<div dir="ltr">Hello,<div><br></div><div>I am preparing the policy configuration before an upgrade to the newer OpenStack release (Stein), and I would like to create a group of System Administrators that is able to, for example, get a list of all projects in the OpenStack cloud. I was following the description on this page [1], but it seems my admin user is able to get only a list of the projects where it is directly added (i.e. with the member role, reader role, or admin role). I am just wondering whether a System Administrator user can list all of the OpenStack projects without having the reader role added to every single project.</div><div><br></div><div>To summarize the steps done so far:</div><div>- The original policy.json file that was used is here [2]</div><div>- Only one option has been changed so far:</div><div>from:</div><div><pre style="line-height:16.25px;margin-top:0px;margin-bottom:0px;padding:5px 0px;font-family:"Bitstream Vera Sans Mono",monospace;font-size:13px;color:rgb(0,0,0)">"identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",</pre></div><div>to:</div><div><pre style="line-height:16.25px;margin-top:0px;margin-bottom:0px;padding:5px 0px;font-family:"Bitstream Vera Sans Mono",monospace;font-size:13px;color:rgb(0,0,0)">"identity:list_projects": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)",</pre></div><div><pre class="gmail-moz-quote-pre"><span style="font-family:Arial,Helvetica,sans-serif">- Output for the command: </span>openstack role assignment list --system all --role member --role reader</pre><pre class="gmail-moz-quote-pre">+----------------------------------+------+----------------------------------+---------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+----------------------------------+------+----------------------------------+---------+--------+--------+-----------+
| e39e97c23bfe45d1a2f9689b6985f990 | | a0841b83f583477887219f27dd95477b | | | all | False |
+----------------------------------+------+----------------------------------+---------+--------+--------+-----------+
<font face="arial, sans-serif">This shows only the reader role, not the member role, which is a bit strange if we compare it with the linked page above. But we have this in the implied roles:
</font>openstack implied role list
+----------------------------------+-----------------+----------------------------------+-------------------+
| Prior Role ID | Prior Role Name | Implied Role ID | Implied Role Name |
+----------------------------------+-----------------+----------------------------------+-------------------+
| a3c7bb5d06884b048c1bfb4403b82b42 | admin | 3f20cb7be46346a8b2ba65c4684d50a3 | member |
| a3c7bb5d06884b048c1bfb4403b82b42 | admin | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| 3f20cb7be46346a8b2ba65c4684d50a3 | member | e39e97c23bfe45d1a2f9689b6985f990 | reader |
+----------------------------------+-----------------+----------------------------------+-------------------+
<font face="arial, sans-serif">- Admin roles are grouped in the group ATM.Admin:</font> openstack role assignment list --names --system all --role admin:
+-------+---------------------+-------------------+---------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+-------+---------------------+-------------------+---------+--------+--------+-----------+
| admin | | ATM.Admin@Default | | | all | False |
| admin | admin@Default | | | | all | False |
| admin | jwasilewski@Default | | | | all | False |
+-------+---------------------+-------------------+---------+--------+--------+-----------+
<font face="arial, sans-serif">Just to be sure that the IDs are linked, we can check them here:
</font>openstack role assignment list --system all --role admin
+----------------------------------+----------------------------------+----------------------------------+---------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+----------------------------------+----------------------------------+----------------------------------+---------+--------+--------+-----------+
| a3c7bb5d06884b048c1bfb4403b82b42 | | a0841b83f583477887219f27dd95477b | | | all | False |
| a3c7bb5d06884b048c1bfb4403b82b42 | 19416fe5a2da45c88eb66c3aaf856c73 | | | | all | False |
| a3c7bb5d06884b048c1bfb4403b82b42 | f42df418fd404d04b9bdabf2f1b49fd9 | | | | all | False |
+----------------------------------+----------------------------------+----------------------------------+---------+--------+--------+-----------+
<br></pre>So, by linking roles (implied roles): admin (a3c7bb5d06884b048c1bfb4403b82b42) -> member (3f20cb7be46346a8b2ba65c4684d50a3) -> reader (e39e97c23bfe45d1a2f9689b6985f990).<br><br>The correlation is visible; based on that, my user (jwasilewski) should retrieve the full project list, but it seems only the three projects where this user is an admin are visible. I do not want to add my user as a reader to every single project just to be able to list all of them. Is there a way to achieve this, or is the only way to add this role (reader) to the user on all projects?<br>Thank you in advance for any suggestions.</div><div><br></div>Best regards,<br>Jan Wasilewski<div><br></div><div>[1] <a href="https://docs.openstack.org/keystone/stein/admin/service-api-protection.html#system-administrators">https://docs.openstack.org/keystone/stein/admin/service-api-protection.html#system-administrators</a> -> <a class="gmail-moz-txt-link-freetext" href="https://docs.openstack.org/keystone/latest/admin/service-api-protection.html#system-administrators">https://docs.openstack.org/keystone/latest/admin/service-api-protection.html#system-administrators</a></div><div>[2] <a href="https://paste.openstack.org/show/bq0HgyqouZF1vywKVkGn/">https://paste.openstack.org/show/bq0HgyqouZF1vywKVkGn/</a></div></div>
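Added example, not the poster's code and not oslo.policy or Keystone itself: a minimal Python evaluator for the subset of the oslo.policy rule language used by the changed identity:list_projects rule above, with a constructed role-inference table matching the `openstack implied role list` output in the post. It assumes that the credential dict Keystone derives from a token carries the roles after inference plus a `system_scope` key equal to `all` for a system-scoped token, and that the generic `domain_id:%(target.domain_id)s` check interpolates the target and compares it with the credential's `domain_id`. Evaluating the rule this way shows that an admin assignment (which implies reader) passes only with a system-scoped token, or a domain-scoped token for the matching domain; a project-scoped token fails both halves of the rule, whatever projects the user holds roles on.

```python
"""Minimal evaluator for the oslo.policy rule subset used by identity:list_projects.
Added illustration only; all tables, credentials and targets below are constructed."""
import re

# Constructed inference table mirroring the implied-role output in the post:
# admin -> member -> reader (admin also implies the legacy _member_ role).
IMPLIED_ROLES = {
    "admin": {"member", "_member_"},
    "member": {"reader"},
}

# The rule the post sets identity:list_projects to.
LIST_PROJECTS_RULE = (
    "(role:reader and system_scope:all) or "
    "(role:reader and domain_id:%(target.domain_id)s)"
)

# Tokens: parentheses, the and/or operators, and kind:match checks, where the
# match may be a %(...)s interpolation such as domain_id:%(target.domain_id)s.
_TOKEN_RE = re.compile(r"\(|\)|\band\b|\bor\b|\w+:(?:%\([^)]*\)s|[^\s()]+)")


def expand_roles(roles, implied=IMPLIED_ROLES):
    """Transitively expand roles through the inference table, the way a token
    for an admin assignment ends up carrying admin, member and reader."""
    expanded = set(roles)
    pending = list(roles)
    while pending:
        for child in implied.get(pending.pop(), ()):
            if child not in expanded:
                expanded.add(child)
                pending.append(child)
    return expanded


def _check(token, creds, target):
    """Evaluate one kind:match check against a credential and a target dict."""
    kind, _, match = token.partition(":")
    if kind == "role":
        return match in creds.get("roles", ())
    # Generic check (system_scope:all, domain_id:%(target.domain_id)s, ...):
    # interpolate the match against the target, then compare with creds[kind].
    if "%(" in match:
        try:
            match = match % target
        except KeyError:  # target lacks the key, so the check fails
            return False
    return creds.get(kind) == match


def evaluate(rule, creds, target=None):
    """Evaluate a rule string: 'and' binds tighter than 'or', parentheses group."""
    target = target or {}
    tokens = _TOKEN_RE.findall(rule)
    pos = 0

    def parse_or():
        nonlocal pos
        result = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            rhs = parse_and()  # always parsed so the cursor advances
            result = result or rhs
        return result

    def parse_and():
        nonlocal pos
        result = parse_primary()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            rhs = parse_primary()
            result = result and rhs
        return result

    def parse_primary():
        nonlocal pos
        token = tokens[pos]
        pos += 1
        if token == "(":
            value = parse_or()
            pos += 1  # consume the closing ")"
            return value
        return _check(token, creds, target)

    return parse_or()


def make_creds(roles, system_scope=None, domain_id=None, project_id=None):
    """Constructed stand-in for the credential dict Keystone derives from a
    token: assigned roles after inference plus the token's scope attribute."""
    creds = {"roles": expand_roles(roles)}
    if system_scope:
        creds["system_scope"] = system_scope
    if domain_id:
        creds["domain_id"] = domain_id
    if project_id:
        creds["project_id"] = project_id
    return creds


def can_list_projects(creds, target=None):
    return evaluate(LIST_PROJECTS_RULE, creds, target)


if __name__ == "__main__":
    # Same admin assignment, different token scopes (all constructed).
    print("system-scoped admin :", can_list_projects(make_creds(["admin"], system_scope="all")))
    print("project-scoped admin:", can_list_projects(make_creds(["admin"], project_id="p1")))
    print("domain-scoped reader:", can_list_projects(make_creds(["reader"], domain_id="default"),
                                                     {"target.domain_id": "default"}))
```

The practical counterpart of the first case is to request a system-scoped token (`--os-system-scope all`, or `OS_SYSTEM_SCOPE=all` with the project-scope variables unset) before running `openstack project list`; with a project-scoped token the `system_scope:all` check can never be satisfied, so the rule only ever falls through to its domain half.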