Hello,

Your admin-openrc.sh includes OS_PROJECT_NAME and OS_TENANT_NAME. This means
you are using project scope instead of system scope.

If you want to use the project scope access you should remove these two variables and use
OS_SYSTEM_SCOPE=all instead.

> I see the policy is "role:reader and system_scope:all". I think the user admin has role reader
> and also with system_scope:all.

Policy rule enforcement is applied based on the scope used in API access. In your case you use
a project scope token to access the Heat API, so the system scope role assignment is NOT populated.


Also, unfortunately the Heat API does not allow the CLI to use system scope because of the project_id/tenant_id
template in its endpoint URL, which can't be resolved when system scope is used. If you want to use system scope
to access the Heat API then you are likely to need to implement your own tool or use a raw HTTP client such as curl.

Thank you,
Takashi


On Fri, Aug 26, 2022 at 4:08 PM Boxiang Zhu <bxzhu_5355@163.com> wrote:

Hi,

I deployed OpenStack with kolla-ansible, and the openstack_release in globals.yml is master.
The versions of openstackclient and heatclient are 5.8.0 and 3.0.0.

I run the command "source /etc/kolla/admin-openrc.sh" to export the OpenStack environment variables:
OS_PROJECT_DOMAIN_NAME=Default
OS_USER_DOMAIN_NAME=Default
OS_PROJECT_NAME=admin
OS_TENANT_NAME=admin
OS_USERNAME=admin
OS_PASSWORD=xxxxxxxxx
OS_AUTH_URL=http://192.168.100.10:5000
OS_INTERFACE=internal
OS_ENDPOINT_TYPE=internalURL
OS_MANILA_ENDPOINT_TYPE=internalURL
OS_IDENTITY_API_VERSION=3
OS_REGION_NAME=RegionOne
OS_AUTH_PLUGIN=password

Then I tried to list all stacks with the command "openstack stack list --all-projects", but I got the
following error message:
ERROR: You are not authorized to use stacks:global_index.

I see the policy is "role:reader and system_scope:all". I think the user admin has role reader
and also with system_scope:all.
❯ openstack role assignment list
+----------------------------------+----------------------------------+-------+----------------------------------+----------------------------------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain                           | System | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+----------------------------------+--------+-----------+
| cd572da356fb4f7ca53c280802299eb0 | fccbdf34d33a407db1b53bed048d1187 |       | 840500fb441a442fbcbca30d3a773b2c |                                  |        | False     |
| cd572da356fb4f7ca53c280802299eb0 | 70d3715e7e2246c08c901d0e96038443 |       |                                  | 0a6274ff7f994e8cb6f40e13b0d39ca2 |        | False     |
| cd572da356fb4f7ca53c280802299eb0 | 5c100e870cbd4744af6e546fc9215a37 |       |                                  |                                  | all    | False     |
+----------------------------------+----------------------------------+-------+----------------------------------+----------------------------------+--------+-----------+
❯ openstack user show admin
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 5c100e870cbd4744af6e546fc9215a37 |
| name                | admin                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

How can I get all the stacks for all projects?

Thanks,
Best Regards,

Boxiang Zhu
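
Added example, not part of either message and not Heat or oslo.policy code: a simplified Python model of why the rule "role:reader and system_scope:all" quoted in the thread fails for a token scoped through OS_PROJECT_NAME and passes for one scoped through OS_SYSTEM_SCOPE=all. The function names, the role assignments and the refusal of mixed scope variables are assumptions made for the illustration.

```python
# Added illustration: simplified model, not oslo.policy/Heat code; data is constructed.
RULE = "role:reader and system_scope:all"   # rule quoted in the thread
ASSIGNMENTS = {"system": ["reader"], ("project", "admin"): ["reader"]}
PROJECT_RC = {"OS_PROJECT_NAME": "admin", "OS_TENANT_NAME": "admin",
              "OS_PROJECT_DOMAIN_NAME": "Default"}
SYSTEM_RC = {"OS_SYSTEM_SCOPE": "all"}


def scope_from_openrc(env):
    """Return the Keystone v3 auth "scope" object these OS_* variables ask for.
    Mixed project and system settings are refused (a choice of this model)."""
    project = env.get("OS_PROJECT_NAME") or env.get("OS_TENANT_NAME")
    if env.get("OS_SYSTEM_SCOPE") and project:
        raise ValueError("both project and system scope requested")
    if env.get("OS_SYSTEM_SCOPE"):
        return {"system": {env["OS_SYSTEM_SCOPE"]: True}}
    if project:
        domain = env.get("OS_PROJECT_DOMAIN_NAME", "Default")
        return {"project": {"name": project, "domain": {"name": domain}}}
    return None  # unscoped


def credentials(scope, assignments):
    """Model token credentials: only roles assigned on the requested scope appear."""
    creds = {"roles": [], "system_scope": None, "project_name": None}
    if scope and "system" in scope:
        creds["system_scope"] = "all"
        creds["roles"] = list(assignments.get("system", []))
    elif scope and "project" in scope:
        creds["project_name"] = scope["project"]["name"]
        creds["roles"] = list(assignments.get(("project", creds["project_name"]), []))
    return creds


def enforce(rule, creds):
    """Evaluate an "and"-joined rule of "key:value" checks against the credentials."""
    for check in rule.split(" and "):
        kind, _, match = check.strip().partition(":")
        if kind == "role":
            ok = match.lower() in [r.lower() for r in creds["roles"]]
        else:  # generic check: compare the credential of that name
            ok = str(creds.get(kind)) == match
        if not ok:
            return False
    return True


if __name__ == "__main__":
    for name, rc in (("project", PROJECT_RC), ("system", SYSTEM_RC)):
        print(name, enforce(RULE, credentials(scope_from_openrc(rc), ASSIGNMENTS)))
```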