[openstack-dev] Kilo v3 identity problems

Dolph Mathews dolph.mathews at gmail.com
Wed Jun 3 18:16:55 UTC 2015


I assume that by "v3 policy file" you're specifically referring to:


https://github.com/openstack/keystone/blob/f6c01dd1673b290578e9fff063e27104412ffeda/etc/policy.v3cloudsample.json

Which essentially illustrates enforcement of a much more powerful
authorization model than most deployers are familiar with today. You'll
need to create and consume a domain-based role assignment, for example (do
you have a role assigned to your user on the "default" domain? Are you
accessing "openstack domain list" with a domain-scoped token?).

Unless you're ready to experiment with that new policy model, the default
policy file is also designed for v3 and it's behavior is probably what
you're expecting:


https://github.com/openstack/keystone/blob/f6c01dd1673b290578e9fff063e27104412ffeda/etc/policy.json

Perhaps "policy.v3cloudsample.json" is poorly named if it implies that it's
somehow a pre-requisite to getting started with the v3 API?

On Wed, Jun 3, 2015 at 11:29 AM, Amy Zhang <amy.u.zhang at gmail.com> wrote:

> Hi guys,
>
> I have installed Kilo and try to use identity v3. I am using v3 policy
> file. I changed the domain_id for cloud admin as "default". As cloud admin,
> I tried "openstack domain list" and got the error message saying that I was
> not authorized.
>
> The part I changed in policy.json:
>
> "cloud_admin": "rule:admin_required and domain_id:default",
>
>
> The error I got from "openstack domain list":
>
> ERROR: openstack You are not authorized to perform the requested action:
> identity:create_domain (Disable debug mode to suppress these details.)
> (HTTP 403) (Request-ID: req-2f42b1da-9933-4494-9b39-c1664d154377)
>
> Has anyone tried identity v3 in Kilo? Did you have this problem? Any
> suggestions?
>
> Thanks
> Amy
> --
> Best regards,
> Amy (Yun Zhang)
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150603/fcadd3ec/attachment.html>


More information about the OpenStack-dev mailing list