Hi,

I just upgraded Nova/Cinder/Glance of our production cloud from Yoga to Antelope (after upgrading Keystone yesterday) and since the upgrade, users who are not admin cannot do anything basically, despite we changed nothing to service configuration or user's roles since Yoga. We enabled scoped tokens a while ago (several months).

For (bad) historical reasons,  the role "member" was called "users" but it had no impact (I was surprised), despite we are using standard policies. We thought it may be a consequence of this and we renamed the role back to "member". It was not enough to fix the problem, even after restart memcached on all servers just in case.

We thought that there was may be some caching done somewhere with the old role name and modified slightly the policy rules defining what is a member or read with:

"project_member_api": "(role:member or role:users) and project_id:%(project_id)s"
"project_reader_api": "(role:reader or role:users) and project_id:%(project_id)s"

It first works but the change was reverted by mistake and now it doesn't work anymore.

I am really completely stuck, without any clue about what happen and on how to troubleshoot it. I googled a bit but was not able to find something looking similar...

Any help would be greatly appreciated. Best regards,

Michel

-- 
Michel