Comment 2 for bug 2072639

Markus Hentsch (mhen) wrote :

The reader role you are referring to is part of the Consistent and Secure Default RBAC rework[^1] (or SRBAC for short) and the new default role model.

The adoption of SRBAC is individual to each OpenStack service (e.g. Nova, Cinder, etc.). Keystone only provides the foundation but cannot enforce policies on foreign services, such as Nova, itself. Hence, this is unlikely to be a bug in Keystone but either a bug in Nova or (most likely) a mismatch of your Nova version or policy configuration.

Good call attaching your policy file! It clearly shows rules from before SRBAC was introduced to Nova.
Note how "os_compute_api:servers:create: rule:admin_or_owner" and "admin_or_owner: is_admin:True or project_id:%(project_id)s" only look at the project relationship but not at the role (except for admin).

This is different in today's implementation of Nova[^2] where the role is checked to be "member" additionally.

You can try the following things:

a) Enable enforce_new_defaults and delete your policy.yaml for Nova, so that Nova falls back to its in-code policy defaults.

b) Build a new policy.yaml file based on oslopolicy-sample-generator[^3].

c) Delete your policy.yaml and generate a new policy file using oslopolicy-policy-generator[^4] (note that oslopolicy-policy-generator will use the current Nova configuration so you will really have to delete your policy file beforehand so that it outputs the in-code fallbacks!)

Hope that helps!

---

[^1]: https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html

[^2]: https://docs.openstack.org/nova/latest/configuration/policy.html

[^3]: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-sample-generator.html

[^4]: https://docs.openstack.org/oslo.policy/latest/cli/oslopolicy-policy-generator.html
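Added example (not part of the comment above or of Nova's code): a small evaluator for the subset of oslo.policy rule syntax quoted in the bug, comparing the attached pre-SRBAC rule with an assumed SRBAC-style rule, to show why a user holding only the "reader" role passes the old "admin_or_owner" check but fails a role-aware one. The rule names in NEW_POLICY ("context_is_admin", "project_member", "project_member_or_admin") are assumptions about the shape of Nova's in-code defaults; real deployments should use oslo.policy itself rather than this toy evaluator.

```python
# Old-style rules, as quoted from the policy file attached to the bug.
OLD_POLICY = {
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "os_compute_api:servers:create": "rule:admin_or_owner",
}

# SRBAC-style rules (assumed shape; names are illustrative, not Nova's exact
# in-code defaults). The member role is checked in addition to the project.
NEW_POLICY = {
    "context_is_admin": "role:admin",
    "project_member": "role:member and project_id:%(project_id)s",
    "project_member_or_admin": "rule:project_member or rule:context_is_admin",
    "os_compute_api:servers:create": "rule:project_member_or_admin",
}


def _check_atom(atom, policy, creds, target):
    """Evaluate one 'kind:value' check against token credentials and target."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return evaluate(value, policy, creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    if kind == "is_admin":
        return str(creds.get("is_admin", False)) == value
    # Generic attribute check, e.g. project_id:%(project_id)s compares the
    # token's project_id with the target resource's project_id.
    if value.startswith("%(") and value.endswith(")s"):
        value = target.get(value[2:-2])
    return value is not None and creds.get(kind) == value


def evaluate(expr, policy, creds, target):
    """'or' binds loosest, then 'and'; parentheses are not supported here."""
    if expr in policy:  # a bare rule name expands to its definition
        return evaluate(policy[expr], policy, creds, target)
    return any(
        all(_check_atom(a.strip(), policy, creds, target)
            for a in clause.split(" and "))
        for clause in expr.split(" or ")
    )


def can_create_server(policy, creds, target):
    """True if the given credentials may create a server in the target project."""
    return evaluate("os_compute_api:servers:create", policy, creds, target)
```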