozdzen
      Sitz und Registergericht: Hamburg, HRB 90934
              Vorstand: Jens-U. Mozdzen
               USt-IdNr. DE 814 013 983


Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe :
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

--
Eugen Block voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail : eblock@nde.ag

     Vorsitzende des Aufsichtsrates: Angelika Mozdzen
       Sitz und Registergericht: Hamburg, HRB 90934
               Vorstand: Jens-U. Mozdzen
                USt-IdNr. DE 814 013 983


Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
responded Jun 20, 2016 by Eugen_Block (3,740 points)   2 2
0 votes

Could you attach copies of your Keystone policy.json file and your Horizon
keystone_policy.json file?

What method did you use to find out the ID of the domain named Default?

What method did you use to check whether the cloud_admin user has the
admin role on the Default domain?

Thanks,
Brad

On 6/20/16, 8:05 AM, "Eugen Block" eblock@nde.ag wrote:

Referring to the invisible domain field in the sidebar-accordion, I
tried to investigate Horizon with Firebug. If I get it right, the
identity panel is constructed in
/usr/lib/python2.7/site-packages/horizon/templates/horizon/_sidebar.html.
But
only four panels are built, projects, users, groups and roles. How can
I find out why the domain panel is not built here?

I'm logged in as the cloud_admin, in the apache logs I don't see
permission errors or anything, so that shouldn't be an issue.

Here's some information on the dashboard version I'm using:

control1:/etc/keystone # rpm -qi
openstack-dashboard-9.0.2~a0~dev6-1.1.noarch
Name : openstack-dashboard
Version : 9.0.2~a0~dev6
Release : 1.1
Architecture: noarch
Install Date: Fr 17 Jun 2016 16:08:08 CEST
Group : Development/Languages/Python
Size : 50738471
License : Apache-2.0
Signature : RSA/SHA256, Fr 17 Jun 2016 05:08:31 CEST, Key ID
893a90dad85f9316
Source RPM : openstack-dashboard-9.0.2~a0~dev6-1.1.src.rpm
Build Date : Fr 17 Jun 2016 05:07:19 CEST
Build Host : build33
Relocations : (not relocatable)
Vendor : obs://build.opensuse.org/Cloud:OpenStack
URL : http://wiki.openstack.org/OpenStackDashboard
Summary : OpenStack Dashboard (Horizon)

Any idea what goes wrong here?

Regards,
Eugen

Zitat von Brad Pokorny Brad_Pokorny@symantec.com:

I added a "Common Issues" section to this blog post with some things
I've
seen that have tripped people up:
http://www.symantec.com/connect/blogs/domain-support-horizon-here

Resolving those things should at least get the Domains dashboard to show
up in Horizon. If everything is properly set up, it will show up under
the
Identity left nav.

That may also resolve your second issue with CLI commands. If not, it
could be that you're getting a project scoped token when you should be
getting a domain scoped token. Info on token scopes:
http://docs.openstack.org/admin-guide/keystone_tokens.html

Thanks,
Brad

On 6/9/16, 2:48 AM, "Eugen Block" eblock@nde.ag wrote:

Hi,

I've managed to enable multi-domain support for my Mitaka environment,
but there are still some things to configure properly. I have two
questions regarding domains.

Log in as admin under the default domain, go to the Domains dashboard

  1. How can I enable the domain view in Horizon? I can't see that tab
    in the dashboard, I'm not sure where to look anymore.

  2. Has anyone a working separation of cloudadmin and domainadmin? I
    used the v3-policy file mentioned in the last response, changed the
    admindomainid to default as suggested, updated the keystone
    endpoints to v3, but now I can't execute some actions like list
    projects, list users etc. The logs say

    You are not authorized to perform the requested action:
    identity:list_domains

So I take a look into the policy.json:

"cloud_admin": "rule:admin_required and domain_id:default",
"identity:list_domains": "rule:cloud_admin"

As far as I understand, I assigend the domain "default" to
cloud_admin, so I assume that I should be able to list domains,
projects etc.
Until now I simply used the default config files for identity, can
anyone advise how to configure that file properly?

