steps: 1) obtain an auth-token curl -H 'Content-Type: application/json' -d '{ "auth": {"tenantName": "Development", "passwordCredentials": {"username": "jenkins", "password": "*****"} } }' http://10.0.80.15:5000/v2.0/tokens "access": {"token": {"expires": "2013-02-07T15:23:49Z", "id": "e3d266a113a64558801537830b01001d", "tenant": {"enabled": true, "description": "The developer group", "name": "Development", "id": "62b31fa8598a443487d99a79b6ba5547"}}, "serviceCatalog": [{"endpoints": [{"adminURL": "http://10.0.80.15:8774/v2/62b31fa8598a443487d99a79b6ba5547", "region": "nyc02", "internalURL": "http://10.0.80.15:8774/v2/62b31fa8598a443487d99a79b6ba5547", "id": "bb7fa36c03bf48589b87109509bfacb0", "publicURL": "http://10.0.80.15:8774/v2/62b31fa8598a443487d99a79b6ba5547"}], "endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints": [{"adminURL": "http://10.0.80.15:9292/v1", "region": "nyc02", "internalURL": "http://10.0.80.15:9292/v1", "id": "a1560797b76d45209af5820c72edf0c3", "publicURL": "http://10.0.80.15:9292/v1"}], "endpoints_links": [], "type": "image", "name": "glance"}, {"endpoints": [{"adminURL": "http://10.0.80.15:8776/v1/62b31fa8598a443487d99a79b6ba5547", "region": "nyc02", "internalURL": "http://10.0.80.15:8776/v1/62b31fa8598a443487d99a79b6ba5547", "id": "214577425ac8411ea114f5d0285d2814", "publicURL": "http://10.0.80.15:8776/v1/62b31fa8598a443487d99a79b6ba5547"}], "endpoints_links": [], "type": "volume", "name": "volume"}, {"endpoints": [{"adminURL": "http://10.0.80.15:8773/services/Admin", "region": "nyc02", "internalURL": "http://10.0.80.15:8773/services/Cloud", "id": "8d0f2bbbd729465eaf92964c728a60db", "publicURL": "http://10.0.80.15:8773/services/Cloud"}], "endpoints_links": [], "type": "ec2", "name": "ec2"}, {"endpoints": [{"adminURL": "http://10.0.80.15:8080/", "region": "nyc02", "internalURL": "http://10.0.80.15:8080/v1/AUTH_62b31fa8598a443487d99a79b6ba5547", "id": "8ab8b4cddd224f8facba3bcaf909b323", "publicURL": 
"http://10.0.80.15:8080/v1/AUTH_62b31fa8598a443487d99a79b6ba5547"}], "endpoints_links": [], "type": "object-store", "name": "swift"}, {"endpoints": [{"adminURL": "http://10.0.80.15:35357/v2.0", "region": "nyc02", "internalURL": "http://10.0.80.15:5000/v2.0", "id": "1e030df055e54aa2bde029f30a50c79d", "publicURL": "http://10.0.80.15:5000/v2.0"}], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": {"username": "jenkins", "roles_links": [], "id": "f80bbe2743b74f92a85ba61e8f93e62c", "roles": [], "name": "jenkins"}}} 2) attempt to list servers for a tenant curl -v -H 'X-Auth-Token: e3d266a113a64558801537830b01001d' Expected: A list of servers for the Development tenant. Actual: Reply from server: http://10.0.80.15:8774/v2/2201915216d143038d65f61e323caf15/servers * About to connect() to 10.0.80.15 port 8774 (#0) * Trying 10.0.80.15... * connected * Connected to 10.0.80.15 (10.0.80.15) port 8774 (#0) > GET /v2/2201915216d143038d65f61e323caf15/servers HTTP/1.1 > User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5 > Host: 10.0.80.15:8774 > Accept: */* > X-Auth-Token: e3d266a113a64558801537830b01001d > < HTTP/1.1 500 Internal Server Error < Content-Length: 128 < Content-Type: application/json; charset=UTF-8 < Date: Wed, 06 Feb 2013 15:24:38 GMT < * Connection #0 to host 10.0.80.15 left intact {"computeFault": {"message": "The server has either erred or is incapable of performing the requested operation.", "code": 500}}* Closing connection #0 Stack trace: 2013-02-05 16:01:31 6291 ERROR nova.api.openstack [-] Caught error: u'project_id' 2013-02-05 16:01:31 6291 TRACE nova.api.openstack Traceback (most recent call last): 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/api/openstack/__init__.py", line 78, in __call__ 2013-02-05 16:01:31 6291 TRACE nova.api.openstack return req.get_response(self.application) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File 
