Reputation: 175
I set up keystone v3, and then created a domain dom1
, a user adm1
and grant this user to admin role. Authenticate this user with domain scope. Then create a project under dom1
. I tried to list projects with the same token that created the project. All I got is "You are not authorized to perform the requested action: identity:list_projects"
.
If I take out the rule domain_id:%(domain_id)s
in policy.v3cloudsample.json for "identity:list_projects"
, everything works well.
Why cannot I list projects with the rule domain_id:%(domain_id)s
?
Thanks.
Upvotes: 3
Views: 5683
Reputation: 175
According to OpenStack API document, the API URL of listing projects must be filtered with domain ID. So in policy,json, domain_id:%(domain_id)s
of identity:list_projects
means the domain ID in URL filter must be equal to the domain ID that the token is scoped.
Upvotes: 1