Hi Team,
As part of enhancing our OpenStack RBAC policy management, we are in the process of setting up custom roles for various admin-related activities.
admin_instance_read, admin_volume_read, admin_network_read, admin_glance_read
Despite the above configurations, listing all instances, images, volumes, and networks across all projects still only works for the admin role. The custom roles (e.g., admin_instance_read, etc.) are not taking effect for cross-project visibility as expected.
I would appreciate any suggestions or insights on:
Whether additional policy bindings or role scopes are required.
If any service-specific constraints might be overriding the custom roles.
Any known limitations regarding get_all_tenants behavior with custom roles.