Ask Your Question

Not authorized to list projects with keystone v3?

asked 2015-07-06 00:49:44 -0600

Joe gravatar image

I set up keystone v3, and then created a domain dom1, a user adm1 and grant this user to admin role. Authenticate this user with domain scope. Then create a project under dom1. I tried to list projects with the same token that created the project. All I got is "You are not authorized to perform the requested action: identity:list_projects".

If I take out the rule domain_id:%(domain_id)s in policy.v3cloudsample.json for "identity:list_projects", everything works well.

Why cannot I list projects with the rule domain_id:%(domain_id)s? Thanks.

edit retag flag offensive close merge delete

2 answers

Sort by ยป oldest newest most voted

answered 2015-08-06 03:34:46 -0600

Joe gravatar image

According to OpenStack API document, the API URL of listing projects must be filtered with domain ID. So in policy,json, domain_id:%(domain_id)s of identity:list_projects means the domain ID in URL filter must be equal to the domain ID that the token is scoped.

edit flag offensive delete link more


To expand on this, since I just got hung up on the same issue; if you're using the OSC CLI, "openstack project list" will fail for a domain-admin, but "openstack project list --domain <domain_id>" should work, because it creates a filter with domain ID matching the admin role assignment.

Dseven gravatar imageDseven ( 2016-08-03 14:49:00 -0600 )edit

answered 2015-07-06 10:24:24 -0600

Did you replace domain_id in "domain_id:%(domain_id)s" rule with a valid domain+id ? I believe you haven't done that. list_projects is allowed only for "cloud_admin" as per that policy file.

In first case, since the token's domain_id doesn't match the domain_id in the rule, it throws authorization error.

In the second case, If you remove that entry, then cloud_admin is anyone who has "admin" role. Since your user has "admin" role it works.

edit flag offensive delete link more


I replaced domain_id with a valid domain id, and it worked. How do I interpret domain_id:%(domain_id)s? Thanks.

Joe gravatar imageJoe ( 2015-07-07 02:04:40 -0600 )edit

@Joe, did it ever worked for you??

bickyii gravatar imagebickyii ( 2015-10-05 11:59:43 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2015-07-06 00:49:44 -0600

Seen: 3,604 times

Last updated: Aug 06 '15