Dear Keystone Experts,

I have an issue with the openstack client in stage (using Rocky), using a user 'fsc' without 'admin' role and with password auth.

'openstack trust create/show' works. 'openstack trust list' is denied.

But keystone policy.json says:

    "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
    "identity:list_trusts": "",
    "identity:list_roles_for_trust": "",
    "identity:get_role_for_trust": "",
    "identity:delete_trust": "",
    "identity:get_trust": "",

So "openstack list trusts" is always allowed.

In the keystone log (I replaced the uids by names in the output below) I see that 'identity:list_trusts()' was actually granted, but just after that an *admin_required()* is getting checked and fails... I wonder why...

There is also a flag *is_admin_project=True* in the rbac creds for some reason...

Any clue? Many thanks in advance!

Cheers
Francois

#openstack --os-cloud stage-fsc trust create --project fscproject --role creator fsc fsc
#=> fail because of the names and policy rules, but using uids it works

openstack --os-cloud stage-fsc trust create --project aeac4b07d8b144178c43c65f29fa9dac --role 085180eeaf354426b01908cca8e82792 3e9b1a4fe95048a3b98fb5abebd44f6c 3e9b1a4fe95048a3b98fb5abebd44f6c
+--------------------+----------------------------------+
| Field              | Value                            |
+--------------------+----------------------------------+
| deleted_at         | None                             |
| expires_at         | None                             |
| id                 | e74bcdf125e049c69c2e0ab1b182df5b |
| impersonation      | False                            |
| project_id         | fscproject                       |
| redelegation_count | 0                                |
| remaining_uses     | None                             |
| roles              | creator                          |
| trustee_user_id    | fsc                              |
| trustor_user_id    | fsc                              |
+--------------------+----------------------------------+

openstack --os-cloud stage-fsc trust show e74bcdf125e049c69c2e0ab1b182df5b
+--------------------+----------------------------------+
| Field              | Value                            |
+--------------------+----------------------------------+
| deleted_at         | None                             |
| expires_at         | None                             |
| id                 | e74bcdf125e049c69c2e0ab1b182df5b |
| impersonation      | False                            |
| project_id         | fscproject                       |
| redelegation_count | 0                                |
| remaining_uses     | None                             |
| roles              | creator                          |
| trustee_user_id    | fsc                              |
| trustor_user_id    | fsc                              |
+--------------------+----------------------------------+

#this fails:
openstack --os-cloud stage-fsc trust list
*You are not authorized to perform the requested action: admin_required. (HTTP 403)*