After the roles API request fails with 403, other pages return 401 and cannot be accessed
Bug #2049807 reported by liqi
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
skyline apiserver | Fix Released | Undecided | Wu Wenxiang |
Bug Description
Using a normal user role “
Other pages, such as instances,
{
"error": {
"code": 403,
"message": "You are not authorized to perform the requested action: identity:
"title": "Forbidden"
}
}
As shown in the attached screenshot.
Changed in skyline-apiserver: status: New → Fix Released
This issue also confuses me.

Symptom:
-------
1. Log in to Horizon with common user A; listing servers is OK.
2. Log in to Skyline with the same common user A: it could list the nova servers, F12 shows no HTTP requests sent on the network; however, the webpage shows 401 and does not allow listing servers.

Root Cause Analysis:
-------
1. Horizon doesn't know whether a user could do an action on a resource or not. It simply passes the request to the corresponding service, and the service (Nova) does the check by its policy file. So it works.
2. Skyline checks the action by itself, with the /policy API. If you do not configure it, the default value follows the community, like: https://docs.openstack.org/nova/2023.2/configuration/sample-policy.html

How to fix:
-------
1. By default, list servers needs "project_reader_api": "role:reader and project_id:%(project_id)s"
2. You should config your customized role, for example: member, _member_, projectAdmin, etc., to create an implied reader role: "openstack implied role create --implied-role member projectAdmin", or "openstack implied role create --implied-role reader _member_"

# openstack implied role list
+----------------------------------+-----------------+----------------------------------+-------------------+
| Prior Role ID                    | Prior Role Name | Implied Role ID                  | Implied Role Name |
+----------------------------------+-----------------+----------------------------------+-------------------+
| fe21c5a0d17149c2a7b02bf39154d110 | admin           | 4376fc38ba6a44e794671af0a9c60ef5 | member            |
| 4376fc38ba6a44e794671af0a9c60ef5 | member          | e081e01b7a4345bc85f8d3210b95362d | reader            |
| bee8fa36149e434ebb69b61d12113031 | projectAdmin    | 4376fc38ba6a44e794671af0a9c60ef5 | member            |
| 77cec9fc7e764bd4bf60581869c048de | _member_        | e081e01b7a4345bc85f8d3210b95362d | reader            |
+----------------------------------+-----------------+----------------------------------+-------------------+
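Added illustration, not code from the bug thread or from skyline-apiserver: a small Python model of what the comment above describes, Keystone's implied-role expansion feeding the Nova default "project_reader_api" rule. The implied-role table and the rule string are taken from the comment; the evaluator is a constructed subset of oslo.policy syntax (only "and"-joined key:value terms) and `can_list_servers` is a hypothetical helper name.

```python
"""Model of implied-role expansion and the Nova project_reader_api rule.

Constructed example for this bug thread; not from Keystone, Nova or skyline-apiserver.
"""
import re

# Implied-role table as shown by `openstack implied role list` in the comment:
# prior role name -> set of implied role names.
IMPLIED_ROLES = {
    "admin": {"member"},
    "member": {"reader"},
    "projectAdmin": {"member"},
    "_member_": {"reader"},
}

# Nova default rule quoted in the comment.
PROJECT_READER_API = "role:reader and project_id:%(project_id)s"


def expand_roles(assigned, implied=IMPLIED_ROLES):
    """Transitive closure: Keystone adds every implied role to the token's role list,
    so projectAdmin -> member -> reader ends up as all three roles."""
    roles = set(assigned)
    stack = list(assigned)
    while stack:
        for r in implied.get(stack.pop(), ()):
            if r not in roles:
                roles.add(r)
                stack.append(r)
    return roles


def check_rule(rule, creds, target):
    """Evaluate 'key:value and key:value' terms (a subset of oslo.policy).
    role:X passes when X is in creds['roles']; any other key must equal the creds
    value after %(name)s substitution from the target (here the project_id)."""
    for term in rule.split(" and "):
        key, value = term.split(":", 1)
        value = re.sub(r"%\((\w+)\)s", lambda m: str(target[m.group(1)]), value)
        if key == "role":
            if value not in creds["roles"]:
                return False
        elif str(creds.get(key)) != value:
            return False
    return True


def can_list_servers(assigned_roles, project_id, implied=IMPLIED_ROLES):
    """True when the user's expanded roles satisfy project_reader_api; False is the 403."""
    creds = {"roles": expand_roles(assigned_roles, implied), "project_id": project_id}
    return check_rule(PROJECT_READER_API, creds, {"project_id": project_id})
```

With an empty implied-role table a user holding only `_member_` or `projectAdmin` fails the rule, which is the 403 the bug describes; with the table from the comment both pass.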