Regards,
Eugen

Zitat von Brad Pokorny Brad_Pokorny@symantec.com:

  1. Yes, you can create new users in the "labA" domain via Horizon.
    Log in as admin under the default domain, go to the Domains
    dashboard, and click the "Set Domain Context" button for the "labA"
    domain. Then when you go back to the create user workflow, the
    "labA" domain will be automatically filled in for the user.
  2. Go to the Domains tab, click the "Set Domain Context" button for
    the other domain, and go back to the Users dashboard.

If you later need to think about using a domain admin via Horizon,
take a look at this blog post:
http://www.symantec.com/connect/blogs/domain-support-horizon-here

Thanks,
Brad

From: zhihao wang
wangzhihaocom@hotmail.com
Date: Tuesday, May 31, 2016 at 8:40 AM
To:
"openstack@lists.openstack.org"
openstack@lists.openstack.org
Subject: [Openstack] Openstack Mitaka Domain question

Hi All

I setup the openstack Mitaka, and beside the "default" domain, I
create another domain called "labA".

I login using labA domain.

My question are
1. Can I create different users and assign to different domain from
Horizon dashboard GUI? or do i have to do it from a command line?
2. If I login as admin user under default domain, How can I see all
the users with all different domain in horizon dashboard GUI?
.

Thanks a lot
wally

--
Eugen Block voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail : eblock@nde.ag

    Vorsitzende des Aufsichtsrates: Angelika Mozdzen
      Sitz und Registergericht: Hamburg, HRB 90934
              Vorstand: Jens-U. Mozdzen
               USt-IdNr. DE 814 013 983


Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe :
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

--
Eugen Block voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail : eblock@nde.ag

    Vorsitzende des Aufsichtsrates: Angelika Mozdzen
      Sitz und Registergericht: Hamburg, HRB 90934
              Vorstand: Jens-U. Mozdzen
               USt-IdNr. DE 814 013 983


Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
responded Jun 20, 2016 by Brad_Pokorny (840 points)   1
0 votes

Could you attach copies of your Keystone policy.json file and your Horizon
keystone_policy.json file?

I use the same file for both horizon and keystone, it's attached to
this email. Please note that I changed the cloudadmin rule to use the
user
id of my admin user because domain_id didn't work.

What method did you use to find out the ID of the domain named Default?

control1:/etc/keystone # openstack domain list
+----------------------------------+---------+---------+----------------+
| ID | Name | Enabled | Description |
+----------------------------------+---------+---------+----------------+
| 696819fc8d8d40129ca3a7b54145ba9e | heat | True | Stack projects |
| d17c72d57ef344da922500b4f69de4b2 | users | True | |
| default | Default | True | |
+----------------------------------+---------+---------+----------------+

What method did you use to check whether the cloud_admin user has the
admin role on the Default domain?

I followed your link in your previous answer
http://www.symantec.com/connect/blogs/domain-support-horizon-here.
Here's the CLI output to show the role assignment:

control1:/etc/keystone # openstack role list | grep admin
| 465e2e9e201948668289ceb013277a50 | admin |

control1:/etc/keystone # openstack user list | grep admin
| 89c5dcc8793d4867bae22d50e51e16b3 | admin |

control1:/etc/keystone # openstack role assignment list | grep default
+----------------------------------+----------------------------------+------+---------+---------+-----------+
| Role | User
| Group| Project | Domain | Inherited |
+----------------------------------+----------------------------------+------+---------+---------+-----------+
| 465e2e9e201948668289ceb013277a50 | 89c5dcc8793d4867bae22d50e51e16b3
| | | default | False |
+----------------------------------+----------------------------------+------+---------+---------+-----------+

Regards,
Eugen

Zitat von Brad Pokorny Brad_Pokorny@symantec.com:

Could you attach copies of your Keystone policy.json file and your Horizon
keystone_policy.json file?