"/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/request.py", line 1053, in get_response 2013-02-05 16:01:31 6291 TRACE nova.api.openstack application, catch_exc_info=False) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/request.py", line 1022, in call_application 2013-02-05 16:01:31 6291 TRACE nova.api.openstack app_iter = application(self.environ, start_response) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/dec.py", line 159, in __call__ 2013-02-05 16:01:31 6291 TRACE nova.api.openstack return resp(environ, start_response) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/keystone/middleware/auth_token.py", line 278, in __call__ 2013-02-05 16:01:31 6291 TRACE nova.api.openstack return self.app(env, start_response) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/dec.py", line 147, in __call__ 2013-02-05 16:01:31 6291 TRACE nova.api.openstack resp = self.call_func(req, *args, **self.kwargs) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/dec.py", line 208, in call_func 2013-02-05 16:01:31 6291 TRACE nova.api.openstack return self.func(req, *args, **kwargs) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/api/auth.py", line 117, in __call__ 2013-02-05 16:01:31 6291 TRACE nova.api.openstack service_catalog=service_catalog) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/context.py", line 70, in __init__ 2013-02-05 16:01:31 6291 TRACE nova.api.openstack self.is_admin = policy.check_is_admin(self.roles) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/policy.py", line 115, in check_is_admin 2013-02-05 16:01:31 
6291 TRACE nova.api.openstack exception.PolicyNotAuthorized, action=action) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 125, in enforce 2013-02-05 16:01:31 6291 TRACE nova.api.openstack if not _BRAIN.check(match_list, target_dict, credentials_dict): 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 204, in check 2013-02-05 16:01:31 6291 TRACE nova.api.openstack for item in and_list]): 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 184, in _check 2013-02-05 16:01:31 6291 TRACE nova.api.openstack return func(self, match_kind, match_value, target_dict, cred_dict) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 260, in _check_rule 2013-02-05 16:01:31 6291 TRACE nova.api.openstack return brain.check(new_match_list, target_dict, cred_dict) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 204, in check 2013-02-05 16:01:31 6291 TRACE nova.api.openstack for item in and_list]): 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 184, in _check 2013-02-05 16:01:31 6291 TRACE nova.api.openstack return func(self, match_kind, match_value, target_dict, cred_dict) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 260, in _check_rule 2013-02-05 16:01:31 6291 TRACE nova.api.openstack return brain.check(new_match_list, target_dict, cred_dict) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 204, in check 2013-02-05 16:01:31 6291 TRACE nova.api.openstack for 
item in and_list]): 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 184, in _check 2013-02-05 16:01:31 6291 TRACE nova.api.openstack return func(self, match_kind, match_value, target_dict, cred_dict) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 260, in _check_rule 2013-02-05 16:01:31 6291 TRACE nova.api.openstack return brain.check(new_match_list, target_dict, cred_dict) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 204, in check 2013-02-05 16:01:31 6291 TRACE nova.api.openstack for item in and_list]): 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 184, in _check 1,1 Top 2013-02-05 16:01:31 6291 ERROR nova.api.openstack [-] Caught error: u'project_id' 2013-02-05 16:01:31 6291 TRACE nova.api.openstack Traceback (most recent call last): 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/api/openstack/__init__.py", line 78, in __call__ 2013-02-05 16:01:31 6291 TRACE nova.api.openstack return req.get_response(self.application) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/request.py", line 1053, in get_response 2013-02-05 16:01:31 6291 TRACE nova.api.openstack application, catch_exc_info=False) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/request.py", line 1022, in call_application 2013-02-05 16:01:31 6291 TRACE nova.api.openstack app_iter = application(self.environ, start_response) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/dec.py", line 159, in __call__ 2013-02-05 16:01:31 6291 TRACE 
