Hi folks,

I've run into a wall with making openstack domain auth working, and I dont know where to get help, so I am trying here. I've created a question on:

https://ask.openstack.org/en/question/98429/project-specific-admin-unable-to-list-users-or-use-horizon/

..but no-one seems to be able to help.

Since I wrote that, I've gotten as far as creating a working cloud-wide admin(the policy trigger for cloud_admin matching against domain_id, didnt seem to work for the default domain...?), and that user is now working fine as super-mega-admin.

But my old admin user, that has admin rights only in the default domain, admin project, cant list users, or projects, in the default domain.

And sureley he should be able to, with the rules:

"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
"identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",

I've tried to find comprehensive and up2date references on how to read the policy.json syntax, but no success so I am unsure on how to interpret the rule exactly though.

I tried changing to:

"admin_and_matching_domain_id": "rule:admin_required and domain_id:%(target.domain_id)s",

after looking at the rule for:

"identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",

But it didnt help. During the failure, I can see keystone logging:

2016-11-01 22:16:24.521 4824 INFO keystone.common.wsgi [req-46e3301f-f234-434b-a013-5aa2297b6119 admin_User admin_Prj - default default] GET http://172.16.12.100:35357/v3/projects/admin_Prj

(where admin_Prj/User is the UUID's regexped)

What is wrong? Where can I learn how to do this???