[Openstack] Keystone: Get Project List not working with domain admin token

Ratnadeep Bhattacharjee bhatt246 at yahoo.com
Wed Feb 18 23:34:23 UTC 2015

GET /projects?domain_id=<domain is for dom1> did the trick. Thanks so much, Henry. 

     On Wednesday, February 18, 2015 5:20 AM, Henry Nash <henry.nash at uk.ibm.com> wrote:

So one thing to try is to pass the domain_id as a filter to list projects, I.e.:
GET /projects?domain_id=<domain is for dom1>
I thought that a domain scoped token would have been sufficient, but let's try that.  Could you also send me your policy file so I can check it?

On 17 Feb 2015, at 23:29, Ratnadeep Bhattacharjee <bhatt246 at yahoo.com> wrote:

I have set up my openstack environment with V3 Keystone domains enabled after reading a few blogs (notably this one: http://www.florentflament.com/blog/setting-keystone-v3-domains.html). I am not able to get the list of projects in a given domain when querying as the domain admin. Below are the steps I followed:
1. I created an admin domain and added the ID of the domain to my new policy.json file (which is a copy of the latest policy.v3cloudsample.json): "admin_required": "role:admin", "cloud_admin": "rule:admin_required and domain_id:43eebba390b64b86ad073f690f76ee7f", "service_role": "role:service",....
2. Restarted keystone.
3. I went ahead and created a new domain: dom1. A new user (admin1) for that domain and assigned admin role to that user. admin1 is now supposed to be the domain admin for dom1. I logged in as admin1 with scope set to domain id of dom1 and have a valid token as well. The body of the post request was as follows: 
{    "auth": {        "identity": {            "methods": [                "password"            ],            "password": {                "user": {                    "domain": {                        "id": "6a530272037f4672b41e5be12b2d1670"                    },                    "name": "admin1",                    "password": "admin123"                }            }        },        "scope": {            "domain": {                "id": "6a530272037f4672b41e5be12b2d1670"            }        }    }}
4. I then created two projects in the domain dom1. 
5. Now when I try to get a list of all the projects in that domain using HTTP GET  /keystone/v3/projects API call (and passing the admin1 login token) I get a 403 error with the following response: 
   - "error": {      
      - "code": 403,
      - "message": "You are not authorized to perform the requested action: identity:list_projects",
      - "title": "Forbidden"

What am I missing? Would really appreciate any pointers...

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20150218/06fee025/attachment.html>

More information about the Openstack mailing list