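By default, Horizon does not support multi-domain operation; some specific settings are required before the feature can be used.
Preparing the domain, project, role and assignment data is not covered here. Once that data is ready, only the identity-related configuration in Horizon needs to be changed.
The settings are as follows:
1. Set the identity authentication method: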
# ./openstack_dashboard/local/local_settings.py
# use of the decimal point, so valid options would be 2.0 or 3.
OPENSTACK_API_VERSIONS = {
    # "data-processing": 1.1,
    "identity": 3,
    # "volume": 2,
}
# Set this to True if running on multi-domain model. When this is enabled, it
# will require user to enter the Domain name in addition to username for login.
#OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
# Overrides the default domain used when running on single-domain model
# with Keystone V3. All entities will be created in the default domain.
#OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'admin_domain'
#OPENSTACK_KEYSTONE_URL="http://10.239.159.101:5000/v2.0"
OPENSTACK_KEYSTONE_URL="http://10.239.159.101:5000/v3"
Reference: https://blueprints.launchpad.net/horizon/+spec/login-domain-support
2. Set up the new policy file
# openstack_dashboard/conf/keystone_policy.json, note the domain_id here
{
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:b792bb2101254aaebd11694cc99c89be",
    "service_role": "role:service",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
    "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
    "admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "service_admin_or_owner": "rule:service_or_admin or rule:owner",
    ...
}
Omitted.
4. Restart the apache2 service
$ sudo apache2ctl restart
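The `cloud_admin` rule in step 2 is pinned to one literal domain ID, so it only grants anything if that ID is the real ID of the admin domain. The following check is an added example, not part of the original post or of Horizon: `check_policy`, `literal_domain_ids` and `SAMPLE_POLICY` are hypothetical names, the sample policy is constructed from the rules shown above, and the admin domain ID is assumed to be supplied by the operator (for example from `openstack domain show admin_domain -f value -c id`).

```python
import json
import re

# "domain_id:<value>" checks inside a rule; a bare "%(domain_id)s" does not match.
_DOMAIN_CHECK = re.compile(r"(?<![\w.])domain_id:([^\s)]+)")

# Constructed sample that reuses rules shown in step 2.
SAMPLE_POLICY = r"""{
  "admin_required": "role:admin",
  "cloud_admin": "rule:admin_required and domain_id:b792bb2101254aaebd11694cc99c89be",
  "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
  "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
  "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s"
}"""


def literal_domain_ids(policy):
    """Return {rule: [hard-coded domain IDs]}; templated %(...)s values are skipped."""
    found = {}
    for name, rule in policy.items():
        if not isinstance(rule, str):
            continue
        literals = [v for v in _DOMAIN_CHECK.findall(rule) if not v.startswith("%(")]
        if literals:
            found[name] = literals
    return found


def check_policy(policy_text, admin_domain_id):
    """Return a list of problems; an empty list means every pinned ID matches."""
    policy = json.loads(policy_text)
    pinned = literal_domain_ids(policy)
    problems = []
    if "cloud_admin" not in policy:
        problems.append("cloud_admin: rule is missing")
    elif "cloud_admin" not in pinned:
        problems.append("cloud_admin: no literal domain_id, rule is not pinned to a domain")
    for name, ids in sorted(pinned.items()):
        for value in ids:
            if value != admin_domain_id:
                problems.append(f"{name}: domain_id {value} != admin domain {admin_domain_id}")
    return problems


if __name__ == "__main__":
    # The ID below is the one from the page; replace it with your admin domain's ID.
    for line in check_policy(SAMPLE_POLICY, "b792bb2101254aaebd11694cc99c89be") or ["policy OK"]:
        print(line)
```
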
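@TODO: After the configuration is complete, errors about being unable to list users and group information occur both through the CLI and through the dashboard; the permissions need to be verified.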