Hi Jake,

Thank you for wonderful tips for debugging and suggestions. Turn out to be a LDAP setup related issue. I have set up LDAP for authentication but not role assignment. It works after setting following lines in keystone.conf 

[assignment]
driver = sql

I didn't add the above line because I thought it's default but maybe my ldap config overrides that option. Anyway thanks for the help again. 

~S




On Wed, Apr 24, 2024 at 11:43 AM Jake Yip <jake.yip@ardc.edu.au> wrote:
On 24/4/2024 10:04 pm, Satish Patel wrote:

> On Wed, Apr 24, 2024 at 7:36 AM Satish Patel <satish.txt@gmail.com
> <mailto:satish.txt@gmail.com>> wrote:
>
>     Yes, user1 created this cluster. I am user1 and I did it myself. How
>     do I check the user_id of the cluster? I am not able to see cluster
>     status.
>

It's returned by the API but not show in the table. You can see it if
you do a `openstack --debug coe cluster show user1`. Alternatively, look
in the DB, magnum.cluster.user_id

Also may help if you dump the output of `openstack role assignment list`
for user1.


 > Funny thing is I deployed 2023.1 last year in another place where
 > everything is working. I am able to create a cluster and
 > retrieve certificates etc.. even I didn't add any users in the reader
 > role. Seems this is something new added recently and not documented
 > anywhere except policy file.
 >

Your old cluster is 2023.1 and new cluster is 2023.1? I took a look at
stable/2023.1, we didn't backport much patches with policy. Can you
elaborate on "something new added recently"?

 > In the new setup I have integrated keystone with LDAP (only for
 > username/password auth not for assignment etc.)
 >

Maybe this might be it, but I'm not familiar with LDAP setup so can't
help you there. You may want to redeploy same version of Magnum but
without the LDAP integration to rule out code or config differences.

HTH,
Jake