You have been subscribed to a public bug:

In my case:

I changed the identity API to v3:
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3

Create domain_admin:
openstack domain create domain1
openstack user create domain1_admin --domain domain1 --password xxxx
openstack project create domain1_admin --domain domain1
openstack role add --user domain1_admin --domain domain1 admin
openstack role add --user domain1_admin --project domain1_admin admin

And changed the policy file to policy.v3cloudsample.json:
https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json
cp policy.v3cloudsample.json /etc/keystone/policy.json

Use domain_admin to review the project list:
openstack project list --domain domain1
You are not authorized to perform the requested action: identity:list_projects (HTTP 403) (Request-ID: req-e68fc8ab-c723-49ca-a9f4-cbfa4594f514)

In debug mode, I found:
{"error": {"message": "You are not authorized to perform the requested action: identity:list_domains", "code": 403, "title": "Forbidden"}}

So I modified the policy:
"identity:list_domains": "rule:cloud_admin" >>> "identity:list_domains": "rule:admin_required"

And it worked.

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: keystoneclient policy
-- 
domain admin policy fail in keystonclient
https://bugs.launchpad.net/bugs/1553864
You received this bug notification because you are a member of Yahoo! 
Engineering Team, which is subscribed to OpenStack Identity (keystone).

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
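
Added example (not part of the bug report and not keystone or oslo.policy code): a simplified evaluator showing which token contexts pass identity:list_domains under rule:cloud_admin and under the rule:admin_required change described in the report. The rule bodies, credential names and IDs are assumptions constructed for illustration.

```python
# Added illustration, not keystone or oslo.policy code: a small subset of the
# rule syntax (rule:, role:, key:literal, flat and/or). The rule bodies are
# assumptions modelled on the cloud sample policy; compare with your policy.json.
POLICY_SAMPLE = {
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    "identity:list_domains": "rule:cloud_admin",
}
# Same policy with the one-line change described in the report.
POLICY_WORKAROUND = dict(POLICY_SAMPLE)
POLICY_WORKAROUND["identity:list_domains"] = "rule:admin_required"

# Constructed token contexts (all IDs are placeholders).
CREDS = {
    "cloud_admin": {"roles": ["admin"], "domain_id": "admin_domain_id"},
    "domain1_admin": {"roles": ["admin"], "domain_id": "domain1-id"},
    "project_admin": {"roles": ["admin"], "project_id": "project-id"},
    "member": {"roles": ["member"], "project_id": "project-id"},
}


def check(expr, policy, creds, depth=0):
    """Return True if the credentials satisfy the rule expression."""
    if depth > 20:
        raise ValueError("rule references nest too deeply (cycle?)")
    expr = expr.strip()
    if " or " in expr:
        return any(check(p, policy, creds, depth + 1) for p in expr.split(" or "))
    if " and " in expr:
        return all(check(p, policy, creds, depth + 1) for p in expr.split(" and "))
    kind, _, match = expr.partition(":")
    if kind == "rule":
        # An undefined rule fails closed.
        return match in policy and check(policy[match], policy, creds, depth + 1)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # Generic check: the named credential attribute must equal the literal.
    return kind in creds and str(creds[kind]) == match


def who_can(action, policy):
    """Names of the constructed credentials allowed to perform the action."""
    return sorted(n for n, c in CREDS.items() if check("rule:" + action, policy, c))


if __name__ == "__main__":
    for label, pol in (("sample", POLICY_SAMPLE), ("workaround", POLICY_WORKAROUND)):
        print(label, who_can("identity:list_domains", pol))
```

Under these assumed rules, the unmodified policy admits only the token scoped to the admin domain, while the changed rule admits every token carrying the admin role, including project-scoped ones.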