How to list users via Python API as domain admin

asked 2019-08-30 14:16:41 -0600

Josh Fuhs

updated 2019-08-30 15:14:55 -0600

I'm running OpenStack Stein installed via conjure-up on a virtual MAAS cluster.

When I connect to OpenStack via the Python API as a domain administrator, I'm unable to list users in the domain with the following:

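```python
# The session must be passed by keyword: the second positional
# parameter of keystoneclient.client.Client is `unstable`.
keystone = keystoneclient.client.Client( "3.0", session=session )

domain_users = keystone.users.list( domain=admin_domain )
```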

This results in:

```
keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the requested action: identity:list_users. (HTTP 403)
```

As a system admin, the domain admin was created with:

```python
import keystoneclient.client

session = ...  # Standard session setup (placeholder for a keystoneauth1 session)
new_user_domain = "<choose-your-domain>"
new_username = "<choose-your-username>"
new_password = "<choose-your-password>"

# Pass the session by keyword; the second positional parameter is `unstable`.
keystone = keystoneclient.client.Client( "3.0", session=session )

# Convert domain name to domain ID
new_user_domain_id = keystone.domains.list( name=new_user_domain )[0].id

# Look up the domain's "admin" project and the roles to grant
admin_project = keystone.projects.list( domain=new_user_domain_id, name="admin" )[0].id

admin_role = keystone.roles.list( name="admin" )[0]
member_role = keystone.roles.list( name="member" )[0]

new_user = keystone.users.create( new_username, new_user_domain_id, password=new_password )

# Grant admin on the domain, plus admin and member on the admin project
keystone.roles.grant( admin_role, user=new_user, domain=new_user_domain_id )
keystone.roles.grant( admin_role, user=new_user, project=admin_project )
keystone.roles.grant( member_role, user=new_user, project=admin_project )
```


It turns out that the session setup which I thought wasn't relevant to the problem is very relevant. To do domain administrator activities in the default conjure-up setup, you need a domain-scoped token, _not_ a project-scoped token. I'll write up an answer to this shortly.

Josh Fuhs ( 2019-09-05 07:13:01 -0600 )
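The scope distinction raised in the comment above, as an added example that is not code from the original post: the same `keystoneauth1.identity.v3.Password` credentials yield a project-scoped or a domain-scoped token depending on which scope arguments are supplied. The helper names, the endpoint URL, the user and domain names, and the trimmed token bodies are constructed for illustration.

```python
# Added example: project-scoped vs. domain-scoped Keystone v3 password auth.
# All URLs, user names and domain names below are constructed placeholders.

def password_auth_kwargs(auth_url, username, password, user_domain,
                         *, domain=None, project=None):
    """Build kwargs for keystoneauth1.identity.v3.Password with ONE scope."""
    if (domain is None) == (project is None):
        raise ValueError("choose exactly one scope: domain or project")
    kwargs = {
        "auth_url": auth_url,
        "username": username,
        "password": password,
        "user_domain_name": user_domain,
    }
    if domain is not None:
        kwargs["domain_name"] = domain  # token scoped to the domain itself
    else:
        kwargs["project_name"] = project  # token scoped to one project
        kwargs["project_domain_name"] = user_domain  # assumption: same domain
    return kwargs


def token_scope(body):
    """Classify a Keystone v3 token response body by the scope it carries."""
    token = body.get("token", body)
    for kind in ("system", "domain", "project"):
        if kind in token:
            return kind
    return "unscoped"


def make_session(**kwargs):
    """Create a keystoneauth1 session; imported lazily so helpers run offline."""
    from keystoneauth1 import session
    from keystoneauth1.identity import v3
    return session.Session(auth=v3.Password(**password_auth_kwargs(**kwargs)))


if __name__ == "__main__":
    common = ("https://keystone.example.test:5000/v3", "dom-admin", "secret", "acme")
    print(password_auth_kwargs(*common, project="admin"))  # project-scoped
    print(password_auth_kwargs(*common, domain="acme"))    # domain-scoped
    # Constructed token bodies, trimmed to the fields that indicate scope.
    print(token_scope({"token": {"user": {}, "project": {"name": "admin"}}}))
    print(token_scope({"token": {"user": {}, "domain": {"name": "acme"}}}))
```

On a live session, `session.auth.get_access(session).domain_scoped` reports the same property for the token actually issued.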