What method did you use to find out the ID of the domain named Default?

What method did you use to check whether the cloud_admin user has the
admin role on the Default domain?

Thanks,
Brad

On 6/20/16, 8:05 AM, "Eugen Block" eblock@nde.ag wrote:

Referring to the invisible domain field in the sidebar-accordion, I
tried to investigate Horizon with Firebug. If I get it right, the
identity panel is constructed in
/usr/lib/python2.7/site-packages/horizon/templates/horizon/_sidebar.html.
But
only four panels are built, projects, users, groups and roles. How can
I find out why the domain panel is not built here?

I'm logged in as the cloud_admin, in the apache logs I don't see
permission errors or anything, so that shouldn't be an issue.

Here's some information on the dashboard version I'm using:

control1:/etc/keystone # rpm -qi
openstack-dashboard-9.0.2~a0~dev6-1.1.noarch
Name : openstack-dashboard
Version : 9.0.2~a0~dev6
Release : 1.1
Architecture: noarch
Install Date: Fr 17 Jun 2016 16:08:08 CEST
Group : Development/Languages/Python
Size : 50738471
License : Apache-2.0
Signature : RSA/SHA256, Fr 17 Jun 2016 05:08:31 CEST, Key ID
893a90dad85f9316
Source RPM : openstack-dashboard-9.0.2~a0~dev6-1.1.src.rpm
Build Date : Fr 17 Jun 2016 05:07:19 CEST
Build Host : build33
Relocations : (not relocatable)
Vendor : obs://build.opensuse.org/Cloud:OpenStack
URL : http://wiki.openstack.org/OpenStackDashboard
Summary : OpenStack Dashboard (Horizon)

Any idea what goes wrong here?

Regards,
Eugen

Zitat von Brad Pokorny Brad_Pokorny@symantec.com:

I added a "Common Issues" section to this blog post with some things
I've
seen that have tripped people up:
http://www.symantec.com/connect/blogs/domain-support-horizon-here

Resolving those things should at least get the Domains dashboard to show
up in Horizon. If everything is properly set up, it will show up under
the
Identity left nav.

That may also resolve your second issue with CLI commands. If not, it
could be that you're getting a project scoped token when you should be
getting a domain scoped token. Info on token scopes:
http://docs.openstack.org/admin-guide/keystone_tokens.html

Thanks,
Brad

On 6/9/16, 2:48 AM, "Eugen Block" eblock@nde.ag wrote:

Hi,

I've managed to enable multi-domain support for my Mitaka environment,
but there are still some things to configure properly. I have two
questions regarding domains.

Log in as admin under the default domain, go to the Domains dashboard

  1. How can I enable the domain view in Horizon? I can't see that tab
    in the dashboard, I'm not sure where to look anymore.

  2. Has anyone a working separation of cloudadmin and domainadmin? I
    used the v3-policy file mentioned in the last response, changed the
    admindomainid to default as suggested, updated the keystone
    endpoints to v3, but now I can't execute some actions like list
    projects, list users etc. The logs say

    You are not authorized to perform the requested action:
    identity:list_domains

So I take a look into the policy.json:

"cloud_admin": "rule:admin_required and domain_id:default",
"identity:list_domains": "rule:cloud_admin"

As far as I understand, I assigend the domain "default" to
cloud_admin, so I assume that I should be able to list domains,
projects etc.
Until now I simply used the default config files for identity, can
anyone advise how to configure that file properly?

Regards,
Eugen

Zitat von Brad Pokorny Brad_Pokorny@symantec.com:

  1. Yes, you can create new users in the "labA" domain via Horizon.
    Log in as admin under the default domain, go to the Domains
    dashboard, and click the "Set Domain Context" button for the "labA"
    domain. Then when you go back to the create user workflow, the
    "labA" domain will be automatically filled in for the user.
  2. Go to the Domains tab, click the "Set Domain Context" button for
    the other domain, and go back to the Users dashboard.