nova.api.openstack return resp(environ, start_response) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/keystone/middleware/auth_token.py", line 278, in __call__ 2013-02-05 16:01:31 6291 TRACE nova.api.openstack return self.app(env, start_response) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/dec.py", line 147, in __call__ 2013-02-05 16:01:31 6291 TRACE nova.api.openstack resp = self.call_func(req, *args, **self.kwargs) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/dec.py", line 208, in call_func 2013-02-05 16:01:31 6291 TRACE nova.api.openstack return self.func(req, *args, **kwargs) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/api/auth.py", line 117, in __call__ 2013-02-05 16:01:31 6291 TRACE nova.api.openstack service_catalog=service_catalog) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/context.py", line 70, in __init__ 2013-02-05 16:01:31 6291 TRACE nova.api.openstack self.is_admin = policy.check_is_admin(self.roles) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/policy.py", line 115, in check_is_admin 2013-02-05 16:01:31 6291 TRACE nova.api.openstack exception.PolicyNotAuthorized, action=action) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 125, in enforce 2013-02-05 16:01:31 6291 TRACE nova.api.openstack if not _BRAIN.check(match_list, target_dict, credentials_dict): 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 204, in check 2013-02-05 16:01:31 6291 TRACE nova.api.openstack for item in and_list]): 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File 
"/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 184, in _check 2013-02-05 16:01:31 6291 TRACE nova.api.openstack return func(self, match_kind, match_value, target_dict, cred_dict) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 260, in _check_rule 2013-02-05 16:01:31 6291 TRACE nova.api.openstack return brain.check(new_match_list, target_dict, cred_dict) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 204, in check 2013-02-05 16:01:31 6291 TRACE nova.api.openstack for item in and_list]): 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 184, in _check 2013-02-05 16:01:31 6291 TRACE nova.api.openstack return func(self, match_kind, match_value, target_dict, cred_dict) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 260, in _check_rule 2013-02-05 16:01:31 6291 TRACE nova.api.openstack return brain.check(new_match_list, target_dict, cred_dict) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 204, in check 2013-02-05 16:01:31 6291 TRACE nova.api.openstack for item in and_list]): 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 184, in _check 2013-02-05 16:01:31 6291 TRACE nova.api.openstack return func(self, match_kind, match_value, target_dict, cred_dict) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 260, in _check_rule 2013-02-05 16:01:31 6291 TRACE nova.api.openstack return brain.check(new_match_list, target_dict, cred_dict) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File 
"/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 204, in check 2013-02-05 16:01:31 6291 TRACE nova.api.openstack for item in and_list]): 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 184, in _check 2013-02-05 16:01:31 6291 TRACE nova.api.openstack return func(self, match_kind, match_value, target_dict, cred_dict) 2013-02-05 16:01:31 6291 TRACE nova.api.openstack File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 300, in _check_generic 2013-02-05 16:01:31 6291 TRACE nova.api.openstack match = match % target_dict 2013-02-05 16:01:31 6291 TRACE nova.api.openstack KeyError: u'project_id'

This may be a config problem on my end, but regardless, this error is pretty obscure. I've tracked it down to an empty target_dict being passed in to _check_generic via the policy.is_admin check (check_is_admin in the trace above). Because the target is empty, a rule reached from that check that contains a %(...)s substitution fails at `match % target_dict` with a KeyError instead of being evaluated. The policy.json below also defines no "context_is_admin" rule, which is the action nova's check_is_admin looks up, so the check presumably falls through to "default" and from there to admin_or_owner. It does seem to be directly related to my policy.json for the nova service, which has the following default_rule:

"admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]], "default": [["rule:admin_or_owner"]],

Changing project_id:%(project_id)s to any other key causes that key to be raised as the KeyError instead. Removing the second part of admin_or_owner (the project_id check) causes: ERROR: Policy doesn't allow compute:get_instance_faults to be performed.
