I am presently prototyping an OpenStack setup (IceHouse RDO) using multiple domains to organize groups of users/projects (in the future, hopefully Juno, we would like to move to [domain-specific backends](http://docs.openstack.org/developer/keystone/configuration.html#domain-specific-drivers) to support multiple LDAP auth backends).
Following [this guide](http://www.florentflament.com/blog/setting-keystone-v3-domains.html) verbatim, I have enabled multiple domains using curl. At the end of this there is a new cloud_admin user, two domains adm1 and adm2, along with single users and projects usr1, usr2 and prj1, prj2 respectively.
I'm currently running Horizon from the git repo, and I've enabled multi-domains:

    OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
    OPENSTACK_API_VERSIONS = {
        "data_processing": 1.1,
        "identity": 3,
        "volume": 2
    }
    OPENSTACK_KEYSTONE_URL = "http://%s:5000/v3" % OPENSTACK_HOST

My dashboard now requests a domain in addition to the user / password.
If I log in as usr1 on dom1, it gets me in. However, there are auth problems whenever horizon tries to query the various services under the hood.
For example, it initially takes you to the "Overview" window, and it gives me a message "Error: Unauthorized: Unable to retrieve usage information".
In the web server log, I see things like (x's added by me):

    Login successful for user "usr1".
    DeprecationWarning: check_for_test_cookie is deprecated; ensure your login view is CSRF-protected.
    WARNING:py.warnings:DeprecationWarning: check_for_test_cookie is deprecated; ensure your login view is CSRF-protected.
    [20/Aug/2014 20:03:58] "POST /auth/login/ HTTP/1.1" 302 0
    [20/Aug/2014 20:03:58] "GET / HTTP/1.1" 302 0
    novaclient connection created using token "xxxxx" and url "http://x.x.x.x:8774/v2/xxxxx"
    REQ: curl -i 'http://x.x.x.x:8774/v2/xxxxx/extensions' -X GET -H "Accept: application/json" -H "User-Agent: python-novaclient" -H "X-Auth-Project-Id: xxxxx" -H "X-Auth-Token: {SHA1}xxxxx"
    RESP: [401] {'date': 'Wed, 20 Aug 2014 20:04:26 GMT', 'content-length': '23', 'content-type': 'text/plain', 'www-authenticate': "Keystone uri='http://x.x.x.x:5000/'"}
    RESP BODY: Authentication required

This all worked better when I was using single-domain (v2 keystone API).
It looks to me like it's incorrectly generating tokens and/or trying to use the v2 auth API. Is there some other basic thing I'm forgetting to set up server-side (maybe something in keystone.conf)? It seems like other people out there have at least been able to get a decent dashboard experience for regular users, even though Horizon doesn't currently seem to support domain admin tasks.