If you later need to think about using a domain admin via Horizon,
take a look at this blog post:
http://www.symantec.com/connect/blogs/domain-support-horizon-here

Thanks,
Brad

From: zhihao wang
wangzhihaocom@hotmail.com
Date: Tuesday, May 31, 2016 at 8:40 AM
To:
"openstack@lists.openstack.org"
openstack@lists.openstack.org
Subject: [Openstack] Openstack Mitaka Domain question

Hi All

I setup the openstack Mitaka, and beside the "default" domain, I
create another domain called "labA".

I login using labA domain.

My question are
1. Can I create different users and assign to different domain from
Horizon dashboard GUI? or do i have to do it from a command line?
2. If I login as admin user under default domain, How can I see all
the users with all different domain in horizon dashboard GUI?
.

Thanks a lot
wally

--
Eugen Block voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail : eblock@nde.ag

    Vorsitzende des Aufsichtsrates: Angelika Mozdzen
      Sitz und Registergericht: Hamburg, HRB 90934
              Vorstand: Jens-U. Mozdzen
               USt-IdNr. DE 814 013 983


Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe :
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

--
Eugen Block voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail : eblock@nde.ag

    Vorsitzende des Aufsichtsrates: Angelika Mozdzen
      Sitz und Registergericht: Hamburg, HRB 90934
              Vorstand: Jens-U. Mozdzen
               USt-IdNr. DE 814 013 983

--
Eugen Block voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail : eblock@nde.ag

     Vorsitzende des Aufsichtsrates: Angelika Mozdzen
       Sitz und Registergericht: Hamburg, HRB 90934
               Vorstand: Jens-U. Mozdzen
                USt-IdNr. DE 814 013 983


Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

responded Jun 21, 2016 by Eugen_Block (3,740 points)   2 2
0 votes

When you said "I use the same file for both horizon and keystone", I'm
wondering if that means your Keystone policy file in Horizon is called
policy.json. By default, it will need to be called keystonepolicy.json.
And if you installed everything with devstack, it will need to be in
/opt/stack/horizon/openstack
dashboard/conf. Is that the case?

Also, could you attach your local_settings.py file from Horizon?

Thanks,
Brad

On 6/21/16, 12:01 AM, "Eugen Block" eblock@nde.ag wrote:

Could you attach copies of your Keystone policy.json file and your
Horizon
keystone_policy.json file?

I use the same file for both horizon and keystone, it's attached to
this email. Please note that I changed the cloudadmin rule to use the
user
id of my admin user because domain_id didn't work.

What method did you use to find out the ID of the domain named Default?

control1:/etc/keystone # openstack domain list
+----------------------------------+---------+---------+----------------+
| ID | Name | Enabled | Description |
+----------------------------------+---------+---------+----------------+
| 696819fc8d8d40129ca3a7b54145ba9e | heat | True | Stack projects |
| d17c72d57ef344da922500b4f69de4b2 | users | True | |
| default | Default | True | |
+----------------------------------+---------+---------+----------------+

What method did you use to check whether the cloud_admin user has the
admin role on the Default domain?

I followed your link in your previous answer
http://www.symantec.com/connect/blogs/domain-support-horizon-here.
Here's the CLI output to show the role assignment:

control1:/etc/keystone # openstack role list | grep admin
| 465e2e9e201948668289ceb013277a50 | admin |

control1:/etc/keystone # openstack user list | grep admin
| 89c5dcc8793d4867bae22d50e51e16b3 | admin |

control1:/etc/keystone # openstack role assignment list | grep default
+----------------------------------+----------------------------------+---
---+---------+---------+-----------+
| Role | User
| Group| Project | Domain | Inherited |
+----------------------------------+----------------------------------+---
---+---------+---------+-----------+
| 465e2e9e201948668289ceb013277a50 | 89c5dcc8793d4867bae22d50e51e16b3
| | | default | False |
+----------------------------------+----------------------------------+---
---+---------+---------+-----------+

Regards,
Eugen

Zitat von Brad Pokorny Brad_Pokorny@symantec.com:

Could you attach copies of your Keystone policy.json file and your
Horizon
keystone_policy.json file?

