[keystone] application creds issue with permission
Folks,

I am running the 2023.1 release of OpenStack using kolla-ansible. I have integrated with LDAP and everything works fine. But today when I created application creds and used them to access the OpenStack API, I got all kinds of strange auth errors.

    #!/usr/bin/env bash
    export OS_AUTH_TYPE=v3applicationcredential
    export OS_AUTH_URL=https://openstack-eng.example.com:5000
    export OS_IDENTITY_API_VERSION=3
    export OS_REGION_NAME="eng"
    export OS_INTERFACE=public
    export OS_APPLICATION_CREDENTIAL_ID=ee17300916b1401f912f6140ce9cd642
    export OS_APPLICATION_CREDENTIAL_SECRET=XXXXXXXXX

    # openstack server list
    ForbiddenException: 403: Client Error for url: https://openstack-eng.example.com:8774/v2.1/servers/detail?deleted=False, Policy doesn't allow os_compute_api:servers:detail to be performed.

    # openstack image list
    ForbiddenException: 403: Client Error for url: https://openstack-eng.example.com:9292/v2/images, You are not authorized to complete get_images action.

What is wrong here? I have one more OpenStack setup which is not using LDAP, and in that cloud application creds are working fine.

    # cat /etc/keystone/keystone.conf
    [DEFAULT]
    debug = False
    transport_url = hiding....
    log_file = /var/log/kolla/keystone/keystone.log
    use_stderr = True

    [oslo_middleware]
    enable_proxy_headers_parsing = True

    [database]
    connection = mysql+pymysql://keystone:hiding...@openstack-eng.example.com:3306/keystone
    connection_recycle_time = 10
    max_pool_size = 1
    max_retries = -1

    [identity]
    domain_specific_drivers_enabled = true
    domain_config_dir = /etc/keystone/domains

    [token]
    revoke_by_id = False
    provider = fernet
    expiration = 86400
    allow_expired_window = 172800

    [fernet_tokens]
    max_active_keys = 3

    [cache]
    backend = oslo_cache.memcache_pool
    enabled = True
    memcache_servers = 10.0.25.201:11211,10.0.25.202:11211,10.0.25.203:11211

    [oslo_messaging_notifications]
    transport_url = rabbit://openstack:hiding....
    driver = noop

    [oslo_messaging_rabbit]
    heartbeat_in_pthread = True
    amqp_durable_queues = true
    rabbit_quorum_queue = true
    kombu_reconnect_delay = 0.5
    rabbit_transient_queues_ttl = 60

    # cat /etc/keystone/domains/keystone.eng.conf
    # Ansible managed
    [identity]
    driver = ldap

    [ldap]
    debug_level = 4095
    group_allow_create = False
    group_allow_delete = False
    group_allow_update = False
    group_id_attribute = cn
    hiding....
    hiding....
participants (1)
-
Satish Patel
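An added diagnostic for the symptom in the post above (example code written for this page, not from the original post, from Keystone or from kolla-ansible). The 403s come from nova's and glance's policy checks, which key on the roles and project scope carried by the token Keystone issued, so the first thing to verify is what that token actually contains. The script builds the v3 auth request body for the "application_credential" method (the request that OS_AUTH_TYPE=v3applicationcredential makes the client send), then reads roles, scope and the app-cred restriction flag out of the token body and reports the conditions under which a policy-based 403 is expected. The environment variable names are the ones from the post; the two token bodies embedded in the script are constructed samples in the documented v3 token shape, not output from the poster's cloud. Run it with OS_AUTH_URL, OS_APPLICATION_CREDENTIAL_ID and OS_APPLICATION_CREDENTIAL_SECRET exported to inspect a live token, or with nothing exported to see it applied to the constructed sample.

```python
"""Inspect what a Keystone v3 application-credential token actually carries.

Added example for this thread, not code from the original post or from
Keystone. Token bodies at the bottom are constructed samples.
"""
import json
import os
import urllib.request

KEYSTONE_AUTH_PATH = "/v3/auth/tokens"


def build_app_cred_auth_body(app_cred_id: str, secret: str) -> dict:
    """Request body for POST /v3/auth/tokens with an application credential.

    There is deliberately no "scope" block: an application credential is bound
    to one project when it is created, so Keystone derives the scope from the
    credential itself.
    """
    return {
        "auth": {
            "identity": {
                "methods": ["application_credential"],
                "application_credential": {"id": app_cred_id, "secret": secret},
            }
        }
    }


def summarize_token(token: dict) -> dict:
    """Collect the token fields that oslo.policy rules in nova/glance key on."""
    user = token.get("user", {})
    project = token.get("project") or {}
    app_cred = token.get("application_credential") or {}
    return {
        "methods": token.get("methods", []),
        "user": user.get("name"),
        "user_domain": user.get("domain", {}).get("name"),
        "project": project.get("name"),
        "project_domain": project.get("domain", {}).get("name"),
        "roles": sorted(r["name"] for r in token.get("roles", [])),
        "app_cred_restricted": app_cred.get("restricted"),
    }


def diagnose(summary: dict) -> list:
    """Return the reasons a policy-based 403 is expected from this token."""
    findings = []
    if "application_credential" not in summary["methods"]:
        findings.append("token was not issued via an application credential")
    if summary["project"] is None:
        findings.append("token is not project-scoped; server and image listing "
                        "need a project-scoped token")
    if not summary["roles"]:
        findings.append("token carries no roles, so with default policies every "
                        "RBAC rule in nova/glance denies; check `openstack "
                        "application credential show` and the user's role "
                        "assignments on the project")
    return findings


def fetch_token(auth_url: str, app_cred_id: str, secret: str) -> dict:
    """Live call against Keystone (needs network); returns the token body."""
    req = urllib.request.Request(
        auth_url.rstrip("/") + KEYSTONE_AUTH_PATH,
        data=json.dumps(build_app_cred_auth_body(app_cred_id, secret)).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())["token"]


# Constructed samples, not real tokens. Keystone also returns expires_at,
# issued_at, audit_ids and the service catalog; those are omitted here.
_USER = {"id": "u1", "name": "satish", "domain": {"id": "d1", "name": "eng"}}
_PROJECT = {"id": "p1", "name": "eng-project", "domain": {"id": "d1", "name": "eng"}}
TOKEN_WITH_ROLES = {
    "methods": ["application_credential"], "user": _USER, "project": _PROJECT,
    "roles": [{"id": "r1", "name": "member"}, {"id": "r2", "name": "reader"}],
    "application_credential": {"id": "a1", "name": "ci", "restricted": True},
}
TOKEN_WITHOUT_ROLES = dict(TOKEN_WITH_ROLES, roles=[])


if __name__ == "__main__":
    if os.environ.get("OS_APPLICATION_CREDENTIAL_ID"):
        token = fetch_token(os.environ["OS_AUTH_URL"],
                            os.environ["OS_APPLICATION_CREDENTIAL_ID"],
                            os.environ["OS_APPLICATION_CREDENTIAL_SECRET"])
    else:
        token = TOKEN_WITHOUT_ROLES
    summary = summarize_token(token)
    print(json.dumps(summary, indent=2))
    for finding in diagnose(summary) or ["no obvious problem in the token itself"]:
        print("-", finding)
```

If the live token shows the expected project and roles, the problem is on the nova/glance policy side rather than in Keystone; if the roles list is empty or the project is missing, the token itself explains the 403 and the application credential (or the role assignments it was created from) is where to look.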