Project specific admin unable to list users or use horizon

asked 2016-10-28 10:41:49 -0600

theque42

I've now tried everything I can in my Mitaka installation to create a project-specific admin user.

I have the default domain and the admin user there, and he's capable of managing everything. (Although I had to use the admin_project_name setting in keystone.conf to get it to work. It does NOT work with just updating the domain-version of policy.json to have the "cloud_admin" rule with the default domain id that I use for domain-wide admin. Maybe the default domain is not allowed for this?)

Anyway. I've created a separate Cloud1 domain, with a student1 user, and an "admin1" user. The admin1 user has the admin role on the StackLab project, belonging to domain Cloud1.

[root@ctrl ~(admin)]# openstack domain list
| ID                               | Name    | Enabled | Description              |
| 9be0c728dfa34a7e90efa0863bf1c7ad | Cloud1  | True    |                          |
| default                          | Default | True    | The default domain       |
| f0c0c7998c40494790af7bcd1928e658 | heat    | True    | Stack projects and users |
[root@ctrl ~(admin)]# openstack project list | grep StackLab1
| 67c057142c2b4dfb834fd08266d2b9ce | StackLab1 |
[root@ctrl ~(admin)]# openstack role list | grep "admin|user"
| 08409e0f623642c1a56a8a759546d4f2 | user             |
| 3fc27525b7f34fe3a211e5e4e0fbaab5 | heat_stack_user  |
| b05f6fad45e8403aa4f321e6622897d4 | admin            |
[root@ctrl ~(admin)]# openstack role assignment list --user admin1
| Role                             | User                             | Group | Project                          | Domain | Inherited |
| 08409e0f623642c1a56a8a759546d4f2 | 5377c82f65244de28708cd1b40d1cbd7 |       | 67c057142c2b4dfb834fd08266d2b9ce |        | False     |
| b05f6fad45e8403aa4f321e6622897d4 | 5377c82f65244de28708cd1b40d1cbd7 |       | 67c057142c2b4dfb834fd08266d2b9ce |        | False     |
[root@ctrl ~(admin)]# cat /root/admin1.rc
export OS_PROJECT_NAME=StackLab1
export OS_USERNAME=admin1
export OS_PASSWORD=admin1
export OS_AUTH_URL=
[root@ctrl ~(admin)]# . /root/admin1.rc
[root@ctrl ~(admin1)]# openstack user list
You are not authorized to perform the requested action: identity:list_users (HTTP 403) (Request-ID: req-31a03d54-b84f-481b-98ae-c054cf9e9e20)
[root@ctrl ~(admin1)]# grep "identity:list_users|admin_and_matching_domain_id\":|cloud_admin\":" /etc/keystone/policy.json
    "cloud_admin": "role:admin and (token.is_admin_project:True or domain_id:default)",
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
    "identity:list_users_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
[root@ctrl ~(admin1)]#

I have even used tcpdump on :35357 and checked that the token that openstack CLI is receiving says:

HTTP/1.1 201 Created.
Date: Fri, 28 Oct 2016 15:11:21 GMT.
Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5.
X-Subject-Token: gAAAAABYE2qZ61mmocCgfwNl9Ct0jxE6z34b22Kwg_HPX5skFgwyxbWazfmrYGzkmry2WwI0322S2SUySnJIr23LPetFkPo0P4Q05ppasvStBKVJsYEKKGm3yHG1MNe9BmvxbqCW_-0KUHVXaX5o2JySX11XNOzeCD6jthtN8qDPK-XfUMT1H1o.
Vary: X-Auth-Token.
x-openstack-request-id: req-123cb4c0-0864-4c87-9ac8-6c39b8d0a947.
Content-Length: 7306.
Keep-Alive: timeout=5, max=98.
Connection: Keep-Alive.
Content-Type: application/json.
    "token": {
        "methods": ["password"],
        "roles": [{
                "id": "b05f6fad45e8403aa4f321e6622897d4",
                "name": "admin"
            }, {
                "id": "08409e0f623642c1a56a8a759546d4f2",
                "name": "user"
        "expires_at": "2016-10-28T16:11:21.252914Z",
        "project": {
            "domain": {
                "id": "9be0c728dfa34a7e90efa0863bf1c7ad",
                "name": "Cloud1"
            "id": "67c057142c2b4dfb834fd08266d2b9ce",
            "name": "StackLab1"
        "user": {
            "domain": {
                "id": "9be0c728dfa34a7e90efa0863bf1c7ad",
                "name": "Cloud1"
            "id": "5377c82f65244de28708cd1b40d1cbd7",
            "name": "admin1"
        "audit_ids": ["GdcWpJ5RRF2CAscZdqIxVg"],
        "issued_at": "2016-10-28T15:11:21.000000Z"

Which to me implies that I have a token scoped to my project, WITH admin role. Using Horizon allows the admin user to log in, but he can't see s**t, since he's not allowed to list projects or users, or anything it seems...

What is missing?!?!?! Why is the information on creating different domain/project specific admins so...sparse!?

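The 403 in the question comes down to how Keystone's policy engine (oslo.policy) matches the three quoted rules against the credentials of the token that was presented. What follows is an added example, not code from the question and not Keystone or oslo.policy code: a small model evaluator for exactly the rule syntax shown in the quoted policy.json (role:, rule:, key:value checks with dotted keys, %(field)s substitution from the target, and/or, parentheses), run against constructed credential dictionaries. The credential shape (roles, project_id, domain_id, token.is_admin_project), the admin_required rule, the way a --domain filter becomes the policy target, and the scenario in which admin1 also holds the admin role on the Cloud1 domain are all assumptions of the example.

```python
"""Added example: a model of how Keystone evaluates the quoted policy.json
rules against a token's credentials.  Not oslo.policy, not keystone code."""
import re

# The rules as quoted from /etc/keystone/policy.json on the page, plus
# admin_required, assumed here to be role:admin as in the v3 sample policy.
POLICY = {
    "admin_required": "role:admin",
    "cloud_admin": "role:admin and (token.is_admin_project:True or domain_id:default)",
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
}

# Tokens are parentheses or runs of non-space characters; a %(name)s
# placeholder is kept whole so its own parentheses do not split the atom.
_TOKEN_RE = re.compile(r"\(|\)|(?:%\([^)]*\)s|[^\s()])+")

CLOUD1 = "9be0c728dfa34a7e90efa0863bf1c7ad"      # domain id from the page
STACKLAB1 = "67c057142c2b4dfb834fd08266d2b9ce"   # project id from the page

# Assumed credential shapes (constructed): a project-scoped token carries
# project_id but no domain_id; a domain-scoped token carries domain_id.
# token.is_admin_project is False unless the project is the one named by
# admin_project_name / admin_project_domain_name in keystone.conf.
PROJECT_SCOPED_ADMIN1 = {"roles": ["admin", "user"], "project_id": STACKLAB1,
                         "token": {"is_admin_project": False}}
DOMAIN_SCOPED_ADMIN1 = {"roles": ["admin"], "domain_id": CLOUD1,   # assumes admin on domain Cloud1
                        "token": {"is_admin_project": False}}
DEFAULT_DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "default",
                        "token": {"is_admin_project": False}}

def _lookup(creds, dotted):
    """Resolve a dotted key such as token.is_admin_project; None if absent."""
    cur = creds
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def _atom(atom, creds, target):
    kind, _, match = atom.partition(":")
    try:
        match = match % target          # fill %(domain_id)s from the target
    except KeyError:
        return False                    # target has no such field: check fails
    if kind == "rule":
        return enforce(match, creds, target)
    if kind == "role":
        return match in creds.get("roles", [])
    value = _lookup(creds, kind)        # generic key:value comparison
    return value is not None and str(value) == match

def _parse_or(toks, i, creds, target):
    val, i = _parse_and(toks, i, creds, target)
    while i < len(toks) and toks[i] == "or":
        rhs, i = _parse_and(toks, i + 1, creds, target)
        val = val or rhs
    return val, i

def _parse_and(toks, i, creds, target):
    val, i = _parse_unary(toks, i, creds, target)
    while i < len(toks) and toks[i] == "and":
        rhs, i = _parse_unary(toks, i + 1, creds, target)
        val = val and rhs
    return val, i

def _parse_unary(toks, i, creds, target):
    if toks[i] == "(":
        val, i = _parse_or(toks, i + 1, creds, target)
        if i >= len(toks) or toks[i] != ")":
            raise ValueError("unbalanced parentheses")
        return val, i + 1
    return _atom(toks[i], creds, target), i + 1

def enforce(rule_name, creds, target=None):
    """True when creds satisfy POLICY[rule_name] against target (200 vs 403)."""
    toks = _TOKEN_RE.findall(POLICY[rule_name])
    val, i = _parse_or(toks, 0, creds, target or {})
    if i != len(toks):
        raise ValueError("trailing tokens in rule %r" % rule_name)
    return val

def list_users_allowed(creds, domain_filter=None):
    """Model 'openstack user list [--domain X]': the filter becomes the target."""
    target = {"domain_id": domain_filter} if domain_filter else {}
    return enforce("identity:list_users", creds, target)

if __name__ == "__main__":
    print("project-scoped admin1, no filter:", list_users_allowed(PROJECT_SCOPED_ADMIN1))
    print("project-scoped admin1, --domain :", list_users_allowed(PROJECT_SCOPED_ADMIN1, CLOUD1))
    print("domain-scoped admin1, --domain  :", list_users_allowed(DOMAIN_SCOPED_ADMIN1, CLOUD1))
    print("default-domain admin            :", list_users_allowed(DEFAULT_DOMAIN_ADMIN))
```

Run as-is it prints the four cases. What the model makes visible is that admin_and_matching_domain_id compares the token's own domain_id with the domain in the target, and a project-scoped token has no domain_id to compare, so with the rules as quoted the deciding factor is the token's scope, not which roles it carries; likewise domain_id:default in cloud_admin only matches a token scoped to the default domain. For a defender this is the check worth keeping in mind when reviewing policy.json: a rule that names a domain_id grants nothing to project-scoped tokens, whatever roles they hold.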