If you use Keystone Domains in your cloud, chances are people have asked why Domain Admins can't manage projects under their domains via Horizon. Domain and project management in Horizon for Domain Admins will be available in the Mitaka release, and this post explains how to use it with a simple DevStack setup. This post assumes you already have working knowledge of Horizon and Keystone.
The main change needed in Horizon for this to work is https://review.openstack.org/#/c/148082/. There was significant support for Domain Scoped Tokens added to the Django OpenStack Auth (DOA) project as well, and those changes are in the latest DOA release.
Configure Keystone for v3
To begin with, you'll need Keystone set up for v3, meaning that you should be using a Keystone policy file based on the v3 sample policy file.
The v3 sample policy defines the cloud_admin rule in terms of a placeholder admin domain id, which you must replace with the id of your own admin domain. By default, DevStack sets up the Default domain as the Admin Domain, so you'll set domain_id:default here.
Configure Horizon for v3
In the local_settings.py file, set these values if they're not already set:
```python
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'default'
CACHES = {
    'default': {
        'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
        'LOCATION': '127.0.0.1:11211',
    },
}
SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
```
And make sure OPENSTACK_KEYSTONE_URL is set to the v3 endpoint (it should have /v3 on the end).
Install memcached on the Horizon server. On Ubuntu systems, the command will be:
$ sudo apt-get install memcached
Install python-memcached if it's not already installed:
$ sudo pip install python-memcached
You'll also need to use a version of the v3 sample policy file from Keystone as the keystone_policy.json file Horizon uses. We've found that the stable/liberty policy file from Keystone works best in Horizon, as the current one on the master branch uses features that aren't entirely supported by the latest oslo.policy release. See bug 1547684 for details. Again, set domain_id:default here, so that the copy Horizon reads agrees with the one Keystone enforces.
Restart Horizon and Keystone to pick up all the config changes.
Create a new domain and assign a Domain Admin
DevStack gives the admin user the admin role on the Default domain, so the admin user can now be used to create a new domain and Domain Admin user in that domain.
- Log into Horizon with the admin user
- Create a new Domain
- Click the Set Domain Context button to work with the new domain
- Create a new user in the domain. Note that the user will have no roles on any projects or domains to start with
- Navigate back to Domains and give the new user the admin role on the new domain
- Log out of Horizon and log back in as your Domain Admin
- Your Domain Admin can now create projects and users under the new domain
This functionality allows you, as a cloud administrator, to delegate project management to domain administrators via Horizon. Domain Admins from different domains will not be able to see or modify Keystone resources within other domains unless specifically given access to do so.
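To make the "set domain_id:default" step and the cross-domain isolation above concrete, here is an added example (not code from the post, Horizon or Keystone) that evaluates a constructed excerpt modelled on Keystone's v3 sample policy. It implements only the subset of oslo.policy rule syntax the excerpt needs: `role:X`, `rule:X`, `key:value` with `%(key)s` substitution from a flattened target, joined by `and`/`or` (no `not`, no parentheses). The rule text, the credential dicts and the `placeholder_left_in` check are all assumptions for illustration; the real policy file and the real oslo.policy engine are the authority.

```python
"""Tiny evaluator for the oslo.policy rule subset used below.

Keystone flattens nested targets into dotted keys (e.g. 'project.domain_id')
before enforcement, so targets here are flat dicts. This is an illustrative
re-implementation, not oslo.policy itself.
"""
import re

# Constructed excerpt in the spirit of policy.v3cloudsample.json, with the
# admin_domain_id placeholder already replaced by 'default' (DevStack's
# admin domain, as the post instructs).  Not a verbatim copy of the file.
POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:default",
    "admin_and_matching_domain_id":
        "rule:admin_required and domain_id:%(domain_id)s",
    "admin_and_matching_project_domain_id":
        "rule:admin_required and domain_id:%(project.domain_id)s",
    "identity:get_domain":
        "rule:cloud_admin or rule:admin_and_matching_domain_id",
    "identity:create_project":
        "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
}

# Same excerpt with the placeholder left untouched: the misconfiguration the
# post warns about.  Nobody's token carries domain_id 'admin_domain_id'.
BROKEN_POLICY = dict(POLICY)
BROKEN_POLICY["cloud_admin"] = "rule:admin_required and domain_id:admin_domain_id"

_SUBST = re.compile(r"%\(([\w.]+)\)s")


def _check(expr, creds, target, policy):
    """Evaluate one 'kind:match' atom against token credentials."""
    kind, _, match = expr.partition(":")
    try:
        # %(key)s is filled from the (flattened) target, as GenericCheck does
        match = _SUBST.sub(lambda m: str(target[m.group(1)]), match)
    except KeyError:
        return False  # target lacks the attribute: the atom cannot match
    if kind == "rule":
        return enforce(match, creds, target, policy)
    if kind == "role":
        return match in creds.get("roles", [])
    # generic check: compare a credential attribute (domain_id, user_id, ...)
    return kind in creds and str(creds[kind]) == match


def enforce(rule_name, creds, target, policy=POLICY):
    """True if the named rule permits creds to act on target.

    'and' binds tighter than 'or', matching oslo.policy precedence.
    """
    rule = policy[rule_name]
    for disjunct in rule.split(" or "):
        if all(_check(atom.strip(), creds, target, policy)
               for atom in disjunct.split(" and ")):
            return True
    return False


def placeholder_left_in(policy):
    """Names of rules that still carry the sample file's admin-domain
    placeholder; a non-empty result means 'set domain_id:default' was missed."""
    return [name for name, text in policy.items()
            if "domain_id:admin_domain_id" in text]


# Constructed credentials as a domain-scoped token would present them.
CLOUD_ADMIN = {"roles": ["admin"], "domain_id": "default", "user_id": "admin"}
DOM1_ADMIN = {"roles": ["admin"], "domain_id": "dom1", "user_id": "alice"}


if __name__ == "__main__":
    # Domain Admin of dom1 can create a project in dom1, not in dom2.
    print(enforce("identity:create_project", DOM1_ADMIN, {"project.domain_id": "dom1"}))
    print(enforce("identity:create_project", DOM1_ADMIN, {"project.domain_id": "dom2"}))
    # The cloud admin reaches every domain; with the placeholder left in, nobody does.
    print(enforce("identity:get_domain", CLOUD_ADMIN, {"domain_id": "dom2"}))
    print(enforce("identity:get_domain", CLOUD_ADMIN, {"domain_id": "dom2"}, BROKEN_POLICY))
    print(placeholder_left_in(BROKEN_POLICY))
```

Running it shows the two behaviours the post relies on: a Domain Admin's domain-scoped token only satisfies the `admin_and_matching_*` rules for its own domain, and the `cloud_admin` rule only works once the placeholder has been replaced by the real admin domain id, which is why the post has you set `domain_id:default` in both the Keystone and the Horizon copies of the policy.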
Current limitations
- Horizon doesn't currently support role assignments across domains, such as giving a user in domain1 access to domain2.
- Project Admins managing Keystone projects isn't supported. In Horizon, project management works best when done by Domain Admins.
- Hierarchical project management isn't supported.
- If using PKI tokens, you'll see errors in the logs which don't affect functionality. See bug 1551977 for details.
Please let us know in the comments if any of these limitations are important to you! We prioritize development based on what makes the biggest impact for users.