Hi,

I just upgraded Nova/Cinder/Glance of our production cloud from Yoga to Antelope (after upgrading Keystone yesterday) and since the upgrade, users who are not admin basically cannot do anything with Glance and Nova, even though we changed nothing in the service configuration or the users' roles since Yoga. We enabled scoped tokens a while ago (several months).

After some research, we found that it was linked to the fact that, for (bad) historical reasons, the person who created the cloud 10 years ago renamed the role "member" to "users". It has been working without bad impact up to now. I was surprised by this absence of impact when we switched to scoped tokens and enforced the new rules. I realize that it is because several (all?) services up to Yoga were still supporting the old rules in addition to the new ones. On Cinder and Keystone for example, when using oslopolicy-policy-generator, it reports deprecated rules that are not defined in our configuration, and I guess it is because the old rules have not yet been deleted in these services.

Our first attempt to fix the problem was to rename the "users" role (which every non-admin user has instead of the no-longer-existing "member" role) back to its original name, "member". Unfortunately it didn't solve the problem, even after restarting memcached everywhere (not sure whether it has an impact) and the API services of Glance and Nova.

We found a workaround by slightly modifying the policy rules defining what is a member or reader, with the following for Nova (and something similar for Glance, even if more rules have to be modified there, as there is no rule defining what is a member or reader):

"project_member_api": "(role:member or role:users) and project_id:%(project_id)s"
"project_reader_api": "(role:reader or role:users) and project_id:%(project_id)s"

My question is: why was renaming the role not enough? The fact that "openstack role set --name" exists suggests that it should work, doesn't it? We can probably live with the workaround we found, but it would make the configuration simpler if we could fix the role name and keep the standard rules...

Thanks in advance for any suggestion on how to do it, or on how to troubleshoot why it doesn't work...

Best regards,

Michel

-- 
Michel
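As an added illustration (not part of Michel's message, and not oslo.policy's own code): a small Python re-implementation of the subset of the oslo.policy check-string syntax used by the rules quoted above, showing why a scoped token carrying the role "users" fails the standard Nova project_member_api rule but passes the workaround rule. The STANDARD strings are assumed to be the upstream ones with only role:member / role:reader (as the message implies); the roles and project ids fed to it are constructed.

```python
# Check strings from the message; STANDARD is the assumed upstream form (role:member / role:reader only).
STANDARD = {"project_member_api": "role:member and project_id:%(project_id)s",
            "project_reader_api": "role:reader and project_id:%(project_id)s"}
WORKAROUND = {"project_member_api": "(role:member or role:users) and project_id:%(project_id)s",
              "project_reader_api": "(role:reader or role:users) and project_id:%(project_id)s"}


def tokenize(rule):
    # Only a leading "(" or trailing ")" of a whitespace-separated word is grouping;
    # the parentheses inside %(project_id)s belong to the value and are kept whole.
    tokens = []
    for word in rule.split():
        opens = len(word) - len(word.lstrip("("))
        closes = len(word) - len(word.rstrip(")"))
        tokens += ["("] * opens + [word[opens:len(word) - closes]] + [")"] * closes
    return tokens


def evaluate(rule, creds, target):
    """Evaluate a check string: 'or' binds loosest, then 'and', then (...).

    creds  - attributes of the token (roles, project_id)
    target - attributes of the object being accessed, used to expand %(project_id)s
    """
    tokens = tokenize(rule)

    def check(token):  # role:<name>, or <attr>:<value> with %(x)s expanded from the target
        kind, _, value = token.partition(":")
        value = value % target
        if kind == "role":
            return value in creds.get("roles", [])
        return str(creds.get(kind)) == value

    def factor():
        tok = tokens.pop(0)
        if tok != "(":
            return check(tok)
        value = expr()
        if tokens.pop(0) != ")":
            raise ValueError("unbalanced parentheses in %r" % rule)
        return value

    def term():
        value = factor()
        while tokens and tokens[0] == "and":
            tokens.pop(0)
            value = factor() and value
        return value

    def expr():
        value = term()
        while tokens and tokens[0] == "or":
            tokens.pop(0)
            value = term() or value
        return value

    return expr()
```

With a token that only carries the renamed role, `evaluate(STANDARD["project_member_api"], {"roles": ["users"], "project_id": "p1"}, {"project_id": "p1"})` is False while the WORKAROUND rule is True; the project_id clause still rejects a token scoped to another project.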