<div dir="ltr">I'd like to create a non-admin project and user that are able to do nova.images.list(), in a Queens install.  IIUC, all users should be able to do that.  I'm afraid I'm pretty lost and would appreciate any help.<div><br></div><div>Define a function to test whether a particular set of credentials can do nova.images.list():</div><div><br></div><div><div>from keystoneauth1 import identity</div><div>from keystoneauth1 import session</div><div>from novaclient.client import Client as NovaClient</div><div><br></div><div><div>def attemp(auth):</div><div>    sess = session.Session(auth=auth)</div><div>    nova = NovaClient(2, session=sess)</div><div>    for i in nova.images.list():</div><div>        print i</div></div><div><br></div><div>With an admin user, things work:</div><div><br></div><div><div>>>> auth_url = "<a href="http://controller:5000/v3">http://controller:5000/v3</a>"</div><div>>>> auth = identity.Password(auth_url=auth_url,</div><div>>>>                               username="admin",</div><div>>>>                               password="abcdef",</div><div>>>>                               project_name="admin",</div><div>>>>                               project_domain_id="default",</div><div>>>>                               user_domain_id="default")</div></div><div>>>> attemp(auth)</div><div><div><Image: ipv6_enabled_image></div><div><Image: cirros-0.3.2-x86_64></div></div><div><br></div><div>With a non-admin user with project_id specified, 401:</div></div><div><br></div><div><div>>>> tauth = identity.Password(auth_url=auth_url,</div><div>...                               username="tenant2",</div><div>...                               password="password",</div><div>...                               project_id="tenant2",</div><div>...                               user_domain_id="default")</div><div>>>> attemp(tauth)</div><div>...</div><div>keystoneauth1.exceptions.http.Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-ed0630a4-7df0-4ba8-a4c4-de3ecb7b4d7d)<br></div></div><div><br></div><div>With the same but without project_id, I get an empty service catalog instead:</div><div><br></div><div><div>>>> tauth = identity.Password(auth_url=auth_url,</div><div>...                               username="tenant2",</div><div>...                               password="password",</div><div>...                               #project_name="tenant2",</div><div>...                               #project_domain_id="default",</div><div>...                               user_domain_id="default")</div><div>>>> </div><div>>>> attemp(tauth)</div><div>...</div><div>keystoneauth1.exceptions.catalog.EmptyCatalog: The service catalog is empty.<br></div></div><div><br></div><div>Can anyone help?</div><div><br></div><div>Regards,</div><div>     Neil</div><div><br></div></div>