[heat] ERROR: You are not authorized to use stacks:global_index.

Takashi Kajinami tkajinam at redhat.com
Sun Aug 28 13:52:22 UTC 2022


Hello,

Your admin-openrc.sh includes OS_PROJECT_NAME and OS_TENANT_NAME. This means
you are using project scope instead of system scope.

If you want to use the project scope access you should remove these two
variables and use OS_SYSTEM_SCOPE=all instead.

> I see the policy is "role:reader and system_scope:all". I think the user
> admin has role reader and also with system_scope:all.

Policy rule enforcement is applied based on the scope used in API access.
In your case you use a project scope token to access the Heat API so the
system scope role assignment is NOT populated.


Also, unfortunately the Heat API does not allow the CLI to use system scope
because of the project_id/tenant_id template in its endpoint URL, which
can't be resolved when system scope is used. If you want to use system scope
to access the Heat API then you are likely to need to implement your own tool
or use a raw HTTP client such as curl.

Thank you,
Takashi


On Fri, Aug 26, 2022 at 4:08 PM Boxiang Zhu <bxzhu_5355 at 163.com> wrote:

>
> Hi,
>
> I deployed the openstack with kolla-ansible. And the openstack_release of
> globals.yml is master.
> The version of openstackclient and heatclient is 5.8.0 and 3.0.0.
>
> I run command "source /etc/kolla/admin-openrc.sh" to export env of
> openstack.
> OS_PROJECT_DOMAIN_NAME=Default
> OS_USER_DOMAIN_NAME=Default
> OS_PROJECT_NAME=admin
> OS_TENANT_NAME=admin
> OS_USERNAME=admin
> OS_PASSWORD=xxxxxxxxx
> OS_AUTH_URL=http://192.168.100.10:5000
> OS_INTERFACE=internal
> OS_ENDPOINT_TYPE=internalURL
> OS_MANILA_ENDPOINT_TYPE=internalURL
> OS_IDENTITY_API_VERSION=3
> OS_REGION_NAME=RegionOne
> OS_AUTH_PLUGIN=password
>
> Then I try to list all stacks with command "openstack stack list
> --all-projects". But I got the error messages as follows:
> *ERROR: You are not authorized to use stacks:global_index.*
>
> I see the policy is "role:reader and system_scope:all". I think the user
> admin has role reader and also with system_scope:all.
> ❯ openstack role assignment list
> +----------------------------------+------------------------------------+-------+----------------------------------+----------------------------------+--------+-----------+
> | Role                             | User                               | Group | Project                          | Domain                           | System | Inherited |
> +----------------------------------+------------------------------------+-------+----------------------------------+----------------------------------+--------+-----------+
> | cd572da356fb4f7ca53c280802299eb0 | fccbdf34d33a407db1b53bed048d1187   |       | 840500fb441a442fbcbca30d3a773b2c |                                  |        | False     |
> | cd572da356fb4f7ca53c280802299eb0 | 70d3715e7e2246c08c901d0e96038443   |       |                                  | 0a6274ff7f994e8cb6f40e13b0d39ca2 |        | False     |
> | cd572da356fb4f7ca53c280802299eb0 | *5c100e870cbd4744af6e546fc9215a37* |       |                                  |                                  | *all*  | False     |
> +----------------------------------+------------------------------------+-------+----------------------------------+----------------------------------+--------+-----------+
> ❯ openstack user show admin
> +---------------------+----------------------------------+
> | Field               | Value                            |
> +---------------------+----------------------------------+
> | domain_id           | default                          |
> | enabled             | True                             |
> | id                  | *5c100e870cbd4744af6e546fc9215a37* |
> | name                | admin                            |
> | options             | {}                               |
> | password_expires_at | None                             |
> +---------------------+----------------------------------+
>
> How can I get all the stacks for all projects?
>
> Thanks,
> Best Regards,
>
> Boxiang Zhu
>
>
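An added example, not part of either message and not code from Heat, keystoneauth or kolla-ansible: it reads openrc-style variables, works out which scope they request, builds the matching Keystone v3 `POST /v3/auth/tokens` body, and applies a simplified stand-in for the rule "role:reader and system_scope:all". The helper names and the sample openrc contents are assumptions made for illustration, as is the choice to reject an environment that sets both scopes.

```python
# The two project-scope variables named in the thread.
PROJECT_VARS = ("OS_PROJECT_NAME", "OS_TENANT_NAME")

def parse_openrc(text):
    """Collect KEY=VALUE pairs from openrc-style lines ('export' prefix optional)."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("export "):
            line = line[len("export "):]
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("'\"")
    return env

def requested_scope(env):
    """Return 'system', 'project' or 'unscoped'; a mix of both is rejected (this example's choice)."""
    project = [v for v in PROJECT_VARS if env.get(v)]
    system = env.get("OS_SYSTEM_SCOPE")
    if project and system:
        raise ValueError("both system and project scope set: " + ", ".join(project))
    return "system" if system else "project" if project else "unscoped"

def token_request(env):
    """Build the Keystone v3 token request body for the scope the environment asks for."""
    user = {"name": env["OS_USERNAME"], "password": env["OS_PASSWORD"],
            "domain": {"name": env.get("OS_USER_DOMAIN_NAME", "Default")}}
    auth = {"identity": {"methods": ["password"], "password": {"user": user}}}
    scope = requested_scope(env)
    if scope == "system":
        auth["scope"] = {"system": {"all": True}}
    elif scope == "project":
        name = env.get("OS_PROJECT_NAME") or env.get("OS_TENANT_NAME")
        auth["scope"] = {"project": {"name": name, "domain": {
            "name": env.get("OS_PROJECT_DOMAIN_NAME", "Default")}}}
    return {"auth": auth}

def global_index_allowed(scope, roles):
    """Simplified model of 'role:reader and system_scope:all' (not oslo.policy itself)."""
    return "reader" in roles and scope == "system"

# Constructed sample inputs modelled on the variables discussed in the thread.
PROJECT_RC = "OS_PROJECT_NAME=admin\nOS_TENANT_NAME=admin\nOS_USERNAME=admin\nOS_PASSWORD=example\n"
SYSTEM_RC = "export OS_SYSTEM_SCOPE=all\nOS_USERNAME=admin\nOS_PASSWORD=example\n"

if __name__ == "__main__":
    for rc in (PROJECT_RC, SYSTEM_RC):
        env = parse_openrc(rc)
        print(requested_scope(env), token_request(env)["auth"]["scope"])
```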