[Openstack] [Keystone] List group members with policy.v3cloudsample.json
林自均
johnlinp at gmail.com
Thu Aug 4 03:20:07 UTC 2016
Hi all,
My OpenStack version is Mitaka. I updated my /etc/keystone/policy.json to
policy.v3cloudsample.json
<https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json>.
Most functions works as expected.
However, when I wanted to list members in a group as a domain admin, an
error occurred: “You are not authorized to perform the requested action:
identity:list_users_in_group (HTTP 403)”.
The reproduce steps are:
- As cloud admin:
- openstack domain create taiwan
- openstack user create --domain taiwan --password 5ecret
taiwan-president
- openstack role add --user taiwan-president --domain taiwan admin
- As taiwan-president:
- openstack group create --domain taiwan indigenous
- openstack user create --domain taiwan margaret
- openstack group add user --group-domain taiwan indigenous margaret
- openstack user list --group indigenous --domain taiwan
The last command will generate the 403 error.
The rule for identity:list_users_in_group is rule:cloud_admin or
rule:admin_and_matching_target_group_domain_id. I can successfully list
group members if I changed it to rule:admin_required.
Am I doing anything wrong? Or did I run into some kind of bug? Thanks for
the help.
John
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20160804/26cb2f41/attachment.html>
More information about the Openstack
mailing list