Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

Can't create project inside newly created domain

Hello,

I've created second domain named "second" and user "second" which have admin role in new domain.

$ openstack role assignment list --user 2ed4cfaa37be4c48aec75f45d3cf7cdd --project-domain second --names
+-------+---------------+-------+--------------+--------+-----------+
| Role  | User          | Group | Project      | Domain | Inherited |
+-------+---------------+-------+--------------+--------+-----------+
| admin | second@second |       | test1@second |        | False     |
| admin | second@second |       |              | second | False     |
+-------+---------------+-------+--------------+--------+-----------+

I'm using devstack based on Queens release and python-openstackclient(3.15.0)

This is my environment variables:

$ env | grep OS_
OS_PROJECT_DOMAIN_ID=460383fc9c744ab085c5d6a7eb1e998f
OS_REGION_NAME=RegionOne
OS_USER_DOMAIN_ID=460383fc9c744ab085c5d6a7eb1e998f
OS_PROJECT_NAME=test1
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=***
OS_AUTH_TYPE=password
OS_AUTH_URL=http://<my_ip>/identity/v3
OS_USERNAME=second
OS_TENANT_NAME=test1
OS_VOLUME_API_VERSION=2

But inside newly created domain I can't create new project using user 'second'(i can only list projects)

$ openstack project list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 38d524581ac04832adaa2936c64e2fd6 | test1 |
+----------------------------------+-------+

$ openstack project create test2
You are not authorized to perform the requested action: identity:create_project. (HTTP 403) (Request-ID: req-a760065a-1e79-4276-bc04-8d893f737f30)

I'm using this policy rules: https://raw.githubusercontent.com/openstack/keystone/master/etc/policy.v3cloudsample.json

Could someone help me with this? I would be very grateful. I'm trying to fix this for few days but it doesn't bring any results :/