I set up keystone v3, then created a domain dom1 and a user adm1, and granted this user the admin role. I authenticated this user with domain scope, then created a project under dom1. I tried to list projects with the same token that created the project. All I got was "You are not authorized to perform the requested action: identity:list_projects".

If I take out the rule domain_id:%(domain_id)s in policy.v3cloudsample.json for "identity:list_projects", everything works well.

Why can't I list projects with the rule domain_id:%(domain_id)s? Thanks.

talihsu

1 Answer

According to the OpenStack API documentation, the API URL for listing projects must be filtered with a domain ID. So in policy.json, domain_id:%(domain_id)s for identity:list_projects means the domain ID in the URL filter must be equal to the domain ID that the token is scoped to.

talihsu
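
The check described in the answer above, as an added example that is not part of the original post and is not keystone or oslo.policy code. It is a simplified model: the left side of the rule is read from the token's credentials, the right side is filled in from the request's query-string filter. The function names, user ID and domain IDs are constructed for illustration.

```python
# Simplified model of a "kind:%(key)s" policy check (added illustration).
from urllib.parse import urlsplit, parse_qs


def target_from_url(url, allowed_filters=("domain_id",)):
    """Build the policy target from the query-string filters of a list call."""
    query = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in query.items() if k in allowed_filters}


def generic_check(rule, creds, target):
    """Evaluate a rule such as 'domain_id:%(domain_id)s'.

    Left of the colon: attribute taken from the token's credentials.
    Right of the colon: template filled in from the request target.
    """
    kind, match = rule.split(":", 1)
    try:
        expected = match % target  # substitute %(domain_id)s from the target
    except KeyError:
        return False  # no domain_id filter in the URL: nothing to compare
    return kind in creds and str(creds[kind]) == expected


def authorize_list_projects(creds, url):
    """Apply the rule from the question to a list-projects request URL."""
    return generic_check("domain_id:%(domain_id)s", creds, target_from_url(url))


# Constructed credentials for a token scoped to a domain with ID "dom1-id".
ADM1_CREDS = {"user_id": "adm1-id", "domain_id": "dom1-id", "roles": ["admin"]}

if __name__ == "__main__":
    for url in ("/v3/projects",
                "/v3/projects?domain_id=dom1-id",
                "/v3/projects?domain_id=other-id"):
        allowed = authorize_list_projects(ADM1_CREDS, url)
        print(f"{url:36} {'allowed' if allowed else 'not authorized'}")
```

In this model the unfiltered request is refused because the target has no domain_id to substitute, and a filter naming a different domain is refused because it does not match the token's scope.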