The policy.yaml documented here differs from what is generated with 'tox -e genpolicy': https://docs.openstack.org/placement/latest/configuration/sample-policy.html The version on the web has all policy commented out. This feels like it is not a package issue at this point. Here is the diff: https://paste.ubuntu.com/p/BVPMzMNwkJ/ Pasting the diff here as well (formatting may not be great): --- /tmp/policy.yaml 2022-08-29 16:54:11.582341611 +0000 +++ /etc/placement/policy.yaml 2021-10-07 15:21:07.000000000 +0000 @@ -16,16 +16,7 @@ # Placement API policies are introducing new default roles with # scope_type capabilities. Old policies are deprecated and silently # going to be ignored in the placement 6.0.0 (Xena) release. -# WARNING: A rule name change has been identified. -# This may be an artifact of new rules being -# included which require legacy fallback -# rules to ensure proper policy behavior. -# Alternatively, this may just be an alias. -# Please evaluate on a case by case basis -# keeping in mind the format for aliased -# rules is: -# "old_rule_name": "new_rule_name". -# "rule:admin_api": "rule:system_admin_api" +"rule:admin_api": "rule:system_admin_api" # Default rule for System level read only APIs. #"system_reader_api": "role:reader and system_scope:all" @@ -36,16 +27,7 @@ # Placement API policies are introducing new default roles with # scope_type capabilities. Old policies are deprecated and silently # going to be ignored in the placement 6.0.0 (Xena) release. -# WARNING: A rule name change has been identified. -# This may be an artifact of new rules being -# included which require legacy fallback -# rules to ensure proper policy behavior. -# Alternatively, this may just be an alias. -# Please evaluate on a case by case basis -# keeping in mind the format for aliased -# rules is: -# "old_rule_name": "new_rule_name". -# "rule:admin_api": "rule:system_reader_api" +"rule:admin_api": "rule:system_reader_api" # Default rule for Project level read only APIs. #"project_reader_api": "role:reader and project_id:%(project_id)s" @@ -56,16 +38,7 @@ # Placement API policies are introducing new default roles with # scope_type capabilities. Old policies are deprecated and silently # going to be ignored in the placement 6.0.0 (Xena) release. -# WARNING: A rule name change has been identified. -# This may be an artifact of new rules being -# included which require legacy fallback -# rules to ensure proper policy behavior. -# Alternatively, this may just be an alias. -# Please evaluate on a case by case basis -# keeping in mind the format for aliased -# rules is: -# "old_rule_name": "new_rule_name". -# "rule:admin_api": "rule:project_reader_api" +"rule:admin_api": "rule:project_reader_api" # Default rule for System+Project read only APIs. #"system_or_project_reader": "rule:system_reader_api or rule:project_reader_api" @@ -77,16 +50,7 @@ # Placement API policies are introducing new default roles with # scope_type capabilities. Old policies are deprecated and silently # going to be ignored in the placement 6.0.0 (Xena) release. -# WARNING: A rule name change has been identified. -# This may be an artifact of new rules being -# included which require legacy fallback -# rules to ensure proper policy behavior. -# Alternatively, this may just be an alias. -# Please evaluate on a case by case basis -# keeping in mind the format for aliased -# rules is: -# "old_rule_name": "new_rule_name". -# "rule:admin_api": "rule:system_or_project_reader" +"rule:admin_api": "rule:system_or_project_reader" # List resource providers. # GET /resource_providers @@ -254,3 +218,4 @@ # POST /reshaper # Intended scope(s): system #"placement:reshaper:reshape": "rule:system_admin_api" +