If you're using oslo.policy (this is in Kilo and newer) then you shouldn't have to restart Keystone for the changes to policy.json to take effect, but it doesn't hurt.
I suggest looking to make sure the role 'project_admin' was actually assigned to the user in that project. You can use the command `keystone user-role-list` for that.

Thanks,

Steve Martinelli
OpenStack Keystone Core

From: Jonathan Proulx <[email protected]>
To: "[email protected]" <[email protected]>
Date: 2015/08/24 03:46 PM
Subject: [Openstack] Keystone policy to allow project_admins to add (existing) users to their projects

Hi,

I want to create a 'project_admin' role with the ability to add and remove existing users from the project in which one has this role. But it's not working as I thought.

Here's what I tried in policy.json (note #comments are not in the json file):

# set up the rules
"project_admin": "project_id:%(project_id)s and role:project_admin",
"admin_or_proj_admin": "rule:admin_required or rule:admin_or_proj_admin",

# grant role to some things that were previously rule:admin_required
"identity:get_project": "rule:admin_or_proj_admin",
"identity:update_project": "rule:admin_or_proj_admin",
"identity:get_user": "rule:admin_or_proj_admin",
"identity:get_role": "rule:admin_or_proj_admin",
"identity:create_grant": "rule:admin_or_proj_admin",
"identity:revoke_grant": "rule:admin_or_proj_admin",
"identity:list_role_assignments": "rule:admin_or_proj_admin",

I'd started off with a smaller set (just the create_grant and revoke_grant) but added more access due to failures, but it's still not working.

What I did: restarted keystone after editing policy.json (is this required?)

# as admin user
keystone user-role-add --user jon --role project_admin --tenant test-group

# as user 'jon'
keystone --debug --os-tenant-name test-group user-role-add --user jon-test --role _member_ --tenant test-group
DEBUG:keystoneclient.auth.identity.v2:Making authentication request to https://keystone:5001/v2.0/tokens
INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone
DEBUG:urllib3.connectionpool:Setting read timeout to 600.0
DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 4915
DEBUG:keystoneclient.session:REQ: curl -i -X GET https://keystone:35358/v2.0/users/jon-test -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: <redacted>"
INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone
DEBUG:urllib3.connectionpool:Setting read timeout to 600.0
DEBUG:urllib3.connectionpool:"GET /v2.0/users/jon-test HTTP/1.1" 403 131
DEBUG:keystoneclient.session:RESP:
DEBUG:keystoneclient.session:Request returned failure status: 403
You are not authorized to perform the requested action: admin_required (HTTP 403)

Am I tweaking the wrong rules or is something deeper in my way?

Thanks,
-Jon

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
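The following is an added example and is not code from the thread or from Keystone. It is a small evaluator for the subset of oslo.policy rule syntax used in the policy.json above (`rule:`, `role:`, `key:%(attr)s`, `and`, `or`), so the rules can be checked offline against constructed token credentials. Two things it makes visible: the posted `admin_or_proj_admin` rule refers back to itself (its second operand should be `rule:project_admin`), and a request that goes through the v2.0 API is checked by `assert_admin()`, which enforces only the stock `admin_required` rule rather than the `identity:*` rules, which matches the `admin_required` 403 in the debug output. The `admin_required` definition is the stock one from the Kilo policy.json; the user, role and project ID values are constructed for the example, and `v2_allowed()` is a model of the v2.0 behaviour, not Keystone code.

```python
"""Offline check of a few oslo.policy-style rules (added example, not Keystone code)."""
import re


class PolicyError(Exception):
    """Raised for a rule that is undefined or that refers back to itself."""


# Rules as posted in the thread, plus the stock admin_required rule they rely on.
POSTED_RULES = {
    "admin_required": "role:admin or is_admin:1",
    "project_admin": "project_id:%(project_id)s and role:project_admin",
    # As posted: the second operand names this rule itself instead of project_admin.
    "admin_or_proj_admin": "rule:admin_required or rule:admin_or_proj_admin",
    "identity:get_user": "rule:admin_or_proj_admin",
    "identity:create_grant": "rule:admin_or_proj_admin",
}

# Same rule set with admin_or_proj_admin pointing at project_admin.
FIXED_RULES = dict(
    POSTED_RULES,
    admin_or_proj_admin="rule:admin_required or rule:project_admin",
)


def _check(term, rules, creds, target, stack):
    """Evaluate one 'kind:match' term the way oslo.policy's checks do."""
    kind, _, match = term.partition(":")
    if kind == "rule":
        return evaluate(match, rules, creds, target, stack)
    if kind == "role":
        return match in creds.get("roles", [])
    # Generic check: substitute %(attr)s from the target, compare with creds[kind].
    try:
        match = match % target
    except KeyError:
        return False
    return kind in creds and str(creds[kind]) == match


def evaluate(rule, rules, creds, target, stack=()):
    """Evaluate a named rule. 'and' binds tighter than 'or', as in oslo.policy."""
    if rule in stack:
        raise PolicyError("rule %r refers to itself: %s"
                          % (rule, " -> ".join(stack + (rule,))))
    if rule not in rules:
        raise PolicyError("undefined rule %r" % rule)
    stack = stack + (rule,)
    for disjunct in re.split(r"\s+or\s+", rules[rule]):
        terms = re.split(r"\s+and\s+", disjunct)
        if all(_check(t, rules, creds, target, stack) for t in terms):
            return True
    return False


def creds_for(user_id, roles, project_id):
    """Constructed credentials: what the enforcer sees for a validated scoped token."""
    return {"user_id": user_id, "roles": list(roles), "project_id": project_id}


def v3_allowed(action, creds, target, rules=FIXED_RULES):
    """v3 API path: the identity:* rule for the action is enforced."""
    return evaluate(action, rules, creds, target)


def v2_allowed(creds, rules=FIXED_RULES):
    """Model of the v2.0 path: assert_admin() enforces only 'admin_required'."""
    return evaluate("admin_required", rules, creds, {})


if __name__ == "__main__":
    # Constructed IDs; 'jon' holds project_admin in project test-group.
    jon = creds_for("jon", ["project_admin", "_member_"], "test-group-id")
    target = {"project_id": "test-group-id"}
    try:
        evaluate("identity:get_user", POSTED_RULES, jon, target)
    except PolicyError as err:
        print("posted rules:", err)
    print("fixed rules, v3 identity:get_user:",
          v3_allowed("identity:get_user", jon, target))
    print("fixed rules, v2.0 request:", v2_allowed(jon))
```

Running it shows the posted rule set failing on the self-reference, the corrected set granting `identity:get_user` to jon only when the target project matches his token's project, and the v2.0 path denying him regardless, because he has no `admin` role. The practical consequence is that a scoped project_admin role of this kind can only work through the v3 API (`openstack` client or `--os-identity-api-version 3`), and the policy should be tested with a token scoped to the right project.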
