I assume that by "v3 policy file" you're specifically referring to: https://github.com/openstack/keystone/blob/f6c01dd1673b290578e9fff063e27104412ffeda/etc/policy.v3cloudsample.json Which essentially illustrates enforcement of a much more powerful authorization model than most deployers are familiar with today. You'll need to create and consume a domain-based role assignment, for example (do you have a role assigned to your user on the "default" domain? Are you accessing "openstack domain list" with a domain-scoped token?). Unless you're ready to experiment with that new policy model, the default policy file is also designed for v3 and it's behavior is probably what you're expecting: https://github.com/openstack/keystone/blob/f6c01dd1673b290578e9fff063e27104412ffeda/etc/policy.json Perhaps "policy.v3cloudsample.json" is poorly named if it implies that it's somehow a pre-requisite to getting started with the v3 API? On Wed, Jun 3, 2015 at 11:29 AM, Amy Zhang <amy.u.zhang at gmail.com> wrote: > Hi guys, > > I have installed Kilo and try to use identity v3. I am using v3 policy > file. I changed the domain_id for cloud admin as "default". As cloud admin, > I tried "openstack domain list" and got the error message saying that I was > not authorized. > > The part I changed in policy.json: > > "cloud_admin": "rule:admin_required and domain_id:default", > > > The error I got from "openstack domain list": > > ERROR: openstack You are not authorized to perform the requested action: > identity:create_domain (Disable debug mode to suppress these details.) > (HTTP 403) (Request-ID: req-2f42b1da-9933-4494-9b39-c1664d154377) > > Has anyone tried identity v3 in Kilo? Did you have this problem? Any > suggestions? > > Thanks > Amy > -- > Best regards, > Amy (Yun Zhang) > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150603/fcadd3ec/attachment.html>