<div dir="ltr">Hi Eugen,<div><br></div><div>I have no problem with the cloud admin, so I guess your workaround doesn't work for me. What disturbing me is the unexpected behavior of the domain admin.</div><div><br></div><div>John</div></div><br><div class="gmail_quote"><div dir="ltr">Eugen Block <<a href="mailto:eblock@nde.ag">eblock@nde.ag</a>> 於 2016年8月4日 週四 下午3:34寫道:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
I had a similar issue recently [1], I had to adjust my policy file<br>
because for some reason "domain_id:default" was not applied, instead I<br>
use "user_domain_id:default" which works fine now.<br>
<br>
---cut here---<br>
control1:~ # grep "\"cloud_admin\":" /etc/keystone/policy.json<br>
"cloud_admin": "rule:admin_required and (domain_id:default or<br>
user_domain_id:default)",<br>
---cut here---<br>
<br>
And I added it as an OR statement as a workaround to keep the original<br>
statement. Hope this helps!<br>
<br>
Regards,<br>
Eugen<br>
<br>
[1] <a href="http://lists.openstack.org/pipermail/openstack/2016-June/016454.html" rel="noreferrer" target="_blank">http://lists.openstack.org/pipermail/openstack/2016-June/016454.html</a><br>
<br>
<br>
Zitat von 林自均 <<a href="mailto:johnlinp@gmail.com" target="_blank">johnlinp@gmail.com</a>>:<br>
<br>
> Hi all,<br>
><br>
> My OpenStack version is Mitaka. I updated my /etc/keystone/policy.json to<br>
> policy.v3cloudsample.json<br>
> <<a href="https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json" rel="noreferrer" target="_blank">https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json</a>>.<br>
> Most functions works as expected.<br>
><br>
> However, when I wanted to list members in a group as a domain admin, an<br>
> error occurred: “You are not authorized to perform the requested action:<br>
> identity:list_users_in_group (HTTP 403)”.<br>
><br>
> The reproduce steps are:<br>
><br>
> - As cloud admin:<br>
> - openstack domain create taiwan<br>
> - openstack user create --domain taiwan --password 5ecret<br>
> taiwan-president<br>
> - openstack role add --user taiwan-president --domain taiwan admin<br>
> - As taiwan-president:<br>
> - openstack group create --domain taiwan indigenous<br>
> - openstack user create --domain taiwan margaret<br>
> - openstack group add user --group-domain taiwan indigenous margaret<br>
> - openstack user list --group indigenous --domain taiwan<br>
><br>
> The last command will generate the 403 error.<br>
><br>
> The rule for identity:list_users_in_group is rule:cloud_admin or<br>
> rule:admin_and_matching_target_group_domain_id. I can successfully list<br>
> group members if I changed it to rule:admin_required.<br>
><br>
> Am I doing anything wrong? Or did I run into some kind of bug? Thanks for<br>
> the help.<br>
><br>
> John<br>
> <br>
<br>
<br>
<br>
--<br>
Eugen Block voice : +49-40-559 51 75<br>
NDE Netzdesign und -entwicklung AG fax : +49-40-559 51 77<br>
Postfach 61 03 15<br>
D-22423 Hamburg e-mail : <a href="mailto:eblock@nde.ag" target="_blank">eblock@nde.ag</a><br>
<br>
Vorsitzende des Aufsichtsrates: Angelika Mozdzen<br>
Sitz und Registergericht: Hamburg, HRB 90934<br>
Vorstand: Jens-U. Mozdzen<br>
USt-IdNr. DE 814 013 983<br>
<br>
<br>
_______________________________________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
</blockquote></div>