Assign a role to only list users keystone policy.json

asked 2015-03-03 09:30:59 -0600

JonasH

I would like to create a role that has special permission to list users, but should not be admin. Running OpenStack Icehouse.

I am trying to modify the keystone policy.json and tried different settings, e.g.

"identity:list_users": "role:tokenadmin", and "admin_or_tokenadm": "rule:admin_required or role:tokenadmin",

and then "identity:list_users": "rule:admin_or_tokenadm",

But a user with the tokenadmin role gets

You are not authorized to perform the requested action, admin_required. (HTTP 403) when trying to run keystone user-list

Is this possible?


1 answer


answered 2015-03-03 12:56:32 -0600

If you want to define/use roles, you need to use the keystone v3 APIs. If you plan to use the keystone v3 API, you should start using the openstack client and not the keystone command line client, as it doesn't support the v3 APIs.

BTW, changing the line identity:list_users has an effect only in keystone v3.



Okay, but what if we want a custom Horizon dashboard that lists users, sort of the same way as the identity panel does? Does Horizon then need to work with the keystone v3 API?

JonasH (2015-03-03 13:20:04 -0600)
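
Added example, not part of the original thread and not Keystone's own code: a simplified evaluator for the rule syntax used in the question, showing that a user holding only tokenadmin passes `identity:list_users` but fails a check against `admin_required`, the rule named in the 403. The `admin_required` definition, the `check`/`enforce` helpers and the sample credentials are assumptions constructed for illustration.

```python
import json

# Constructed policy fragment: the two rules from the question plus an
# admin_required rule (assumed here to be "role:admin or is_admin:1").
POLICY = json.loads("""
{
    "admin_required": "role:admin or is_admin:1",
    "admin_or_tokenadm": "rule:admin_required or role:tokenadmin",
    "identity:list_users": "rule:admin_or_tokenadm"
}
""")


def check(expr, creds, policy, seen=()):
    """Evaluate a rule string made of 'kind:match' checks joined by and/or."""
    # 'or' binds loosest, then 'and'; parentheses and 'not' are not handled.
    return any(
        all(_atom(a.strip(), creds, policy, seen) for a in term.split(" and "))
        for term in expr.split(" or ")
    )


def _atom(atom, creds, policy, seen):
    kind, _, match = atom.partition(":")
    if kind == "rule":
        # Unknown or self-referencing rules fail closed.
        if match not in policy or match in seen:
            return False
        return check(policy[match], creds, policy, seen + (match,))
    if kind == "role":
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    # Generic check such as is_admin:1, compared as strings.
    return str(creds.get(kind)) == match if kind in creds else False


def enforce(action, creds, policy=POLICY):
    """Return True if creds satisfy the rule named by action (deny if absent)."""
    return action in policy and check(policy[action], creds, policy)


if __name__ == "__main__":
    # Constructed credentials for a user who holds only the custom role.
    tokenadmin = {"roles": ["tokenadmin"], "is_admin": 0}
    for action in ("identity:list_users", "admin_required"):
        print(action, "->", "allow" if enforce(action, tokenadmin) else "403")
```

If the API path being called is checked against `admin_required` rather than `identity:list_users`, editing the latter cannot change the outcome for this user.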

Asked: 2015-03-03 09:30:59 -0600

Seen: 564 times

Last updated: Mar 03 '15