2021-10-04 12:43:38 |
Jan Wasilewski |
description |
I upgraded OpenStack cloud from rocky to stein and tried to setup new policies as described in release documentation. However I cannot retrieve some information, i.e. command defined in topic.
When executed:
openstack role assignment list --names --system all
output is:
You are not authorized to perform the requested action: identity:list_role_assignments. (HTTP 403) (Request-ID: req-6a27ecd6-7cef-41e4-8470-cf1037f383ac)
That is visible in log print: https://paste.opendev.org/show/809759/
Policy.yaml file is here: https://paste.opendev.org/show/809760/
Warning message is incorrect and says:
2021-10-04 14:20:40.378 1363 WARNING py.warnings [req-6a27ecd6-7cef-41e4-8470-cf1037f383ac f42df418fd404d04b9bdabf2f1b49fd9 509b380257a943b6809c4826e6be372c - default default] /usr/lib/python3/dist-packages/oslo_policy/policy.py:679: UserWarning: Policy "identity:get_mapping":"rule:admin_required" was deprecated in S in favor of "identity:list_mappings":"role:reader and system_scope:all". Reason:
When I removed "identity:get_mapping" from policy file, warning message is like here: https://paste.opendev.org/show/809761/
And when I setup this rule to the value proposed in warning message, I get warning like here: https://paste.opendev.org/show/809762/
So it looks like a problem is looping and doesn't make a sense.
Besides of that it is incorrect that I cannot retrieve output from this command, as my reader user is system all scoped and I should be able to retrieve role assignment list.
I'm trying to get this for user jwasilewski:
openstack role assignment list --names --system all
+--------+---------------------+-------------------+---------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+--------+---------------------+-------------------+---------+--------+--------+-----------+
| admin | | Adm.Admin@Default | | | all | False |
| reader | jwasilewski@Default | | | | all | False |
+--------+---------------------+-------------------+---------+--------+--------+-----------+
But I'm not sure why 'system_scope': None is defined in logs. Seems it is incorrect behavior. |
I upgraded OpenStack cloud from rocky to stein and tried to setup new policies as described in release documentation. However I cannot retrieve some information, i.e. command defined in topic.
When executed:
openstack role assignment list --names --system all
output is:
You are not authorized to perform the requested action: identity:list_role_assignments. (HTTP 403) (Request-ID: req-6a27ecd6-7cef-41e4-8470-cf1037f383ac)
That is visible in log print: https://paste.opendev.org/show/809759/
Policy.yaml file is here: https://paste.opendev.org/show/809760/
Warning message is incorrect and says:
2021-10-04 14:20:40.378 1363 WARNING py.warnings [req-6a27ecd6-7cef-41e4-8470-cf1037f383ac f42df418fd404d04b9bdabf2f1b49fd9 509b380257a943b6809c4826e6be372c - default default] /usr/lib/python3/dist-packages/oslo_policy/policy.py:679: UserWarning: Policy "identity:get_mapping":"rule:admin_required" was deprecated in S in favor of "identity:list_mappings":"role:reader and system_scope:all". Reason:
When I removed "identity:get_mapping" from policy file, warning message is like here: https://paste.opendev.org/show/809761/
And when I setup this rule to the value proposed in warning message, I get warning like here: https://paste.opendev.org/show/809762/
So it looks like a problem is looping and doesn't make a sense.
Besides of that it is incorrect that I cannot retrieve output from this command, as my reader user is system all scoped and I should be able to retrieve role assignment list.
I'm trying to get this for user jwasilewski:
openstack role assignment list --names --system all
+--------+---------------------+-------------------+---------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+--------+---------------------+-------------------+---------+--------+--------+-----------+
| admin | | Adm.Admin@Default | | | all | False |
| reader | jwasilewski@Default | | | | all | False |
+--------+---------------------+-------------------+---------+--------+--------+-----------+
But I'm not sure why 'system_scope': None is defined in logs. Seems it is incorrect behavior.
Keystone packages version:
dpkg -l | grep keystone
ii keystone 2:15.0.1-0ubuntu1~cloud0 all OpenStack identity service - Daemons
ii keystone-common 2:15.0.1-0ubuntu1~cloud0 all OpenStack identity service - Common files
ii python3-keystone 2:15.0.1-0ubuntu1~cloud0 all OpenStack identity service - Python 3 library
ii python3-keystoneauth1 3.13.1-0ubuntu1~cloud0 all authentication library for OpenStack Identity - Python 3.x
ii python3-keystoneclient 1:3.19.0-0ubuntu1~cloud0 all client library for the OpenStack Keystone API - Python 3.x
ii python3-keystonemiddleware 6.0.0-0ubuntu1~cloud0 all Middleware for OpenStack Identity (Keystone) - Python 3.x
OS version:
cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS" |
|