[Openstack] Keystone: Get Project List not working with domain admin token

Ratnadeep Bhattacharjee bhatt246 at yahoo.com
Tue Feb 17 23:26:32 UTC 2015

I have set up my openstack environment with V3 Keystone domains enabled after reading a few blogs (notably this one: http://www.florentflament.com/blog/setting-keystone-v3-domains.html). I am not able to get the list of projects in a given domain when querying as the domain admin. Below are the steps I followed:
1. I created an admin domain and added the ID of the domain to my new policy.json file (which is a copy of the latest policy.v3cloudsample.json): "admin_required": "role:admin", "cloud_admin": "rule:admin_required and domain_id:43eebba390b64b86ad073f690f76ee7f", "service_role": "role:service",....
2. Restarted keystone.
3. I went ahead and created a new domain: dom1. A new user (admin1) for that domain and assigned admin role to that user. admin1 is now supposed to be the domain admin for dom1. I logged in as admin1 with scope set to domain id of dom1 and have a valid token as well. The body of the post request was as follows: 
{    "auth": {        "identity": {            "methods": [                "password"            ],            "password": {                "user": {                    "domain": {                        "id": "6a530272037f4672b41e5be12b2d1670"                    },                    "name": "admin1",                    "password": "admin123"                }            }        },        "scope": {            "domain": {                "id": "6a530272037f4672b41e5be12b2d1670"            }        }    }}
4. I then created two projects in the domain dom1. 
5. Now when I try to get a list of all the projects in that domain using HTTP GET  /keystone/v3/projects API call (and passing the admin1 login token) I get a 403 error with the following response: 
   - "error": {      
      - "code": 403,
      - "message": "You are not authorized to perform the requested action: identity:list_projects",
      - "title": "Forbidden"

What am I missing? Would really appreciate any pointers...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20150217/100b731a/attachment.html>

More information about the Openstack mailing list