(HTTP 403) (Request-ID: req-b61ab676-a9c4-4530-916b-73f5f33211b2) My full policy.json: { "admin_or_owner": [["role:admin"], ["project_id:%(project_id)s"]], "default": [["rule:admin_or_owner"]], "compute:create": [], "compute:create:attach_network": [], "compute:create:attach_volume": [], "compute:get_all": [], "admin_api": [["role:admin"]], "compute_extension:accounts": [["rule:admin_api"]], "compute_extension:admin_actions": [["rule:admin_api"]], "compute_extension:admin_actions:pause": [["rule:admin_or_owner"]], "compute_extension:admin_actions:unpause": [["rule:admin_or_owner"]], "compute_extension:admin_actions:suspend": [["rule:admin_or_owner"]], "compute_extension:admin_actions:resume": [["rule:admin_or_owner"]], "compute_extension:admin_actions:lock": [["rule:admin_api"]], "compute_extension:admin_actions:unlock": [["rule:admin_api"]], "compute_extension:admin_actions:resetNetwork": [["rule:admin_api"]], "compute_extension:admin_actions:injectNetworkInfo": [["rule:admin_api"]], "compute_extension:admin_actions:createBackup": [["rule:admin_or_owner"]], "compute_extension:admin_actions:migrateLive": [["rule:admin_api"]], "compute_extension:admin_actions:migrate": [["rule:admin_api"]], "compute_extension:aggregates": [["rule:admin_api"]], "compute_extension:certificates": [], "compute_extension:cloudpipe": [["rule:admin_api"]], "compute_extension:console_output": [], "compute_extension:consoles": [], "compute_extension:createserverext": [], "compute_extension:deferred_delete": [], "compute_extension:disk_config": [], "compute_extension:extended_server_attributes": [["rule:admin_api"]], "compute_extension:extended_status": [], "compute_extension:flavorextradata": [], "compute_extension:flavorextraspecs": [], "compute_extension:flavormanage": [["rule:admin_api"]], "compute_extension:floating_ip_dns": [], "compute_extension:floating_ip_pools": [], "compute_extension:floating_ips": [], "compute_extension:hosts": [["rule:admin_api"]], "compute_extension:keypairs": 
[], "compute_extension:multinic": [], "compute_extension:networks": [["rule:admin_api"]], "compute_extension:quotas": [], "compute_extension:rescue": [], "compute_extension:security_groups": [], "compute_extension:server_action_list": [["rule:admin_api"]], "compute_extension:server_diagnostics": [["rule:admin_api"]], "compute_extension:simple_tenant_usage:show": [["rule:admin_or_owner"]], "compute_extension:simple_tenant_usage:list": [["rule:admin_api"]], "compute_extension:users": [["rule:admin_api"]], "compute_extension:virtual_interfaces": [], "compute_extension:virtual_storage_arrays": [], "compute_extension:volumes": [], "compute_extension:volumetypes": [], "volume:create": [], "volume:get_all": [], "volume:get_volume_metadata": [], "volume:get_snapshot": [], "volume:get_all_snapshots": [], "network:get_all_networks": [], "network:get_network": [], "network:delete_network": [], "network:disassociate_network": [], "network:get_vifs_by_instance": [], "network:allocate_for_instance": [], "network:deallocate_for_instance": [], "network:validate_networks": [], "network:get_instance_uuids_by_ip_filter": [], "network:get_floating_ip": [], "network:get_floating_ip_pools": [], "network:get_floating_ip_by_address": [], "network:get_floating_ips_by_project": [], "network:get_floating_ips_by_fixed_address": [], "network:allocate_floating_ip": [], "network:deallocate_floating_ip": [], "network:associate_floating_ip": [], "network:disassociate_floating_ip": [], "network:get_fixed_ip": [], "network:add_fixed_ip_to_instance": [], "network:remove_fixed_ip_from_instance": [], "network:add_network_to_project": [], "network:get_instance_nw_info": [], "network:get_dns_domains": [], "network:add_dns_entry": [], "network:modify_dns_entry": [], "network:delete_dns_entry": [], "network:get_dns_entries_by_address": [], "network:get_dns_entries_by_name": [], "network:create_private_dns_domain": [], "network:create_public_dns_domain": [], "network:delete_dns_domain": [] }