Public bug reported:

I use identity v3.
I have a domain and two projects inside. I also have a user in this domain who has admin role on the domain.

I do "openstack project list --domain <my domain uuid>" and get "You are not authorized to perform the requested action: identity:list_projects (HTTP 403)".

The policy for identity:list_projects says "cloud admin or rule:admin_and_matching_domain_id".
"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s".
The issue is with domain_id probably, because once I remove it (e.g. "admin_and_matching_domain_id": "rule:admin_required"), it works.

I tried also with admin role on both domain's projects. No success.

Following link mentions the issue but trying to hardcode my domain uuid instead of "%(domain_id)s" did not work for me - https://ask.openstack.org/en/question/69418/not-authorized-to-list-projects-with-keystone-v3/

I also do the projects list request with domain-scoped token via openstack4j Java library. Same result.

Also, I saw some guy who tried the request via pure REST call (GET /v3/projects) and it did not work until he added the domain_id on request (GET /v3/projects?domain_id=...). I did not try it by myself.

I use RDO NEWTON release.

** Affects: keystone
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1732502

Title:
  project-list command does not work for a user with admin role on domain

Status in OpenStack Identity (keystone):
  New
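
Added example, not part of the bug report and not keystone or oslo.policy code: a simplified Python model of how a rule of the form "rule:admin_required and domain_id:%(domain_id)s" is evaluated, showing which combinations of token scope and request filter can satisfy it. It assumes that admin_required is a check for the "admin" role, that a domain-scoped token puts domain_id into the credentials, and that the domain_id query filter is what populates the target; all identifiers and sample values are constructed.

```python
# Simplified model of an oslo.policy-style "kind:match" check (assumption:
# this mirrors the generic check semantics; it is not the library's code).

def generic_check(kind, match, target, creds):
    """Evaluate e.g. 'domain_id:%(domain_id)s'.

    The right side is filled in from the request target, the left side is
    looked up in the token credentials. A missing key on either side fails.
    """
    try:
        expected = match % target        # %(domain_id)s <- request target
    except KeyError:
        return False                     # the target carries no domain_id
    if kind not in creds:
        return False                     # the token carries no domain_id
    return expected == str(creds[kind])


def admin_required(creds):
    # Assumption: admin_required is a plain role check for "admin".
    return "admin" in [r.lower() for r in creds.get("roles", [])]


def admin_and_matching_domain_id(target, creds, match="%(domain_id)s"):
    return admin_required(creds) and generic_check(
        "domain_id", match, target, creds)


# Constructed sample data; the identifiers are placeholders.
DOMAIN = "domain-uuid-placeholder"
DOMAIN_SCOPED = {"roles": ["admin"], "domain_id": DOMAIN}
PROJECT_SCOPED = {"roles": ["admin"], "project_id": "project-uuid-placeholder"}
FILTERED = {"domain_id": DOMAIN}   # models GET /v3/projects?domain_id=...
UNFILTERED = {}                    # models GET /v3/projects


def evaluate_cases():
    rule = admin_and_matching_domain_id
    return {
        "domain token + filter": rule(FILTERED, DOMAIN_SCOPED),
        "domain token, no filter": rule(UNFILTERED, DOMAIN_SCOPED),
        "project token + filter": rule(FILTERED, PROJECT_SCOPED),
        # Hardcoding the uuid removes the dependency on the target only.
        "hardcoded, project token": rule(UNFILTERED, PROJECT_SCOPED, DOMAIN),
        "hardcoded, domain token": rule(UNFILTERED, DOMAIN_SCOPED, DOMAIN),
    }


if __name__ == "__main__":
    for case, allowed in evaluate_cases().items():
        print(f"{case:26} -> {'allowed' if allowed else '403'}")
```

In this model the rule needs domain_id on both sides: in the token credentials and, unless the value is hardcoded in the rule, in the request target.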