
Setup public rule in keystone policy file


I am trying to create roles for my OpenStack installation. One of the first things I've tried is to allow all users to access a resource in my policy file, "identity:list_roles" for example. But no matter what I tried, it will always say:

You are not authorized to perform the requested action, admin_required. (HTTP 403)

I've tried the following:

is_admin:0
True:%(user.enabled)s
True
not is_admin:1
role:_member_

and much more... is it even possible?

Thanks!


Solution

  • Well, after lots of testing and googling the answer is no, it is not possible.

    To list roles, you must be an admin in the Keystone v2 API and also within the same scope in v3.

    Also, I was testing on the v2 API while posting this question. V2 ignores the policy file; it has its policies hard-coded.