GET /projects?domain_id=<domain is for dom1> did the trick. Thanks so much,
Henry.
Regards,-Deep.
On Wednesday, February 18, 2015 5:20 AM, Henry Nash
<[email protected]> wrote:
Hi
So one thing to try is to pass the domain_id as a filter to list projects, i.e.:
GET /projects?domain_id=<domain is for dom1>
I thought that a domain scoped token would have been sufficient, but let's try
that. Could you also send me your policy file so I can check it?
Thanks
Henry
On 17 Feb 2015, at 23:29, Ratnadeep Bhattacharjee <[email protected]> wrote:
I have set up my OpenStack environment with V3 Keystone domains enabled after
reading a few blogs (notably this one:
http://www.florentflament.com/blog/setting-keystone-v3-domains.html). I am not
able to get the list of projects in a given domain when querying as the domain
admin. Below are the steps I followed:
1. I created an admin domain and added the ID of the domain to my new
policy.json file (which is a copy of the latest policy.v3cloudsample.json):

    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:43eebba390b64b86ad073f690f76ee7f",
    "service_role": "role:service",....

2. Restarted keystone.
3. I went ahead and created a new domain, dom1, and a new user (admin1) for
that domain, and assigned the admin role to that user. admin1 is now supposed
to be the domain admin for dom1. I logged in as admin1 with scope set to the
domain ID of dom1 and have a valid token as well. The body of the POST request
was as follows:

    {
        "auth": {
            "identity": {
                "methods": [
                    "password"
                ],
                "password": {
                    "user": {
                        "domain": {
                            "id": "6a530272037f4672b41e5be12b2d1670"
                        },
                        "name": "admin1",
                        "password": "admin123"
                    }
                }
            },
            "scope": {
                "domain": {
                    "id": "6a530272037f4672b41e5be12b2d1670"
                }
            }
        }
    }

4. I then created two projects in the domain dom1.
5. Now when I try to get a list of all the projects in that domain using HTTP
GET /keystone/v3/projects API call (and passing the admin1 login token) I get
a 403 error with the following response:

    {
        "error": {
            "code": 403,
            "message": "You are not authorized to perform the requested action: identity:list_projects",
            "title": "Forbidden"
        }
    }

What am I missing? Would really appreciate any pointers...
Regards,-Deep.
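
Added example (not part of the thread and not Keystone's own code): a simplified Python model of how the identity:list_projects rule is evaluated, showing why the unfiltered request returned 403 and the request with ?domain_id= succeeded. The admin_and_matching_domain_id and identity:list_projects rule strings are assumed to be as in policy.v3cloudsample.json, since the thread quotes only admin_required and cloud_admin; the function names and credential dictionaries are constructed for illustration.

```python
# Simplified model of the rule evaluation; this is not oslo.policy itself.
DOM1 = "6a530272037f4672b41e5be12b2d1670"          # dom1, from the thread
ADMIN_DOMAIN = "43eebba390b64b86ad073f690f76ee7f"  # admin domain, from the thread

RULES = {
    # The first two rules are quoted in the thread.
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:" + ADMIN_DOMAIN,
    # Assumed: these two as they appear in policy.v3cloudsample.json.
    "admin_and_matching_domain_id":
        "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_projects":
        "rule:cloud_admin or rule:admin_and_matching_domain_id",
}

def check(atom, creds, target):
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return enforce(match, creds, target)
    if kind == "role":
        return match in creds.get("roles", [])
    # Generic check: compare creds[kind] with a literal, or with a value
    # substituted from the request target when written as %(key)s.
    if match.startswith("%(") and match.endswith(")s"):
        key = match[2:-2]
        if key not in target:
            return False  # nothing in the request to match against
        match = target[key]
    return creds.get(kind) == match

def enforce(rule, creds, target):
    # Handles "a and b or c and d" without parentheses, enough for these rules.
    return any(
        all(check(atom.strip(), creds, target) for atom in clause.split(" and "))
        for clause in RULES[rule].split(" or ")
    )

def list_projects_allowed(creds, query_filters):
    # Query-string filters become the target the rule is matched against.
    return enforce("identity:list_projects", creds, dict(query_filters))

# Constructed credentials, as a domain-scoped token for each user would yield.
admin1 = {"roles": ["admin"], "domain_id": DOM1}
cloud_admin = {"roles": ["admin"], "domain_id": ADMIN_DOMAIN}

if __name__ == "__main__":
    print(list_projects_allowed(admin1, {}))                   # no filter
    print(list_projects_allowed(admin1, {"domain_id": DOM1}))  # with filter
```

A domain-scoped token alone fails because, with no filter, the request carries no domain_id for the %(domain_id)s substitution to match, so only cloud_admin can pass.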