[heat] ERROR: You are not authorized to use stacks:global_index.
Hi,
I deployed the openstack with kolla-ansible. And the openstack_release of globals.yml is master. The version of openstackclient and heatclient is 5.8.0 and 3.0.0.
I run command "source /etc/kolla/admin-openrc.sh" to export env of openstack.
OS_PROJECT_DOMAIN_NAME=Default
OS_USER_DOMAIN_NAME=Default
OS_PROJECT_NAME=admin
OS_TENANT_NAME=admin
OS_USERNAME=admin
OS_PASSWORD=xxxxxxxxx
OS_AUTH_URL=http://192.168.100.10:5000
OS_INTERFACE=internal
OS_ENDPOINT_TYPE=internalURL
OS_MANILA_ENDPOINT_TYPE=internalURL
OS_IDENTITY_API_VERSION=3
OS_REGION_NAME=RegionOne
OS_AUTH_PLUGIN=password
Then I try to list all stacks with command "openstack stack list --all-projects". But I got the error messages as follows:
ERROR: You are not authorized to use stacks:global_index.
I see the policy is "role:reader and system_scope:all". I think the user admin has role reader and also with system_scope:all.
❯ openstack role assignment list
+----------------------------------+----------------------------------+-------+----------------------------------+----------------------------------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain                           | System | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+----------------------------------+--------+-----------+
| cd572da356fb4f7ca53c280802299eb0 | fccbdf34d33a407db1b53bed048d1187 |       | 840500fb441a442fbcbca30d3a773b2c |                                  |        | False     |
| cd572da356fb4f7ca53c280802299eb0 | 70d3715e7e2246c08c901d0e96038443 |       |                                  | 0a6274ff7f994e8cb6f40e13b0d39ca2 |        | False     |
| cd572da356fb4f7ca53c280802299eb0 | 5c100e870cbd4744af6e546fc9215a37 |       |                                  |                                  | all    | False     |
+----------------------------------+----------------------------------+-------+----------------------------------+----------------------------------+--------+-----------+
❯ openstack user show admin
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 5c100e870cbd4744af6e546fc9215a37 |
| name                | admin                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
How can I get all the stacks for all projects?
Thanks, Best Regards,
Boxiang Zhu
Hello,
Your admin-openrc.sh includes OS_PROJECT_NAME and OS_TENANT_NAME. This means you are using project scope instead of system scope.
If you want to use the project scope access you should remove these two variables and use OS_SYSTEM_SCOPE=all instead.
> I see the policy is "role:reader and system_scope:all". I think the user admin has role reader and also with system_scope:all.
Policy rule enforcement is applied based on the scope used in API access. In your case you use project scope token to access the Heat API so the system scope role assignment is NOT populated.
Also, unfortunately the Heat API does not allow the CLI to use system scope because of the project_id/tenant_id template in its endpoint URL, which can't be resolved when system scope is used. If you want to use system scope to access the Heat API then you are likely to need to implement your own tool or use a raw HTTP client such as curl.
Thank you, Takashi
On Fri, Aug 26, 2022 at 4:08 PM Boxiang Zhu bxzhu_5355@163.com wrote:
> Hi,
> I deployed the openstack with kolla-ansible. And the openstack_release of globals.yml is master. The version of openstackclient and heatclient is 5.8.0 and 3.0.0.
> I run command "source /etc/kolla/admin-openrc.sh" to export env of openstack.
> OS_PROJECT_DOMAIN_NAME=Default
> OS_USER_DOMAIN_NAME=Default
> OS_PROJECT_NAME=admin
> OS_TENANT_NAME=admin
> OS_USERNAME=admin
> OS_PASSWORD=xxxxxxxxx
> OS_AUTH_URL=http://192.168.100.10:5000
> OS_INTERFACE=internal
> OS_ENDPOINT_TYPE=internalURL
> OS_MANILA_ENDPOINT_TYPE=internalURL
> OS_IDENTITY_API_VERSION=3
> OS_REGION_NAME=RegionOne
> OS_AUTH_PLUGIN=password
> Then I try to list all stacks with command "openstack stack list --all-projects". But I got the error messages as follows:
> *ERROR: You are not authorized to use stacks:global_index.*
> I see the policy is "role:reader and system_scope:all". I think the user admin has role reader and also with system_scope:all.
> ❯ openstack role assignment list
> +----------------------------------+----------------------------------+-------+----------------------------------+----------------------------------+--------+-----------+
> | Role                             | User                             | Group | Project                          | Domain                           | System | Inherited |
> +----------------------------------+----------------------------------+-------+----------------------------------+----------------------------------+--------+-----------+
> | cd572da356fb4f7ca53c280802299eb0 | fccbdf34d33a407db1b53bed048d1187 |       | 840500fb441a442fbcbca30d3a773b2c |                                  |        | False     |
> | cd572da356fb4f7ca53c280802299eb0 | 70d3715e7e2246c08c901d0e96038443 |       |                                  | 0a6274ff7f994e8cb6f40e13b0d39ca2 |        | False     |
> | cd572da356fb4f7ca53c280802299eb0 | *5c100e870cbd4744af6e546fc9215a37* |       |                                  |                                  | *all * | False     |
> +----------------------------------+----------------------------------+-------+----------------------------------+----------------------------------+--------+-----------+
> ❯ openstack user show admin
> +---------------------+----------------------------------+
> | Field               | Value                            |
> +---------------------+----------------------------------+
> | domain_id           | default                          |
> | enabled             | True                             |
> | id                  | *5c100e870cbd4744af6e546fc9215a37* |
> | name                | admin                            |
> | options             | {}                               |
> | password_expires_at | None                             |
> +---------------------+----------------------------------+
> How can I get all the stacks for all projects?
> Thanks, Best Regards,
> Boxiang Zhu
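
The point made in the reply above, as an added example that is not part of the thread and is not Keystone, keystoneauth or oslo.policy code: the scope chosen in the token request decides which role assignments reach the policy check. The assignment data, implied-role table and function names are constructed assumptions; the rule string and the variable names are the ones quoted in the thread.

```python
# Simplified model of scope selection and the policy check; all data is constructed.
IMPLIED = {"admin": {"admin", "member", "reader"},
           "member": {"member", "reader"}, "reader": {"reader"}}
# Constructed assignments for user "admin": (role, target kind, target name).
ASSIGNMENTS = [("admin", "project", "admin"), ("admin", "system", "all")]

def scope_from_env(env):
    """Build the "scope" object of a POST /v3/auth/tokens request body."""
    project = env.get("OS_PROJECT_NAME") or env.get("OS_TENANT_NAME")
    system = env.get("OS_SYSTEM_SCOPE")
    if project and system:
        raise ValueError("a token carries one scope: project or system, not both")
    if system:
        return {"system": {"all": True}}
    if project:
        return {"project": {"name": project,
                            "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]}}}
    return None  # unscoped token

def credentials(scope):
    """Credentials a service would derive from a token issued for this scope."""
    if scope is None:
        return {"roles": set(), "system_scope": None}
    kind = "system" if "system" in scope else "project"
    name = "all" if kind == "system" else scope["project"]["name"]
    roles = set()
    for role, a_kind, a_name in ASSIGNMENTS:
        if (a_kind, a_name) == (kind, name):  # only assignments on the token's scope
            roles |= IMPLIED[role]
    return {"roles": roles, "system_scope": "all" if kind == "system" else None}

def enforce(rule, creds):
    """Evaluate an 'and'-joined rule of role:<name> and system_scope:<value> checks."""
    for check in rule.split(" and "):
        kind, _, value = check.strip().partition(":")
        ok = {"role": value in creds["roles"],
              "system_scope": creds["system_scope"] == value}.get(kind, False)
        if not ok:  # unknown check kinds fail closed
            return False
    return True

RULE = "role:reader and system_scope:all"  # stacks:global_index, as quoted in the thread
OPENRC = {"OS_PROJECT_DOMAIN_NAME": "Default", "OS_PROJECT_NAME": "admin",
          "OS_TENANT_NAME": "admin", "OS_USERNAME": "admin"}
SYSTEM_RC = {"OS_USERNAME": "admin", "OS_SYSTEM_SCOPE": "all"}

if __name__ == "__main__":
    for label, env in (("admin-openrc.sh", OPENRC), ("system scope", SYSTEM_RC)):
        print(label, "->", enforce(RULE, credentials(scope_from_env(env))))
```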