[Openstack] [Keystone] List group members with policy.v3cloudsample.json

林自均 johnlinp at gmail.com
Thu Aug 4 03:20:07 UTC 2016

Hi all,

My OpenStack version is Mitaka. I updated my /etc/keystone/policy.json to
Most functions works as expected.

However, when I wanted to list members in a group as a domain admin, an
error occurred: “You are not authorized to perform the requested action:
identity:list_users_in_group (HTTP 403)”.

The reproduce steps are:

   - As cloud admin:
      - openstack domain create taiwan
      - openstack user create --domain taiwan --password 5ecret
      - openstack role add --user taiwan-president --domain taiwan admin
   - As taiwan-president:
      - openstack group create --domain taiwan indigenous
      - openstack user create --domain taiwan margaret
      - openstack group add user --group-domain taiwan indigenous margaret
      - openstack user list --group indigenous --domain taiwan

The last command will generate the 403 error.

The rule for identity:list_users_in_group is rule:cloud_admin or
rule:admin_and_matching_target_group_domain_id. I can successfully list
group members if I changed it to rule:admin_required.

Am I doing anything wrong? Or did I run into some kind of bug? Thanks for
the help.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20160804/26cb2f41/attachment.html>

More information about the Openstack mailing list