Public bug reported:

From the policy.json of the V3 API:

    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_projects": "rule:admin_required and domain_id:%(domain_id)s",
    ...
    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",

This specifies that if an admin user of a domain asks for GET /v3/users/<domain-id>/ then the latter will only work if the token was scoped in this domain, but not if it was scoped in a project in that domain.

A patch is coming soon that hopefully will clarify more.

** Affects: keystone
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1338550

Title:
  V3 API project/user/group list only work with domain scoped token

Status in OpenStack Identity (Keystone):
  New
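
Added example, not part of the bug report and not Keystone's own code: a simplified evaluator for the rule syntax quoted above, showing why a project-scoped admin token fails the domain_id:%(domain_id)s check. The definitions of admin_required and cloud_admin and the credential dictionaries are assumptions; in particular it assumes that project-scoped credentials carry a project_id and no domain_id.

```python
# Simplified evaluator for the quoted rule syntax (not oslo or Keystone code).
RULES = {
    # Assumed definitions: the report does not quote these two rules.
    "admin_required": "role:admin",
    "cloud_admin": "rule:admin_required and domain_id:admin_domain_id",
    # Quoted in the report.
    "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_projects": "rule:admin_required and domain_id:%(domain_id)s",
    "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
}

def check_term(term, target, creds):
    """Evaluate one 'kind:match' check against the token credentials."""
    kind, match = term.strip().split(":", 1)
    if kind == "rule":
        return check(RULES[match], target, creds)
    if kind == "role":
        return match in creds.get("roles", [])
    try:
        expected = match % target      # fills %(domain_id)s from the request target
    except KeyError:
        return False
    # Generic check: the credential field named `kind` must equal the value.
    # A missing field (None) never matches.
    return creds.get(kind) == expected

def check(expr, target, creds):
    """'or' binds looser than 'and'; parentheses are not handled here."""
    return any(
        all(check_term(t, target, creds) for t in clause.split(" and "))
        for clause in expr.split(" or ")
    )

def enforce(action, target, creds):
    return check(RULES[action], target, creds)

# Constructed sample data: one target domain and three admin tokens.
TARGET = {"domain_id": "d1"}
DOMAIN_SCOPED = {"roles": ["admin"], "domain_id": "d1"}
PROJECT_SCOPED = {"roles": ["admin"], "project_id": "p1"}  # project p1 lives in d1
OTHER_DOMAIN = {"roles": ["admin"], "domain_id": "d2"}

if __name__ == "__main__":
    for name, creds in [("domain-scoped", DOMAIN_SCOPED),
                        ("project-scoped", PROJECT_SCOPED),
                        ("other domain", OTHER_DOMAIN)]:
        print(name, enforce("identity:list_users", TARGET, creds))
```
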