<html><body><p>If you're using oslo.policy (this is in Kilo and newer) then you shouldn't have to restart Keystone for the changes to policy.json to take effect, but it doesn't hurt.<br><br>I suggest looking to make sure the role 'project_admin' was actually assigned to the user in that project. You can use the command `keystone user-role-list` for that.<br><br>Thanks,<br><br>Steve Martinelli<br>OpenStack Keystone Core<br><br><font size="2" color="#5F5F5F">From: </font><font size="2">Jonathan Proulx <jon@jonproulx.com></font><br><font size="2" color="#5F5F5F">To: </font><font size="2">"openstack@lists.openstack.org" <openstack@lists.openstack.org></font><br><font size="2" color="#5F5F5F">Date: </font><font size="2">2015/08/24 03:46 PM</font><br><font size="2" color="#5F5F5F">Subject: </font><font size="2">[Openstack] Keystone policy to allow project_admins to add (existing) users to their projects</font><br><hr width="100%" size="2" align="left" noshade style="color:#8091A5; "><br><br><br><tt>Hi,<br><br>I want to create a 'project_admin' role with the ability to add and<br>remove existing users from the project in which one has this role.<br>But it's not working as I thought. 
Here's what I tried in policy.json<br>(note #comments are not in the json file):<br><br># set up the rules<br> "project_admin": "project_id:%(project_id)s and role:project_admin",<br> "admin_or_proj_admin": "rule:admin_required or rule:admin_or_proj_admin",<br># grant role to some things that were previously rule:admin_required<br> "identity:get_project": "rule:admin_or_proj_admin",<br> "identity:update_project": "rule:admin_or_proj_admin",<br> "identity:get_user": "rule:admin_or_proj_admin",<br> "identity:get_role": "rule:admin_or_proj_admin",<br> "identity:create_grant": "rule:admin_or_proj_admin",<br> "identity:revoke_grant": "rule:admin_or_proj_admin",<br> "identity:list_role_assignments": "rule:admin_or_proj_admin",<br><br>I'd started off with a smaller set (just the create_grant and<br>revoke_grant) but added more access due to failures, but still not<br>working.<br><br>what I did:<br><br>restarted keystone after editing policy.json (is this required?)<br><br># as admin user<br> keystone user-role-add --user jon --role project_admin --tenant test-group<br><br># as user 'jon'<br> keystone --debug --os-tenant-name test-group user-role-add --user<br>jon-test --role _member_ --tenant test-group<br>DEBUG:keystoneclient.auth.identity.v2:Making authentication request to<br></tt><tt><a href="https://keystone:5001/v2.0/tokens">https://keystone:5001/v2.0/tokens</a></tt><tt><br>INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone<br>DEBUG:urllib3.connectionpool:Setting read timeout to 600.0<br>DEBUG:urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 4915<br>DEBUG:keystoneclient.session:REQ: curl -i -X GET<br></tt><tt><a href="https://keystone:35358/v2.0/users/jon-test">https://keystone:35358/v2.0/users/jon-test</a></tt><tt> -H "User-Agent:<br>python-keystoneclient" -H "X-Auth-Token: <redacted>"<br>INFO:urllib3.connectionpool:Starting new HTTPS connection (1): keystone<br>DEBUG:urllib3.connectionpool:Setting read timeout to 
600.0<br>DEBUG:urllib3.connectionpool:"GET /v2.0/users/jon-test HTTP/1.1" 403 131<br>DEBUG:keystoneclient.session:RESP:<br>DEBUG:keystoneclient.session:Request returned failure status: 403<br>You are not authorized to perform the requested action: admin_required<br>(HTTP 403)<br><br>am I tweaking the wrong rules or is something deeper in my way?<br><br>Thanks,<br>-Jon<br><br></tt><br><br>
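<p>As an added illustration (not code from either message, nor from Keystone or oslo.policy), the small evaluator below interprets the subset of the policy.json rule language used in the post (and/or, rule:, role: and %(project_id)s target matching) and shows why the posted "admin_or_proj_admin" rule, which refers to itself, can never grant a project_admin, while a version pointing at "project_admin" (an assumed correction) does. The rule bodies, the admin_required default and the credentials are constructed inputs; the RuleLoop detection is this toy's own behaviour, not oslo.policy's.</p>

```python
# Constructed inputs. "admin_or_proj_admin" is copied from the post above, where
# it refers to itself; FIXED_RULES assumes "rule:project_admin" was intended.
POSTED_RULES = {
    "admin_required": "role:admin or is_admin:1",
    "project_admin": "project_id:%(project_id)s and role:project_admin",
    "admin_or_proj_admin": "rule:admin_required or rule:admin_or_proj_admin",
    "identity:create_grant": "rule:admin_or_proj_admin",
    "identity:revoke_grant": "rule:admin_or_proj_admin",
}
FIXED_RULES = dict(POSTED_RULES,
                   admin_or_proj_admin="rule:admin_required or rule:project_admin")


class RuleLoop(Exception):
    """A rule:<name> reference led back to a rule that is already being evaluated."""


def evaluate(expr, rules, creds, target, stack=()):
    """Evaluate one policy expression; supports and/or (or binds loosest),
    rule:<name>, role:<name> and generic <attr>:<value> checks, no parentheses."""
    if " or " in expr:
        return any(evaluate(p, rules, creds, target, stack) for p in expr.split(" or "))
    if " and " in expr:
        return all(evaluate(p, rules, creds, target, stack) for p in expr.split(" and "))
    kind, _, match = expr.strip().partition(":")
    if kind == "rule":
        if match in stack:                      # cycle: the rule can never resolve
            raise RuleLoop(" -> ".join(stack + (match,)))
        return evaluate(rules[match], rules, creds, target, stack + (match,))
    match = match % target                      # expand %(project_id)s from the target
    if kind == "role":
        return match in creds.get("roles", [])
    return str(creds.get(kind)) == match        # generic check, e.g. project_id:<value>


def enforce(action, rules, creds, target):
    """True if creds may perform action on target under rules; raises RuleLoop."""
    return evaluate(rules[action], rules, creds, target)


def is_cyclic(action, rules, creds, target):
    """True if evaluating action for these creds runs into a self-referencing rule."""
    try:
        enforce(action, rules, creds, target)
        return False
    except RuleLoop:
        return True


if __name__ == "__main__":
    jon = {"roles": ["project_admin"], "project_id": "test-group"}   # constructed token
    tgt = {"project_id": "test-group"}                                # grant target
    print("fixed rules allow jon :", enforce("identity:create_grant", FIXED_RULES, jon, tgt))
    print("posted rules loop     :", is_cyclic("identity:create_grant", POSTED_RULES, jon, tgt))
```

<p>Note also that the 403 in the trace names admin_required rather than identity:get_user: Keystone's v2.0 API, which the keystone CLI talks to, enforces the admin_required rule directly in its controllers, so the identity:* targets edited above only govern the v3 API.</p>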
</body></html>