<div dir="ltr"><div class="markdown-here-wrapper" style=""><p style="margin:0px 0px 1.2em!important">Hi all,</p>
<p style="margin:0px 0px 1.2em!important">My OpenStack version is Mitaka. I updated my <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">/etc/keystone/policy.json</code> to <a href="https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json">policy.v3cloudsample.json</a>. Most functions work as expected.</p>
<p style="margin:0px 0px 1.2em!important">However, when I wanted to list members in a group as a domain admin, an error occurred: “You are not authorized to perform the requested action: identity:list_users_in_group (HTTP 403)”.</p>
<p style="margin:0px 0px 1.2em!important">The steps to reproduce are:</p>
<ul style="margin:1.2em 0px;padding-left:2em">
<li style="margin:0.5em 0px">As cloud admin:<ul style="margin:1.2em 0px;padding-left:2em;margin:0px;padding-left:1em">
<li style="margin:0.5em 0px"><code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">openstack domain create taiwan</code></li>
<li style="margin:0.5em 0px"><code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">openstack user create --domain taiwan --password 5ecret taiwan-president</code></li>
<li style="margin:0.5em 0px"><code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">openstack role add --user taiwan-president --domain taiwan admin</code></li>
</ul>
</li>
<li style="margin:0.5em 0px">As <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">taiwan-president</code>:<ul style="margin:1.2em 0px;padding-left:2em;margin:0px;padding-left:1em">
<li style="margin:0.5em 0px"><code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">openstack group create --domain taiwan indigenous</code></li>
<li style="margin:0.5em 0px"><code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">openstack user create --domain taiwan margaret</code></li>
<li style="margin:0.5em 0px"><code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">openstack group add user --group-domain taiwan indigenous margaret</code></li>
<li style="margin:0.5em 0px"><code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">openstack user list --group indigenous --domain taiwan</code></li>
</ul>
</li>
</ul>
<p style="margin:0px 0px 1.2em!important">The last command will generate the 403 error.</p>
<p style="margin:0px 0px 1.2em!important">The rule for <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">identity:list_users_in_group</code> is <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">rule:cloud_admin or rule:admin_and_matching_target_group_domain_id</code>. I can successfully list group members if I change it to <code style="font-size:0.85em;font-family:Consolas,Inconsolata,Courier,monospace;margin:0px 0.15em;padding:0px 0.3em;white-space:pre-wrap;border:1px solid rgb(234,234,234);border-radius:3px;display:inline;background-color:rgb(248,248,248)">rule:admin_required</code>.</p>
<p style="margin:0px 0px 1.2em!important">Am I doing anything wrong? Or did I run into some kind of bug? Thanks for the help.</p>
<p style="margin:0px 0px 1.2em!important">John</p>
</div></div>