when using non-admin credentials, openstack user show works if you specify a user id:
# openstack user show 631bbab78e33e554bc6c7fd53071c6e046fd37680b1b154261bd6183b123e8b0
+-----------+------------------------------------------------------------------+
| Field | Value |
+-----------+------------------------------------------------------------------+
| domain_id | default |
| id | 631bbab78e33e554bc6c7fd53071c6e046fd37680b1b154261bd6183b123e8b0 |
| name | arc1_dep |
+-----------+------------------------------------------------------------------+
but fails if you specify a user name and domain name:
# openstack user show --domain Default arc1_dep
ERROR: openstack You are not authorized to perform the requested action: identity:list_users (HTTP 403) (Request-ID: req-6e3ab4fc-8279-4608-834e-40104397818d)
This is because when you specify user id, openstackclient can make a GET /v3/users/{user_id} call, which policy allows for non-admins as long as the user_id matches their token, but if you specify the name openstackclient can't make that call because it doesn't know the user_id, so it makes a GET /v3/users call instead, which policy only allows for admins.
I think we could fix this by pulling the user_id from the token if/when the user and domain names specified on the openstack user show invocation match the user and domain names of the token, and using that to make the GET /v3/users/{user_id} call instead of relying on GET/v3/users. We would still have to rely on GET /v3/users as today when the names don't match, of course... and it would be right to return a 403 forbidden error when the names don't match, so that's fine.
The same issue (and possible solution) also applies to projects