What method did you use to find out the ID of the domain named Default?

What method did you use to check whether the cloud_admin user has the
admin role on the Default domain?

Thanks,
Brad

On 6/20/16, 8:05 AM, "Eugen Block" eblock@nde.ag wrote:

Referring to the invisible domain field in the sidebar-accordion, I
tried to investigate Horizon with Firebug. If I get it right, the
identity panel is constructed in

/usr/lib/python2.7/site-packages/horizon/templates/horizon/_sidebar.html
.
But
only four panels are built, projects, users, groups and roles. How can
I find out why the domain panel is not built here?

I'm logged in as the cloud_admin, in the apache logs I don't see
permission errors or anything, so that shouldn't be an issue.

Here's some information on the dashboard version I'm using:

control1:/etc/keystone # rpm -qi
openstack-dashboard-9.0.2~a0~dev6-1.1.noarch
Name : openstack-dashboard
Version : 9.0.2~a0~dev6
Release : 1.1
Architecture: noarch
Install Date: Fr 17 Jun 2016 16:08:08 CEST
Group : Development/Languages/Python
Size : 50738471
License : Apache-2.0
Signature : RSA/SHA256, Fr 17 Jun 2016 05:08:31 CEST, Key ID
893a90dad85f9316
Source RPM : openstack-dashboard-9.0.2~a0~dev6-1.1.src.rpm
Build Date : Fr 17 Jun 2016 05:07:19 CEST
Build Host : build33
Relocations : (not relocatable)
Vendor : obs://build.opensuse.org/Cloud:OpenStack
URL : http://wiki.openstack.org/OpenStackDashboard
Summary : OpenStack Dashboard (Horizon)

Any idea what goes wrong here?

Regards,
Eugen

Zitat von Brad Pokorny Brad_Pokorny@symantec.com:

I added a "Common Issues" section to this blog post with some things
I've
seen that have tripped people up:
http://www.symantec.com/connect/blogs/domain-support-horizon-here

Resolving those things should at least get the Domains dashboard to
show
up in Horizon. If everything is properly set up, it will show up under
the
Identity left nav.

That may also resolve your second issue with CLI commands. If not, it
could be that you're getting a project scoped token when you should be
getting a domain scoped token. Info on token scopes:
http://docs.openstack.org/admin-guide/keystone_tokens.html

Thanks,
Brad

On 6/9/16, 2:48 AM, "Eugen Block" eblock@nde.ag wrote:

Hi,

I've managed to enable multi-domain support for my Mitaka
environment,
but there are still some things to configure properly. I have two
questions regarding domains.

Log in as admin under the default domain, go to the Domains
dashboard

  1. How can I enable the domain view in Horizon? I can't see that tab
    in the dashboard, I'm not sure where to look anymore.

  2. Has anyone a working separation of cloudadmin and domainadmin? I
    used the v3-policy file mentioned in the last response, changed the
    admindomainid to default as suggested, updated the keystone
    endpoints to v3, but now I can't execute some actions like list
    projects, list users etc. The logs say

    You are not authorized to perform the requested action:
    identity:list_domains

So I take a look into the policy.json:

"cloud_admin": "rule:admin_required and domain_id:default",
"identity:list_domains": "rule:cloud_admin"

As far as I understand, I assigend the domain "default" to
cloud_admin, so I assume that I should be able to list domains,
projects etc.
Until now I simply used the default config files for identity, can
anyone advise how to configure that file properly?

