[Openstack] list members of a project

Jagga Soorma jagga13 at gmail.com
Thu Apr 21 03:36:05 UTC 2016


Yea so I was able to get the list of users as the cloud admin using
the "openstack
user list --project proj --domain domain" command.

However, I can't seem to do this as the domain admin (admin on both domain
and project):

--
$ openstack user list --project proj --domain domain
You are not authorized to perform the requested action:
identity:list_role_assignments (HTTP 403) (Request-ID:
req-74e1a7e9-e0c3-4163-b803-8cd647a62511)
--

But looks I should based on:

--
$ sudo grep -i list_role_assignment /etc/keystone/policy.json
    "identity:list_role_assignments": "rule:admin_on_domain_filter or
rule:admin_on_project_filter",
--

Any idea what I am missing here.  Based on the above rule I should be able
to get that list of users in a specific project.  Here is proof that I am a
admin on the domain:

--
$ openstack user show user1 --domain domain | grep -i id | grep -v dom
| id        | 436bd5d0a67ba371e603b9b023acd66542cfcdf2e7ec4221fcfd69c2e66102ff
|

$ openstack role list --user 436bd5d0a67ba371e603b9b023acd6
6542cfcdf2e7ec4221fcfd69c2e66102ff --domain domain | grep -i user1
| 530dbdae538e4faa8f37dab516669e74 | admin | domain | user1 |
--

Thanks.

On Wed, Apr 20, 2016 at 7:15 PM, Remo Mattei <remo at italy1.com> wrote:

> you should really move to the openstack command like openstack user list
> (example)
>
> Remo
>
> On Apr 20, 2016, at 16:40, Steve Heyman <steve.heyman at RACKSPACE.COM
> <steve.heyman at rackspace.com>> wrote:
>
> I think keystone user-list does this.  See
> http://docs.openstack.org/developer/keystone/cli_examples.html#user-list
>
> <signature-with-mafia[2][14].png>
>
> From: Jagga Soorma <jagga13 at gmail.com>
> Date: Wednesday, April 20, 2016 at 6:20 PM
> To: openstack <openstack at lists.openstack.org>
> Subject: [Openstack] list members of a project
>
> Hi Guys,
>
> So I am able to find out what role a user has for a specific project, but
> have not been able to find a way to list all members in a given project.
> Is this doable?  Is there a way I can get all members of a existing project
> from cli?  Don't think horizon exposes this information either.
>
> Thanks!
> !DSPAM:1,571814d8173809009228068!
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
> !DSPAM:1,571814d8173809009228068!
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20160420/4c430106/attachment.html>


More information about the Openstack mailing list