<div dir="ltr"><div>Hello,</div><div><br></div><div>Your admin-openrc.sh includes OS_PROJECT_NAME and OS_TENANT_NAME. This means</div><div>you are using project scope instead of system scope.</div><div><br></div><div>If you want to use the project scope access you should remove these two variables and use</div><div>OS_SYSTEM_SCOPE=all instead.</div><div><br></div><div>&gt; I see the policy is "role:reader and system_scope:all". I think the user admin has role reader<br>&gt; and also with system_scope:all.</div><div>Policy rule enforcement is applied based on the scope used in API access. In your case you use</div><div>a project scope token to access the Heat API so the system scope role assignment is NOT populated.<br></div><div><br></div><div><br></div><div>Also, unfortunately the Heat API does not allow the CLI to use system scope because of the project_id/tenant_id</div><div>template in its endpoint URL, which can't be resolved when system scope is used. If you want to use system scope</div><div>to access the Heat API then you are likely to need to implement your own tool or use a raw HTTP client such as curl.</div><div><br></div><div>Thank you,</div><div>Takashi<br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Aug 26, 2022 at 4:08 PM Boxiang Zhu &lt;<a href="mailto:bxzhu_5355@163.com">bxzhu_5355@163.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="line-height:1.7;color:rgb(0,0,0);font-size:14px;font-family:Arial"><div style="margin:0px"><br></div><div style="margin:0px">Hi,</div><div style="margin:0px"><br></div><div style="margin:0px">I deployed OpenStack with kolla-ansible.
And the openstack_release of globals.yml is master.</div><div style="margin:0px">The versions of openstackclient and heatclient are 5.8.0 and 3.0.0.</div><div style="margin:0px"><br></div><div style="margin:0px">I ran the command "source /etc/kolla/admin-openrc.sh" to export the OpenStack environment variables.</div><div style="margin:0px"><div style="margin:0px">OS_PROJECT_DOMAIN_NAME=Default</div><div style="margin:0px">OS_USER_DOMAIN_NAME=Default</div><div style="margin:0px">OS_PROJECT_NAME=admin</div><div style="margin:0px">OS_TENANT_NAME=admin</div><div style="margin:0px">OS_USERNAME=admin</div><div style="margin:0px">OS_PASSWORD=xxxxxxxxx</div><div style="margin:0px">OS_AUTH_URL=<a href="http://192.168.100.10:5000" target="_blank">http://192.168.100.10:5000</a></div><div style="margin:0px">OS_INTERFACE=internal</div><div style="margin:0px">OS_ENDPOINT_TYPE=internalURL</div><div style="margin:0px">OS_MANILA_ENDPOINT_TYPE=internalURL</div><div style="margin:0px">OS_IDENTITY_API_VERSION=3</div><div style="margin:0px">OS_REGION_NAME=RegionOne</div><div style="margin:0px">OS_AUTH_PLUGIN=password</div></div><div style="margin:0px"><br></div><div style="margin:0px">Then I tried to list all stacks with the command "openstack stack list --all-projects". But I got the error</div><div style="margin:0px">message as follows:</div><div style="margin:0px"><b>ERROR: You are not authorized to use stacks:global_index.</b></div><div style="margin:0px"><br></div><div style="margin:0px">I see the policy is "role:reader and system_scope:all".
I think the user admin has role reader</div><div style="margin:0px">and also with system_scope:all.</div><div style="margin:0px"><div style="margin:0px">❯ openstack role assignment list</div><div style="margin:0px">+----------------------------------+----------------------------------+-------+----------------------------------+----------------------------------+--------+-----------+</div><div style="margin:0px">| Role                             | User                             | Group | Project                          | Domain                           | System | Inherited |</div><div style="margin:0px">+----------------------------------+----------------------------------+-------+----------------------------------+----------------------------------+--------+-----------+</div><div style="margin:0px">| cd572da356fb4f7ca53c280802299eb0 | fccbdf34d33a407db1b53bed048d1187 |       | 840500fb441a442fbcbca30d3a773b2c |                                  |        | False     |</div><div style="margin:0px">| cd572da356fb4f7ca53c280802299eb0 | 70d3715e7e2246c08c901d0e96038443 |       |                                  | 0a6274ff7f994e8cb6f40e13b0d39ca2 |        | False     |</div><div style="margin:0px">| cd572da356fb4f7ca53c280802299eb0 | <b>5c100e870cbd4744af6e546fc9215a37</b> |       |                                  |                                  | <b>all    </b>| False     |</div><div style="margin:0px">+----------------------------------+----------------------------------+-------+----------------------------------+----------------------------------+--------+-----------+</div><div style="margin:0px">❯ openstack user show admin</div><div style="margin:0px">+---------------------+----------------------------------+</div><div style="margin:0px">| Field               | Value                            |</div><div style="margin:0px">+---------------------+----------------------------------+</div><div style="margin:0px">| domain_id           | default                   
       |</div><div style="margin:0px">| enabled             | True                             |</div><div style="margin:0px">| id                  | <b>5c100e870cbd4744af6e546fc9215a37</b> |</div><div style="margin:0px">| name                | admin                            |</div><div style="margin:0px">| options             | {}                               |</div><div style="margin:0px">| password_expires_at | None                             |</div><div style="margin:0px">+---------------------+----------------------------------+</div></div><div style="margin:0px"><br></div><div style="margin:0px">How can I get all the stacks for all projects?</div><div style="margin:0px"><br></div><div style="margin:0px">Thanks,</div><div style="margin:0px">Best Regards,</div><div style="margin:0px"><br></div><div style="margin:0px">Boxiang Zhu</div><div style="margin:0px"><br></div></div></blockquote></div>
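<div>Added example, not part of the original thread and not Heat, Keystone or oslo.policy code: it models why the rule "role:reader and system_scope:all" rejects a token obtained with the project-scoped openrc above and accepts a system-scoped one. The function names, the env-to-scope mapping and the role lists are assumptions constructed for illustration; the request body follows the Keystone v3 password authentication format.</div>

```python
RULE = "role:reader and system_scope:all"  # rule quoted in the thread

def scope_from_env(env):
    """Assumed, simplified mapping from openrc variables to a token scope."""
    project = env.get("OS_PROJECT_NAME") or env.get("OS_TENANT_NAME")
    if project:
        domain = {"name": env.get("OS_PROJECT_DOMAIN_NAME", "Default")}
        return {"project": {"name": project, "domain": domain}}
    if env.get("OS_SYSTEM_SCOPE") == "all":
        return {"system": {"all": True}}
    return None  # unscoped token

def auth_body(env):
    """Keystone v3 password request body for POST /v3/auth/tokens."""
    user = {"name": env["OS_USERNAME"], "password": env["OS_PASSWORD"],
            "domain": {"name": env.get("OS_USER_DOMAIN_NAME", "Default")}}
    auth = {"identity": {"methods": ["password"], "password": {"user": user}}}
    scope = scope_from_env(env)
    if scope:
        auth["scope"] = scope
    return {"auth": auth}

def credentials(scope, assignments):
    """Context the service sees: only roles assigned on the token's own scope."""
    kind = next(iter(scope)) if scope else None
    creds = {"roles": assignments.get(kind, [])}
    if kind == "system":
        creds["system_scope"] = "all"
    return creds

def enforce(rule, creds):
    """Evaluate an 'and' of kind:match checks (simplified policy stand-in)."""
    for check in rule.split(" and "):
        kind, match = check.strip().split(":", 1)
        if kind == "role":
            ok = match.lower() in [r.lower() for r in creds["roles"]]
        else:
            ok = str(creds.get(kind)) == match
        if not ok:
            return False
    return True

def allowed(env, assignments):
    return enforce(RULE, credentials(scope_from_env(env), assignments))

# Constructed inputs: the thread's openrc (password redacted) and a system-scope variant.
PAGE_ENV = {"OS_USERNAME": "admin", "OS_PASSWORD": "xxxxxxxxx",
            "OS_PROJECT_NAME": "admin", "OS_TENANT_NAME": "admin"}
SYSTEM_ENV = {"OS_USERNAME": "admin", "OS_PASSWORD": "xxxxxxxxx", "OS_SYSTEM_SCOPE": "all"}
ROLES = {"project": ["admin", "member", "reader"], "system": ["reader"]}  # constructed
```

<div>With PAGE_ENV the reader role is present but the context carries no system_scope, so the second check fails; with SYSTEM_ENV both checks pass.</div>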