| 2014-09-18 15:13:18 |
Dmitry Nikishov |
description |
I'm making customizations of MOS 5.1 for a certain client, and one of their requests was to use Active Directory as Keystone's backend. The AD is read only.
They don't use default 'admin' role. The define their own name for the admin role (lets say 'customadmin').
After the modification of policy.json for all the services, CLI works fine. However, Horizon does not recognize 'customadmin' as admin.
Once user with role 'customadmin' authenticates, admin tab is missing. This issue is caused by hardcoded "openstack.roles.admin" permission in Horizon's code. It can be fixed by the following command:
grep -Irl "openstack.roles.admin" /usr/share/openstack-dashboard/openstack_dashboard/ | xargs sed -i 's/openstack.roles.admin/openstack.roles.customadmin/g' && service apache2 restart
(See https://bugs.launchpad.net/horizon/+bug/1161144)
Once this command is executed, admin panel appears, though the user can't access any of it's entries (volumes, instances and so on). Horizon displays error message that says: "You do not have permission to access the resource".
Other cloud with all the same configuration except that it uses default 'admin' role name for the admin role, works like a charm.
Update: after a deep dive into horizon's code, I have a hack that allows to access these pages:
remove "admin=True" in the tenant_list() here:
https://github.com/openstack/horizon/blob/stable/icehouse/openstack_dashboard/api/keystone.py#L257
But I'm sure, it can be solved a better way. |
I'm making customizations of MOS 5.1 for a certain client, and one of their requests was to use Active Directory as Keystone's backend. The AD is read only.
They don't use default 'admin' role. They define their own name for the admin role (lets say 'customadmin').
After the modification of policy.json for all the services, CLI works fine. However, Horizon does not recognize 'customadmin' as admin.
Once user with role 'customadmin' authenticates, admin tab is missing. This issue is caused by hardcoded "openstack.roles.admin" permission in Horizon's code. It can be fixed by the following command:
grep -Irl "openstack.roles.admin" /usr/share/openstack-dashboard/openstack_dashboard/ | xargs sed -i 's/openstack.roles.admin/openstack.roles.customadmin/g' && service apache2 restart
(See https://bugs.launchpad.net/horizon/+bug/1161144)
Once this command is executed, admin panel appears, though the user can't access any of it's entries (volumes, instances and so on). Horizon displays error message that says: "You do not have permission to access the resource".
Other cloud with all the same configuration except that it uses default 'admin' role name for the admin role, works like a charm.
Update: after a deep dive into horizon's code, I have a hack that allows to access these pages:
remove "admin=True" in the tenant_list() here:
https://github.com/openstack/horizon/blob/stable/icehouse/openstack_dashboard/api/keystone.py#L257
But I'm sure, it can be solved a better way. |
|
