Cases of role _member_ across OSA may need updating to member
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack-Ansible | Fix Released | High | Dmitriy Rabotyagov |
Bug Description
Keystone introduced default roles of member, reader and admin in Rocky. Service policy has gradually been adopting these roles, and with enforcement switching on for Nova in 2023.1 they become more important. Historically it appears that OSA created a default '_member_' role, but when new policy is enabled this isn't sufficient for users to perform basic operations.
A workaround for existing deployments using '_member_' appears to be to create an 'implied role' in Keystone linking '_member_' to 'member', but in order for fresh deployments to work out of the box it appears that a number of OSA roles require cleanup to use the new default role name:
The following codesearch points at repos which might require attention: https:/
Changed in openstack-ansible:
assignee: nobody → Dmitriy Rabotyagov (noonedeadpunk)
status: New → Confirmed
importance: Undecided → High
Changed in openstack-ansible:
status: Confirmed → In Progress
Changed in openstack-ansible:
status: In Progress → Fix Released
I upgraded OSA from 26.1.1 -> 27.0.1 and encountered the issue where it started giving errors like "Policy doesn't allow os_compute_api:servers:detail to be performed. (HTTP 403) (Request-ID: xx-xx-xx)"
The fix was to change the role of the user from _member_ to member (without the underscores). Validated by logging in as a user with access to two projects, where the one with the _member_ role gives the error and the one with just "member" does not.
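The two remedies on this page, the implied role from _member_ to member suggested in the bug description and the per-user role change in the comment above, as one added example that is not code from the bug report or from OpenStack-Ansible. It parses the JSON that `openstack role assignment list -f json` prints (the rows below are constructed sample data, not from the bug), prints the implied-role command, and emits an add-then-remove command pair for every remaining _member_ assignment so a principal is never left holding neither role. The function names, the sample user/group/project IDs and the script name are assumptions.

```python
import json
import sys

# Constructed sample of `openstack role assignment list -f json` output.
# IDs are used rather than `--names`, because `--names` prints "user@domain"
# strings that the flags built below would not accept. Not real data.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"Role": "_member_", "User": "u1", "Group": "", "Project": "p1",
     "Domain": "", "System": "", "Inherited": False},
    {"Role": "member", "User": "u1", "Group": "", "Project": "p2",
     "Domain": "", "System": "", "Inherited": False},
    {"Role": "_member_", "User": "", "Group": "g1", "Project": "p3",
     "Domain": "", "System": "", "Inherited": True},
    {"Role": "admin", "User": "u2", "Group": "", "Project": "p1",
     "Domain": "", "System": "", "Inherited": False},
])

LEGACY_ROLE = "_member_"
NEW_ROLE = "member"


def implied_role_command(legacy=LEGACY_ROLE, new=NEW_ROLE):
    """Workaround for existing deployments: every holder of the legacy role
    implicitly holds the new default role, so the new service policy accepts
    tokens issued to them without touching each assignment."""
    return f"openstack implied role create {legacy} --implied-role {new}"


def _target_flags(assignment):
    """Translate one assignment row into the actor/scope flags that both
    `openstack role add` and `openstack role remove` accept."""
    flags = []
    if assignment.get("User"):
        flags += ["--user", assignment["User"]]
    elif assignment.get("Group"):
        flags += ["--group", assignment["Group"]]
    else:
        raise ValueError(f"assignment has neither user nor group: {assignment}")
    if assignment.get("Project"):
        flags += ["--project", assignment["Project"]]
    elif assignment.get("Domain"):
        flags += ["--domain", assignment["Domain"]]
    elif assignment.get("System"):
        flags += ["--system", assignment["System"]]
    else:
        raise ValueError(f"assignment has no project, domain or system scope: {assignment}")
    if assignment.get("Inherited"):
        flags.append("--inherited")
    return " ".join(flags)


def legacy_assignments(assignments_json, legacy=LEGACY_ROLE):
    """Rows that still carry the legacy role; the audit a deployer runs first."""
    return [a for a in json.loads(assignments_json) if a.get("Role") == legacy]


def migration_commands(assignments_json, legacy=LEGACY_ROLE, new=NEW_ROLE):
    """Permanent fix: grant the new role on every scope where the legacy role
    is assigned, then revoke the legacy role. Adding before removing means no
    principal ever has neither role, even if the run is interrupted."""
    cmds = []
    for a in legacy_assignments(assignments_json, legacy):
        flags = _target_flags(a)
        cmds.append(f"openstack role add {flags} {new}")
        cmds.append(f"openstack role remove {flags} {legacy}")
    return cmds


def holds_role(assignments_json, user, project, role):
    """The check used to validate the fix: does `user` directly hold `role`
    on `project`? Direct assignments only; implied roles are not expanded."""
    return any(a.get("User") == user and a.get("Project") == project
               and a.get("Role") == role
               for a in json.loads(assignments_json))


if __name__ == "__main__":
    # Read a real listing from stdin when piped, otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ASSIGNMENTS
    print(implied_role_command())
    for cmd in migration_commands(data):
        print(cmd)
```

Run it against a live cloud with `openstack role assignment list -f json | python3 migrate_member_role.py` (the script name is an assumption) and review the printed commands before executing them. The implied role is the quick fix for an existing deployment; the add/remove pairs are the cleanup that lets the '_member_' role be retired afterwards.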