New role and Group link on Dashboard
Hello,
I have been struggling with this problem for 2 weeks. I am using updated OpenStack Havana on Ubuntu 12.04 LTS. The dashboard and controller services are installed on different servers. The controller server has the keystone, nova, etc. services. The dashboard is installed standalone. I created a role "manager" in keystone, added this role to the policy.json file and gave it permission to manage groups (after some tests, I gave it almost all identity permissions). On the dashboard server, I wanted to create a Groups link on the Project dashboard. In order to see this link, I copied the /usr/share/openstack-dashboard/openstack_dashboard/dashboards/admin/groups folder to /usr/share/openstack-dashboard/openstack_dashboard/dashboards/project/groups. I changed all links that were defined for the admin dashboard to the project dashboard in the groups folder files. I defined a new panel in the Project Dashboard.py file. Now I can see the Groups link on the Project dashboard just below. In addition, I defined permission = ("openstack.role.manager") in the newly created groups panel because I want to enable this link just for the manager role.
My problem is that if a user has admin rights, this Groups link works OK. If I give a user manager rights, the Groups link can be seen on the first login, but when I click the Groups link I get this error:
I tried to change keystone_policy.json on the dashboard (same as keystone's policy.json). I tried to debug all the logs but I cannot see any error on the permission side. There is no error in the Keystone server debug output. I checked the apache logs for dashboard errors, but nothing is wrong. Somehow the dashboard does not allow a manager role user to get into the newly created groups page.
I have these logs in my apache2/error.log:
[Fri Feb 14 08:39:36 2014] [error] REQ: curl -i -X POST http://controller:5000/v3/auth/tokens -H "Content-Type: application/json" -H "User-Agent: python-keystoneclient"
[Fri Feb 14 08:39:36 2014] [error] REQ BODY: {"auth": {"identity": {"methods": ["password"], "password": {"user": {"domain": {"name": "Default"}, "name": "manageruser", "password": "xxxxx"}}}}}
[Fri Feb 14 08:39:36 2014] [error]
[Fri Feb 14 08:39:36 2014] [error] INFO:urllib3.connectionpool:Starting new HTTP connection (1): controller
[Fri Feb 14 08:39:36 2014] [error] DEBUG:urllib3.connectionpool:"POST /v3/auth/tokens HTTP/1.1" 201 6525
[Fri Feb 14 08:39:36 2014] [error] RESP: [201] CaseInsensitiveDict({'x-subject-token': xxxxxxxxx
[Fri Feb 14 08:39:36 2014] [error] RESP BODY: {"token": {"methods": ["password"], "roles": [{"id": "01c89d36a1a9494fa6ed727811495622", "name": "manager"}], "expires_at": "2014-02-15T08:39:23.790554Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "bbdb7287964f4a26bc749d9ddecb4f55", "name": "testproject"}, "catalog": [{"endpoints": [{"url": "http://controller:5000/v2.0", "region": "regionOne", "legacy_endpoint_id": "fd13966eaa294b1595a18661c78c3de8", "interface": "public", "id": "26b339849c2a4e79b605a2f2d42c2d33"}, {"url": "http://controller:35357/v2.0", "region": "regionOne", "legacy_endpoint_id": "fd13966eaa294b1595a18661c78c3de8", "interface": "admin", "id": "7c530920742946a99cf2a71ad9503e7a"}, {"url": "http://controller:5000/v2.0", "region": "regionOne", "legacy_endpoint_id": "fd13966eaa294b1595a18661c78c3de8", "interface": "internal", "id": "c97bf6ff3d144bedb37825868e767596"}], "type": "identity", "id": "1778da57d7834612ae44f13d9c91ae55"}, {"endpoints": [{"url": "http://controller:8776/v2/bbdb7287964f4a26bc749d9ddecb4f55", "region": "regionOne", "legacy_endpoint_id": "de5975f4de414b718ede8a48ad4094d1", "interface": "admin", "id": "545990b1dc624d0e9e90ee95eb102518"}, {"url": "http://controller:8776/v2/bbdb7287964f4a26bc749d9ddecb4f55", "region": "regionOne", "legacy_endpoint_id": "de5975f4de414b718ede8a48ad4094d1", "interface": "public", "id": "b64a6400851b4ec1bd9c598336fad2a2 ...
I am not seeing this link "Groups" at all except in the Admin tab under "identity".
Yes, I added it there by copying from the admin dashboard.
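An added example, not part of the original thread or of Horizon's own code: a sketch of how the role names in a Keystone token map to the permission strings that a panel's permission list is checked against. It assumes django_openstack_auth's naming (`openstack.roles.<name>` and `openstack.services.<type>`, lower-cased); the token is a constructed, trimmed copy of the RESP BODY in the log above, and the function names are hypothetical.

```python
import json

# Constructed sample: trimmed from the RESP BODY in the apache log above
# (role list kept as logged, catalog reduced to one entry without endpoints).
TOKEN_BODY = json.loads("""
{"token": {"methods": ["password"],
           "roles": [{"id": "01c89d36a1a9494fa6ed727811495622", "name": "manager"}],
           "project": {"id": "bbdb7287964f4a26bc749d9ddecb4f55", "name": "testproject"},
           "catalog": [{"type": "identity", "endpoints": []}]}}
""")


def horizon_permissions(token_body):
    """Build the permission strings granted by a token.

    Assumed to mirror django_openstack_auth: one 'openstack.roles.<name>'
    per role and one 'openstack.services.<type>' per catalog entry.
    """
    token = token_body["token"]
    perms = set("openstack.roles.%s" % role["name"].lower()
                for role in token.get("roles", []))
    perms |= set("openstack.services.%s" % svc["type"].lower()
                 for svc in token.get("catalog", []))
    return perms


def unmet_permissions(panel_permissions, granted):
    """Return the panel's required permission strings the token does not grant.

    An empty list means the panel check passes; every listed string is required.
    """
    return [perm for perm in panel_permissions if perm not in granted]


if __name__ == "__main__":
    granted = horizon_permissions(TOKEN_BODY)
    print("granted:", sorted(granted))
    # The string as written in the post, and the string derived from the token.
    for required in (("openstack.role.manager",), ("openstack.roles.manager",)):
        print(required, "-> unmet:", unmet_permissions(required, granted))
```

The panel check is separate from Keystone's policy.json: the first decides whether the dashboard serves the page, the second whether Keystone accepts the API calls the page then makes.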