Regards,
Eugen

Zitat von Brad Pokorny Brad_Pokorny@symantec.com:

  1. Yes, you can create new users in the "labA" domain via Horizon.
    Log in as admin under the default domain, go to the Domains
    dashboard, and click the "Set Domain Context" button for the "labA"
    domain. Then when you go back to the create user workflow, the
    "labA" domain will be automatically filled in for the user.
  2. Go to the Domains tab, click the "Set Domain Context" button for
    the other domain, and go back to the Users dashboard.

If you later need to think about using a domain admin via Horizon,
take a look at this blog post:
http://www.symantec.com/connect/blogs/domain-support-horizon-here

Thanks,
Brad

From: zhihao wang
wangzhihaocom@hotmail.com
Date: Tuesday, May 31, 2016 at 8:40 AM
To:

"openstack@lists.openstack.org"

openstack@lists.openstack.org
Subject: [Openstack] Openstack Mitaka Domain question

Hi All

I setup the openstack Mitaka, and beside the "default" domain, I
create another domain called "labA".

I login using labA domain.

My question are
1. Can I create different users and assign to different domain from
Horizon dashboard GUI? or do i have to do it from a command line?
2. If I login as admin user under default domain, How can I see all
the users with all different domain in horizon dashboard GUI?
.

Thanks a lot
wally

--
Eugen Block voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail : eblock@nde.ag

    Vorsitzende des Aufsichtsrates: Angelika Mozdzen
      Sitz und Registergericht: Hamburg, HRB 90934
              Vorstand: Jens-U. Mozdzen
               USt-IdNr. DE 814 013 983


Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe :
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

--
Eugen Block voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail : eblock@nde.ag

    Vorsitzende des Aufsichtsrates: Angelika Mozdzen
      Sitz und Registergericht: Hamburg, HRB 90934
              Vorstand: Jens-U. Mozdzen
               USt-IdNr. DE 814 013 983

--
Eugen Block voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail : eblock@nde.ag

    Vorsitzende des Aufsichtsrates: Angelika Mozdzen
      Sitz und Registergericht: Hamburg, HRB 90934
              Vorstand: Jens-U. Mozdzen
               USt-IdNr. DE 814 013 983


Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
responded Jun 21, 2016 by Brad_Pokorny (840 points)   1
0 votes

When you said "I use the same file for both horizon and keystone", I'm
wondering if that means your Keystone policy file in Horizon is called
policy.json. By default, it will need to be called keystone_policy.json.

Sorry for my misleading answer, the files have different names, but
the content is the same.

control1:~ # ll
/srv/www/openstack-dashboard/openstackdashboard/conf/keystonepolicy.json
-rw-r--r-- 1 root root 6430 17. Jun 00:27
/srv/www/openstack-dashboard/openstackdashboard/conf/keystonepolicy.json

control1:~ # ll /etc/keystone/policy.json
-rw-r--r-- 1 root root 13885 13. Jun 09:59 /etc/keystone/policy.json

And if you installed everything with devstack

I did not install it with devstack, I followed this guide:
http://docs.openstack.org/mitaka/install-guide-obs/

The local_settings.py is attached to this email.

Zitat von Brad Pokorny Brad_Pokorny@symantec.com:

When you said "I use the same file for both horizon and keystone", I'm
wondering if that means your Keystone policy file in Horizon is called
policy.json. By default, it will need to be called keystonepolicy.json.
And if you installed everything with devstack, it will need to be in
/opt/stack/horizon/openstack
dashboard/conf. Is that the case?

Also, could you attach your local_settings.py file from Horizon?

Thanks,
Brad

On 6/21/16, 12:01 AM, "Eugen Block" eblock@nde.ag wrote:

Could you attach copies of your Keystone policy.json file and your
Horizon
keystone_policy.json file?

I use the same file for both horizon and keystone, it's attached to
this email. Please note that I changed the cloudadmin rule to use the
user
id of my admin user because domain_id didn't work.

