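By default, Horizon does not support multi-domain; some special settings are required before this feature can be used.
Preparing the domain, project, role and assignment data is not covered here. Once that data is in place, only the identity-related configuration under horizon needs to be changed.
The settings are as follows:
1. Set the identity authentication method: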
# ./openstack_dashboard/local/local_settings.py
# use of the decimal point, so valid options would be 2.0 or 3.
OPENSTACK_API_VERSIONS = {
    # "data-processing": 1.1,
    "identity": 3,
    # "volume": 2,
}

# Set this to True if running on multi-domain model. When this is enabled, it
# will require user to enter the Domain name in addition to username for login.
#OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = False
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True

# Overrides the default domain used when running on single-domain model
# with Keystone V3. All entities will be created in the default domain.
#OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'Default'
OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = 'admin_domain'

#OPENSTACK_KEYSTONE_URL="http://10.239.159.101:5000/v2.0"
OPENSTACK_KEYSTONE_URL="http://10.239.159.101:5000/v3"
Reference: https://blueprints.launchpad.net/horizon/+spec/login-domain-support
2. Set up the new policy file
# openstack_dashboard/conf/keystone_policy.json; note the domain_id here
{
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:b792bb2101254aaebd11694cc99c89be",
    "service_role": "role:service",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "owner" : "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
    "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
    "admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "service_admin_or_owner": "rule:service_or_admin or rule:owner",
    ...
}
Omitted.
4. Restart the apache2 service
$ sudo apache2ctl restart
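@TODO: After the configuration is done, both the CLI and the web UI report errors where users and group information cannot be listed; the permissions need to be verified.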
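To check how the rules in keystone_policy.json from step 2 evaluate for a given token, the following added example (not from the original post, and not Horizon or oslo.policy code) implements a simplified evaluator for `and`/`or`/parentheses and runs it over a subset of those rules. The credential dictionaries are constructed, and it is an assumption here that `domain_id` appears in the credentials only for a domain-scoped token.

```python
import re

# Subset of the keystone_policy.json rules shown in step 2.
RULES = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:b792bb2101254aaebd11694cc99c89be",
    "admin_or_cloud_admin": "rule:admin_required or rule:cloud_admin",
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
}
TOKEN = re.compile(r"[\w.]+:(?:%\([\w.]+\)s|[\w.]+)|\(|\)|\band\b|\bor\b")

def enforce(rule, creds, target=None):
    """Evaluate RULES[rule]; simplified stand-in for oslo.policy (no 'not')."""
    tokens, pos, target = TOKEN.findall(RULES[rule]), 0, target or {}

    def atom():
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok == "(":
            val = or_expr()
            pos += 1                      # consume ")"
            return val
        kind, _, match = tok.partition(":")
        if kind == "rule":                # reference to another named rule
            return enforce(match, creds, target)
        if kind == "role":
            return match in creds.get("roles", [])
        try:                              # generic check: credential == value
            return str(creds.get(kind)) == match % target
        except KeyError:                  # target lacks the %(...)s attribute
            return False

    def chain(op, operand):
        nonlocal pos
        val = operand()
        while pos < len(tokens) and tokens[pos] == op:
            pos += 1
            nxt = operand()
            val = (val and nxt) if op == "and" else (val or nxt)
        return val

    def or_expr():                        # "and" binds tighter than "or"
        return chain("or", lambda: chain("and", atom))
    return or_expr()

# Constructed credentials (assumption: only domain-scoped tokens carry domain_id).
DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "b792bb2101254aaebd11694cc99c89be"}
PROJECT_ADMIN = {"roles": ["admin"], "project_id": "p1"}
OTHER_ADMIN = {"roles": ["admin"], "domain_id": "d2"}
```

With these rules, `enforce("cloud_admin", PROJECT_ADMIN)` is false even though the user holds the admin role, and `admin_and_matching_domain_id` passes only when the target's `domain_id` equals the one in the credentials.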