
By default, you need to be an admin in order to run this command. You can either use the ADMIN_TOKEN as you did or authenticate with keystone with the admin username/tenant/password.

From my devstack:

ubuntu@devstack:/opt/stack/keystone$ keystone --os-username=demo --os-tenant-name=demo --os-password=d user-list
You are not authorized to perform the requested action, admin_required. (HTTP 403)
ubuntu@devstack:/opt/stack/keystone$ keystone --os-username=admin --os-tenant-name=admin --os-password=d user-list
+----------------------------------+----------------------+---------+----------------------------------+
|                id                |         name         | enabled |              email               |
+----------------------------------+----------------------+---------+----------------------------------+
| 5b3aae966ee94c5c8d23825e55a429c9 | VPNaaSJSON-226252333 |   True  | VPNaaSJSON-928312134@example.com |
| 42a8a9caebff42019e34ffddf070dd04 |        admin         |   True  |        admin@example.com         |
| f9044c3388804c26ad14ed6206ac9e58 |       alt_demo       |   True  |       alt_demo@example.com       |
| 504e7d1fda744487844f162c355ee22d |        cinder        |   True  |        cinder@example.com        |
| d7bd8045433e49d4aefb0f293b17d067 |         demo         |   True  |         demo@example.com         |
| 4f3aa1ddb28d48fd8b371a35524a392e |        glance        |   True  |        glance@example.com        |
| f61019fc5d984f3a93506d625254d25c |     glance-swift     |   True  |     glance-swift@example.com     |
| 2f524de4fb584e269578ea76dd5d1168 |       neutron        |   True  |       neutron@example.com        |
| 1d4712a6668f456689c143699e52ef3f |         nova         |   True  |         nova@example.com         |
| 84f511f42e7b4b859c72837c6b204d97 |        swift         |   True  |        swift@example.com         |
| 14df1f91844c4b6e85fbad0abea2f1c5 |    swiftusertest1    |   True  |         test@example.com         |
| 20a622e5e95e4081a764ec7ad1c088e3 |    swiftusertest2    |   True  |        test2@example.com         |
| 81a98da4a04243fe8d3f1a3e2a35aa87 |    swiftusertest3    |   True  |        test3@example.com         |
+----------------------------------+----------------------+---------+----------------------------------+

You can set this policy by modifying the file etc/policy.json. From my devstack:

ubuntu@devstack:/opt/stack/keystone$ grep list_users etc/policy.json
"identity:list_users": "rule:admin_required",
"identity:list_users_in_group": "rule:admin_required",
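
To see which identity actions a given policy.json leaves reachable without the admin role, the file can be checked mechanically. The following is an added example, not part of the original answer or of keystone itself: the sample policy is constructed (only the two list_users lines come from the grep output above), rules are assumed to be in string form, and the classification is a heuristic that flags anything it cannot prove admin-only for manual review.

```python
import json
import re

# Constructed sample in the style of keystone's etc/policy.json; only the two
# list_users entries come from the page, the other entries are assumptions.
SAMPLE_POLICY = """
{
    "admin_required": "role:admin or is_admin:1",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
    "identity:list_users": "rule:admin_required",
    "identity:list_users_in_group": "rule:admin_required",
    "identity:get_user": "rule:admin_or_owner",
    "identity:list_groups": ""
}
"""

def expand(expr, rules, seen=()):
    """Inline every rule:NAME reference so the final checks are visible."""
    def sub(match):
        name = match.group(1)
        if name in seen or name not in rules:
            return "!"  # cyclic or undefined reference: treat as deny
        return "(" + expand(rules[name], rules, seen + (name,)) + ")"
    return re.sub(r"rule:([\w:.-]+)", sub, expr)

def classify(expr, rules):
    """Return 'open', 'admin_only' or 'mixed' for one policy expression."""
    flat = expand(expr, rules).strip()
    if flat in ("", "@"):
        return "open"  # empty rule or '@' lets any authenticated caller through
    if re.search(r"\bnot\b", flat):
        return "mixed"  # negation is not analysed here; review by hand
    checks = set(re.findall(r"[\w.]+:[^\s()]+", flat))
    if checks and checks <= {"role:admin", "is_admin:1"}:
        return "admin_only"
    return "mixed"  # some non-admin check can grant access; review by hand

def audit(policy_text, prefix="identity:"):
    """Classify every action under the given prefix in a policy.json string."""
    rules = json.loads(policy_text)
    return {k: classify(v, rules) for k, v in rules.items() if k.startswith(prefix)}

if __name__ == "__main__":
    for action, verdict in sorted(audit(SAMPLE_POLICY).items()):
        print(f"{verdict:10} {action}")
```

Running it against a real file means passing the contents of etc/policy.json to audit(); any action reported as open or mixed after a policy edit is one that a non-admin user such as demo may be able to call.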