What method did you use to find out the ID of the domain named Default?

control1:/etc/keystone # openstack domain list
+----------------------------------+---------+---------+----------------+
| ID | Name | Enabled | Description |
+----------------------------------+---------+---------+----------------+
| 696819fc8d8d40129ca3a7b54145ba9e | heat | True | Stack projects |
| d17c72d57ef344da922500b4f69de4b2 | users | True | |
| default | Default | True | |
+----------------------------------+---------+---------+----------------+

What method did you use to check whether the cloud_admin user has the
admin role on the Default domain?

I followed your link in your previous answer
http://www.symantec.com/connect/blogs/domain-support-horizon-here.
Here's the CLI output to show the role assignment:

control1:/etc/keystone # openstack role list | grep admin
| 465e2e9e201948668289ceb013277a50 | admin |

control1:/etc/keystone # openstack user list | grep admin
| 89c5dcc8793d4867bae22d50e51e16b3 | admin |

control1:/etc/keystone # openstack role assignment list | grep default
+----------------------------------+----------------------------------+---
---+---------+---------+-----------+
| Role | User
| Group| Project | Domain | Inherited |
+----------------------------------+----------------------------------+---
---+---------+---------+-----------+
| 465e2e9e201948668289ceb013277a50 | 89c5dcc8793d4867bae22d50e51e16b3
| | | default | False |
+----------------------------------+----------------------------------+---
---+---------+---------+-----------+

Regards,
Eugen

Zitat von Brad Pokorny Brad_Pokorny@symantec.com:

Could you attach copies of your Keystone policy.json file and your
Horizon
keystone_policy.json file?

What method did you use to find out the ID of the domain named Default?

What method did you use to check whether the cloud_admin user has the
admin role on the Default domain?

Thanks,
Brad

On 6/20/16, 8:05 AM, "Eugen Block" eblock@nde.ag wrote:

Referring to the invisible domain field in the sidebar-accordion, I
tried to investigate Horizon with Firebug. If I get it right, the
identity panel is constructed in

/usr/lib/python2.7/site-packages/horizon/templates/horizon/_sidebar.html
.
But
only four panels are built, projects, users, groups and roles. How can
I find out why the domain panel is not built here?

I'm logged in as the cloud_admin, in the apache logs I don't see
permission errors or anything, so that shouldn't be an issue.

Here's some information on the dashboard version I'm using:

control1:/etc/keystone # rpm -qi
openstack-dashboard-9.0.2~a0~dev6-1.1.noarch
Name : openstack-dashboard
Version : 9.0.2~a0~dev6
Release : 1.1
Architecture: noarch
Install Date: Fr 17 Jun 2016 16:08:08 CEST
Group : Development/Languages/Python
Size : 50738471
License : Apache-2.0
Signature : RSA/SHA256, Fr 17 Jun 2016 05:08:31 CEST, Key ID
893a90dad85f9316
Source RPM : openstack-dashboard-9.0.2~a0~dev6-1.1.src.rpm
Build Date : Fr 17 Jun 2016 05:07:19 CEST
Build Host : build33
Relocations : (not relocatable)
Vendor : obs://build.opensuse.org/Cloud:OpenStack
URL : http://wiki.openstack.org/OpenStackDashboard
Summary : OpenStack Dashboard (Horizon)

Any idea what goes wrong here?

Regards,
Eugen

Zitat von Brad Pokorny Brad_Pokorny@symantec.com:

I added a "Common Issues" section to this blog post with some things
I've
seen that have tripped people up:
http://www.symantec.com/connect/blogs/domain-support-horizon-here

Resolving those things should at least get the Domains dashboard to
show
up in Horizon. If everything is properly set up, it will show up under
the
Identity left nav.

