[stein] Cannot get openstack role assignment list --names --system all output when all is fulfilled
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | New | Undecided | Unassigned | |
Bug Description
I upgraded an OpenStack cloud from Rocky to Stein and tried to set up new policies as described in the release documentation. However, I cannot retrieve some information, i.e. the command given in the title.
When executed:
openstack role assignment list --names --system all
output is:
You are not authorized to perform the requested action: identity:
That is visible in log print: https:/
Policy.yaml file is here: https:/
Warning message is incorrect and says:
2021-10-04 14:20:40.378 1363 WARNING py.warnings [req-6a27ecd6-
When I removed "identity:
And when I set this rule to the value proposed in the warning message, I get a warning like here: https:/
So it looks like the problem is looping and doesn't make sense.
Besides that, it is incorrect that I cannot retrieve output from this command, as my reader user is system all scoped and I should be able to retrieve the role assignment list.
I'm trying to get this for user jwasilewski:
openstack role assignment list --names --system all
+------
| Role | User | Group | Project | Domain | System | Inherited |
+------
| admin | | Adm.Admin@Default | | | all | False |
| reader | jwasilewski@Default | | | | all | False |
+------
But I'm not sure why 'system_scope': None is defined in logs. Seems it is incorrect behavior.
Keystone packages version:
dpkg -l | grep keystone
ii keystone 2:15.0.
ii keystone-common 2:15.0.
ii python3-keystone 2:15.0.
ii python3-
ii python3-
ii python3-
OS version:
cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_
DISTRIB_
DISTRIB_
Hi Jan,
It looks like the policy you're failing is:
"identity:list_role_assignments": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"
Are you using a system-scoped token to make the request?
You can find more information on the various personas and how to use them in keystone's documentation:
https://docs.openstack.org/keystone/latest/admin/service-api-protection.html
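The rule quoted in the comment above, evaluated against a project-scoped and a system-scoped credential set, as an added example that is not part of the original thread and is not keystone or oslo.policy code. `evaluate` and `_check` are hypothetical, simplified stand-ins for oslo.policy's rule matching, and the credential dictionaries are constructed; they show why a token whose `system_scope` is `None` fails this rule even though the user holds `reader` on the system.

```python
import re

# Rule text as quoted in the comment above.
RULE = "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"
TOKEN = re.compile(r"[\w.]+:(?:%\([\w.]+\)s|[\w.]+)|\(|\)|\band\b|\bor\b")

def _check(atom, creds, target):
    """One 'kind:match' check, simplified from oslo.policy's behaviour."""
    kind, match = atom.split(":", 1)
    if kind == "role":
        return match.lower() in (r.lower() for r in creds.get("roles", []))
    try:
        match = match % target  # fills %(target.domain_id)s
    except KeyError:
        return False  # request target has no such attribute
    return kind in creds and str(creds[kind]) == match

def evaluate(rule, creds, target):
    """Recursive-descent evaluation of and/or/parentheses over checks."""
    tokens, pos = TOKEN.findall(rule), 0
    def primary():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok != "(":
            return _check(tok, creds, target)
        value = either()
        pos += 1  # consume ")"
        return value
    def both():
        nonlocal pos
        value = primary()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            value = primary() and value  # always parse the right-hand side
        return value
    def either():
        nonlocal pos
        value = both()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            value = both() or value
        return value
    return either()

# Constructed credentials: same reader role, different token scope.
PROJECT_SCOPED = {"roles": ["reader"], "system_scope": None, "project_id": "p1"}
SYSTEM_SCOPED = {"roles": ["reader"], "system_scope": "all"}
print(evaluate(RULE, PROJECT_SCOPED, {}), evaluate(RULE, SYSTEM_SCOPED, {}))
```

With python-openstackclient, a system-scoped token is requested with `--os-system-scope all` (or `OS_SYSTEM_SCOPE=all`) and no project or domain scope set.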