I have set up my OpenStack environment with V3 Keystone domains enabled after reading a few blogs (notably this one: http://www.florentflament.com/blog/setting-keystone-v3-domains.html). I am not able to get the list of projects in a given domain when querying as the domain admin.

Below are the steps I followed:

1. I created an admin domain and added the ID of the domain to my new policy.json file (which is a copy of the latest policy.v3cloudsample.json):

    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:43eebba390b64b86ad073f690f76ee7f",
    "service_role": "role:service",....

2. Restarted keystone.

3. I went ahead and created a new domain: dom1. I created a new user (admin1) for that domain and assigned the admin role to that user. admin1 is now supposed to be the domain admin for dom1. I logged in as admin1 with scope set to the domain id of dom1 and have a valid token as well. The body of the POST request was as follows:

    {
      "auth": {
        "identity": {
          "methods": [ "password" ],
          "password": {
            "user": {
              "domain": { "id": "6a530272037f4672b41e5be12b2d1670" },
              "name": "admin1",
              "password": "admin123"
            }
          }
        },
        "scope": {
          "domain": { "id": "6a530272037f4672b41e5be12b2d1670" }
        }
      }
    }

4. I then created two projects in the domain dom1.

5. Now when I try to get a list of all the projects in that domain using the HTTP GET /keystone/v3/projects API call (and passing the admin1 login token), I get a 403 error with the following response:

    {
      "error": {
        "code": 403,
        "message": "You are not authorized to perform the requested action: identity:list_projects",
        "title": "Forbidden"
      }
    }

What am I missing? Would really appreciate any pointers...

Regards,
-Deep.
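Added example, not part of the original post: a sketch of how the rules quoted in step 1 evaluate against admin1's domain-scoped token. The `identity:list_projects` and `admin_and_matching_domain_id` rules are assumed to match policy.v3cloudsample.json (the post does not quote them), and the evaluator and the `list_projects_allowed` helper are hypothetical simplifications, not Keystone's own code.

```python
# Added sketch: simplified stand-in for Keystone's policy engine
# (handles "and"/"or" only, no "not" or parentheses).
CLOUD_DOMAIN = "43eebba390b64b86ad073f690f76ee7f"  # admin domain id from step 1
DOM1 = "6a530272037f4672b41e5be12b2d1670"          # dom1 id from the auth request

RULES = {
    # Quoted in the post:
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:" + CLOUD_DOMAIN,
    # Assumed to match policy.v3cloudsample.json; not quoted in the post:
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
}

def _atom(atom, creds, target):
    """Evaluate one check: rule:<name>, role:<name>, or <cred key>:<value>."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return check(RULES[value], creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    try:
        expected = value % target  # fills %(domain_id)s from the request target
    except KeyError:
        return False               # target attribute missing, so the check fails
    return creds.get(kind) == expected

def check(expr, creds, target):
    """'and' binds tighter than 'or': any clause whose checks all pass."""
    return any(all(_atom(a.strip(), creds, target) for a in clause.split(" and "))
               for clause in expr.split(" or "))

def list_projects_allowed(creds, query):
    # Assumption: the target of a list call is built from its query-string filters.
    return check(RULES["identity:list_projects"], creds, dict(query))

# Constructed credentials: what admin1's dom1-scoped token would carry.
ADMIN1 = {"roles": ["admin"], "domain_id": DOM1}

if __name__ == "__main__":
    print("cloud_admin:", check(RULES["cloud_admin"], ADMIN1, {}))
    print("GET /v3/projects:", list_projects_allowed(ADMIN1, {}))
    print("GET /v3/projects?domain_id=<dom1>:",
          list_projects_allowed(ADMIN1, {"domain_id": DOM1}))
```

Under these assumptions the unfiltered list call is denied for admin1 because neither `cloud_admin` nor the domain-matching rule can be satisfied, while the same call filtered by dom1's id passes.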