That may also resolve your second issue with CLI commands. If not, it
could be that you're getting a project scoped token when you should be
getting a domain scoped token. Info on token scopes:
http://docs.openstack.org/admin-guide/keystone_tokens.html

Thanks,
Brad

On 6/9/16, 2:48 AM, "Eugen Block" eblock@nde.ag wrote:

Hi,

I've managed to enable multi-domain support for my Mitaka
environment,
but there are still some things to configure properly. I have two
questions regarding domains.

Log in as admin under the default domain, go to the Domains
dashboard

  1. How can I enable the domain view in Horizon? I can't see that tab
    in the dashboard, I'm not sure where to look anymore.

  2. Has anyone a working separation of cloudadmin and domainadmin? I
    used the v3-policy file mentioned in the last response, changed the
    admindomainid to default as suggested, updated the keystone
    endpoints to v3, but now I can't execute some actions like list
    projects, list users etc. The logs say

    You are not authorized to perform the requested action:
    identity:list_domains

So I take a look into the policy.json:

"cloud_admin": "rule:admin_required and domain_id:default",
"identity:list_domains": "rule:cloud_admin"

As far as I understand, I assigend the domain "default" to
cloud_admin, so I assume that I should be able to list domains,
projects etc.
Until now I simply used the default config files for identity, can
anyone advise how to configure that file properly?

Regards,
Eugen

Zitat von Brad Pokorny Brad_Pokorny@symantec.com:

  1. Yes, you can create new users in the "labA" domain via Horizon.
    Log in as admin under the default domain, go to the Domains
    dashboard, and click the "Set Domain Context" button for the "labA"
    domain. Then when you go back to the create user workflow, the
    "labA" domain will be automatically filled in for the user.
  2. Go to the Domains tab, click the "Set Domain Context" button for
    the other domain, and go back to the Users dashboard.

If you later need to think about using a domain admin via Horizon,
take a look at this blog post:
http://www.symantec.com/connect/blogs/domain-support-horizon-here

Thanks,
Brad

From: zhihao wang
wangzhihaocom@hotmail.com
Date: Tuesday, May 31, 2016 at 8:40 AM
To:

"openstack@lists.openstack.org"

openstack@lists.openstack.org
Subject: [Openstack] Openstack Mitaka Domain question

Hi All

I setup the openstack Mitaka, and beside the "default" domain, I
create another domain called "labA".

I login using labA domain.

My question are
1. Can I create different users and assign to different domain from
Horizon dashboard GUI? or do i have to do it from a command line?
2. If I login as admin user under default domain, How can I see all
the users with all different domain in horizon dashboard GUI?
.

Thanks a lot
wally

--
Eugen Block voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail : eblock@nde.ag

    Vorsitzende des Aufsichtsrates: Angelika Mozdzen
      Sitz und Registergericht: Hamburg, HRB 90934
              Vorstand: Jens-U. Mozdzen
               USt-IdNr. DE 814 013 983


Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe :
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

--
Eugen Block voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail : eblock@nde.ag

    Vorsitzende des Aufsichtsrates: Angelika Mozdzen
      Sitz und Registergericht: Hamburg, HRB 90934
              Vorstand: Jens-U. Mozdzen
               USt-IdNr. DE 814 013 983

--
Eugen Block voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail : eblock@nde.ag

    Vorsitzende des Aufsichtsrates: Angelika Mozdzen
      Sitz und Registergericht: Hamburg, HRB 90934
              Vorstand: Jens-U. Mozdzen
               USt-IdNr. DE 814 013 983

--
Eugen Block voice : +49-40-559 51 75
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77
Postfach 61 03 15
D-22423 Hamburg e-mail : eblock@nde.ag

     Vorsitzende des Aufsichtsrates: Angelika Mozdzen
       Sitz und Registergericht: Hamburg, HRB 90934
               Vorstand: Jens-U. Mozdzen
                USt-IdNr. DE 814 013 983


Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

responded Jun 22, 2016 by Eugen_Block (3,740 points)   2 2
...