Cannot list group members with policy.v3cloudsample.json

Bug #1610166 reported by John Lin
Affects: OpenStack Identity (keystone)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

Version: Mitaka

I updated my /etc/keystone/policy.json to policy.v3cloudsample.json [1]. Most functions work as expected.

However, when I wanted to list members in a group as a domain admin, an error occurred: "You are not authorized to perform the requested action: identity:list_users_in_group (HTTP 403)"

The steps to reproduce are:

As cloud admin:
- openstack domain create taiwan # Assume the id of "taiwan" is "18eaa46db5324a129bac0cdbc48f9512"
- TAIWAN_DOMAIN_ID=18eaa46db5324a129bac0cdbc48f9512
- openstack user create --domain $TAIWAN_DOMAIN_ID --password 5ecret taiwan-president
- openstack role add --user taiwan-president --domain $TAIWAN_DOMAIN_ID admin
As taiwan-president:
- openstack group create --domain $TAIWAN_DOMAIN_ID indigenous
- openstack user create --domain $TAIWAN_DOMAIN_ID margaret
- openstack group add user --group-domain $TAIWAN_DOMAIN_ID --user-domain $TAIWAN_DOMAIN_ID indigenous margaret
- openstack user list --group indigenous --domain $TAIWAN_DOMAIN_ID

The last command will generate the 403 error.

The rule for "identity:list_users_in_group" is "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id". I can successfully list group members if I change it to "rule:admin_required". But it's just a workaround.

I can reproduce this issue in devstack.

[1] https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json
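To make the difference between the original rule and the workaround concrete, here is an added example (not from the bug report and not keystone's or oslo.policy's own code): a minimal evaluator for oslo.policy-style rule strings, run over constructed credentials. The bodies assumed for cloud_admin, admin_required and admin_and_matching_target_group_domain_id are simplifications for the demo, not the definitions in policy.v3cloudsample.json; it shows that the scoped rule only passes for an admin of the group's own domain (and cannot pass at all when the check is given no target group), while "rule:admin_required" lets an admin of any domain through.

```python
# Added example: toy evaluator for oslo.policy-style rule strings.
# The rule bodies below are ASSUMED simplifications, not the real
# policy.v3cloudsample.json definitions.
import re

RULES = {
    "admin_required": "role:admin",
    "cloud_admin": "role:admin and domain_id:admin_domain_id",
    "admin_and_matching_target_group_domain_id":
        "role:admin and domain_id:%(target.group.domain_id)s",
}

def _lookup(target, dotted):
    """Resolve e.g. 'target.group.domain_id' against a nested dict; None if absent."""
    cur = {"target": target}
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def _check(atom, creds, target):
    """Evaluate one atom: rule:NAME, role:NAME, or <cred-key>:<value|%(target...)s>."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return evaluate(RULES[value], creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    m = re.fullmatch(r"%\((.+)\)s", value)
    if m:  # substitute from the request target; a missing attribute never matches
        value = _lookup(target, m.group(1))
        if value is None:
            return False
    return creds.get(kind) == value

def evaluate(rule, creds, target=None):
    """'or' binds loosest, then 'and'; no parentheses (enough for this demo)."""
    target = target or {}
    return any(all(_check(a.strip(), creds, target) for a in clause.split(" and "))
               for clause in rule.split(" or "))

SCOPED = "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id"
WORKAROUND = "rule:admin_required"

# Constructed sample identities (the "other" domain id is a placeholder).
TAIWAN = "18eaa46db5324a129bac0cdbc48f9512"  # domain id from the report
taiwan_admin = {"roles": ["admin"], "domain_id": TAIWAN}
other_admin = {"roles": ["admin"], "domain_id": "other-domain-id"}
group_target = {"group": {"domain_id": TAIWAN}}
```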
