<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<pre>Dear Keystone Experts,</pre>
<pre>
</pre>
<pre>I have an issue with the openstack client in stage (using Rocky), using a user 'fsc' without 'admin' role and with password auth.</pre>
<pre>'openstack trust create/show' works.</pre>
<pre>'openstack trust list' is denied.</pre>
<pre>But keystone policy.json says:
</pre>
<pre>"identity:create_trust": "user_id:%(trust.trustor_user_id)s",
"identity:list_trusts": "",
"identity:list_roles_for_trust": "",
"identity:get_role_for_trust": "",
"identity:delete_trust": "",
"identity:get_trust": "",
</pre>
<pre>So "openstack list trusts" is always allowed.</pre>
<pre>In keystone log (I replaced the uid's by names in the output below) I see that 'identity:list_trusts()' was actually granted
but just after that an <u><b>admin_required()</b></u> is getting checked and fails... I wonder why...
</pre>
<pre>There is also a flag <b>is_admin_project=True</b> in the rbac creds for some reason...
Any clue? Many thanks in advance!
Cheers
Francois
</pre>
<pre>#openstack --os-cloud stage-fsc trust create --project fscproject --role creator fsc fsc
#=> fail because of the names and policy rules, but using uid's it works
openstack --os-cloud stage-fsc trust create --project aeac4b07d8b144178c43c65f29fa9dac --role 085180eeaf354426b01908cca8e82792 3e9b1a4fe95048a3b98fb5abebd44f6c 3e9b1a4fe95048a3b98fb5abebd44f6c
+--------------------+----------------------------------+
| Field | Value |
+--------------------+----------------------------------+
| deleted_at | None |
| expires_at | None |
| id | e74bcdf125e049c69c2e0ab1b182df5b |
| impersonation | False |
| project_id | fscproject |
| redelegation_count | 0 |
| remaining_uses | None |
| roles | creator |
| trustee_user_id | fsc |
| trustor_user_id | fsc |
+--------------------+----------------------------------+
openstack --os-cloud stage-fsc trust show e74bcdf125e049c69c2e0ab1b182df5b
+--------------------+----------------------------------+
| Field | Value |
+--------------------+----------------------------------+
| deleted_at | None |
| expires_at | None |
| id | e74bcdf125e049c69c2e0ab1b182df5b |
| impersonation | False |
| project_id | fscproject |
| redelegation_count | 0 |
| remaining_uses | None |
| roles | creator |
| trustee_user_id | fsc |
| trustor_user_id | fsc |
+--------------------+----------------------------------+
#this fails:
openstack --os-cloud stage-fsc trust list
<b>You are not authorized to perform the requested action: admin_required. (HTTP 403)</b>
</pre>
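<pre>Added illustration, not code from the post or from Keystone: a small pure-Python evaluator for the rule shapes quoted in the policy.json excerpt above (the empty rule, attr:%(target)s comparisons and role: checks joined by "or"), standing in for oslo.policy so it runs offline. Fed the user UUID from the post, it shows what the policy layer alone decides: identity:list_trusts with an empty rule is granted to any authenticated caller, identity:create_trust passes only when the trustor id in the request equals the caller's own user_id (a name such as 'fsc' never equals a UUID, which is the policy-rule part of why the name-based call fails and the UUID-based one works), and admin_required is denied to a user holding only the 'creator' role. The admin_required rule itself is not quoted in the post; the value used below is the stock Keystone default of that era and is an assumption here. The admin_required() check that appears in the log after identity:list_trusts() is not produced by the list_trusts rule: Keystone's trust controller of that era asserts admin itself when the list call carries no trustor_user_id or trustee_user_id filter, in addition to the policy rule, and that is the 403 shown at the end of the post.</pre>

```python
"""Added illustration (not Keystone's or oslo.policy's own code): a minimal
evaluator for the rule shapes in the policy.json excerpt, to show what the
policy layer by itself decides for the user 'fsc'."""
import re

# Rules quoted from the post. "admin_required" is not shown in the post; the
# value below is the stock default of that era and is an assumption here.
POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
    "identity:list_trusts": "",
    "identity:get_trust": "",
    "identity:delete_trust": "",
}

_SUBST = re.compile(r"%\(([^)]+)\)s")


def _flatten(d, prefix=""):
    """Flatten {'trust': {'trustor_user_id': x}} to {'trust.trustor_user_id': x},
    the dotted-key shape Keystone hands to the policy engine as the target."""
    out = {}
    for key, value in d.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(_flatten(value, name + "."))
        else:
            out[name] = value
    return out


def _check(atom, creds, target):
    """Evaluate one 'kind:match' atom.
    role:X    -> X is among the caller's roles (case-insensitive)
    attr:M    -> str(creds[attr]) equals M after %(...)s substitution from target
    A missing target key or credential attribute makes the atom fail."""
    kind, _, match = atom.partition(":")
    try:
        match = _SUBST.sub(lambda m: str(target[m.group(1)]), match)
    except KeyError:
        return False
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    if kind not in creds:
        return False
    return match == str(creds[kind])


def enforce(rule_name, creds, target=None):
    """True if the named rule passes for these credentials.
    An empty rule always passes; 'or' joins alternative atoms."""
    rule = POLICY[rule_name]
    if rule == "":
        return True
    flat_target = _flatten(target or {})
    return any(_check(a.strip(), creds, flat_target) for a in rule.split(" or "))


# Constructed credentials for 'fsc' using the user UUID from the post: a user
# holding only the 'creator' role and no admin flag.
FSC_UUID = "3e9b1a4fe95048a3b98fb5abebd44f6c"
FSC_CREDS = {"user_id": FSC_UUID, "roles": ["creator"], "is_admin": False}


def decisions(creds=FSC_CREDS):
    """Policy-layer decisions for the calls made in the post."""
    return {
        # "" -> granted to any authenticated caller, as the post observes
        "identity:list_trusts": enforce("identity:list_trusts", creds),
        # passes only when the trustor id in the request equals the caller's user_id
        "create_trust (trustor by UUID)": enforce(
            "identity:create_trust", creds, {"trust": {"trustor_user_id": FSC_UUID}}),
        # the name 'fsc' never equals the caller's UUID, so this is denied
        "create_trust (trustor by name)": enforce(
            "identity:create_trust", creds, {"trust": {"trustor_user_id": "fsc"}}),
        # a user without the admin role (and no is_admin flag) cannot satisfy this
        "admin_required": enforce("admin_required", creds),
    }


if __name__ == "__main__":
    for name, allowed in decisions().items():
        print(f"{name:32s} -> {'allowed' if allowed else 'denied'}")
```

<pre>Running the block prints one line per decision; the point is that every decision reachable through the quoted rules comes out as the post expects, so a denial on 'trust list' has to originate in a check outside the identity:list_trusts rule.</pre>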
</body>
</html>