Thanks. After I sent the mail, we had a good conversation with Rabi and understood the whole background. Horizon will try to support better keystone v3 support in Ocata cycle. 2016-09-21 22:47 GMT+09:00 Zane Bitter <zbitter at redhat.com>: > On 21/09/16 03:30, Akihiro Motoki wrote: > >> Hi, >> >> The default policy.json provided by heat limits 'service-list' API to >> 'admin' project like below. >> Is there any reason 'admin' role user in non-'admin' project cannot >> see service-list? >> > > https://bugs.launchpad.net/keystone/+bug/968696 > > "service:index": "rule:context_is_admin", >> "context_is_admin": "role:admin and is_admin_project:True", >> >> I noticed this when investigating a horizon bug >> https://bugs.launchpad.net/horizon/+bug/1624834. >> horizon currently has a bit different policy engine and it does not >> support is_admin_project:True. >> We would like to know the background of this default configuration. >> >> Thanks, >> Akihiro >> >> ____________________________________________________________ >> ______________ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscrib >> e >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >> > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160922/6e352313/attachment.html>