Policy doesn't allow os_compute_api:servers:detail to be performed.

[GregBlow]

listing of servers by project is presently blocked by policy:

OpenStack services (except Ironic and Keystone) stopped supporting the system scope in their API policy. Kolla who started using the system scope token during the OpenStack Xena release needs to revert it and use the project scope token to perform those services API operations. The Ironic and Keystone operations are still performed using the system scope token.

Blocking operations of tenants e.g. RSP; clusters cannot be created.

[GregBlow]

reference to problem in kolla codebase:

https://opendev.org/openstack/kolla-ansible/src/commit/283fa242caffe058ec770941da7889e6e1fbff5b/releasenotes/notes/stop-using-system-scope-token-328a64927dc0fb2e.yaml

[GregBlow]

see also:

https://opendev.org/openstack/kolla-ansible/commit/283fa242caffe058ec770941da7889e6e1fbff5b

[GregBlow]

Piotr Parczewski

Hi George Beckett, Greg Blow granting a reader role in a project to affected user will resolve the issue

Correction - while granting reader role appears to be working, root cause for broken access is/was a missing member role in the projects (edited)

thanks. I've just tried applying the reader role to my non-admin account (gblow) on the Qserv project, but am still getting the same error when I openstack server list --project qserv Policy doesn't allow os_compute_api:servers:detail:get_all_tenants to be performed. (HTTP 403) (Request-ID: req-43dc372f-a3b1-49ad-a4a4-b206365c305d)

do I need a new application credential?

well, application credentials are second part of the issue - quick way is to regenerate these, but there’s also fix that I’m going to apply now - we’ll know if it worked afterwards

[GregBlow]

gblow@EPCC-WIN-P12:~$ openstack service list
You are not authorized to perform the requested action: identity:list_services. (HTTP 403) (Request-ID: req-b21daea5-89fc-4f8a-815b-35165f78c4d2)

gblow@EPCC-WIN-P12:~$ openstack server list --project qserv
Policy doesn't allow os_compute_api:servers:detail:get_all_tenants to be performed. (HTTP 403) (Request-ID: req-88b1e2e1-b980-40a6-b57e-444f56f69d5b)

[GregBlow]

27.1.0
Upgrade Notes

    Configuration of service user tokens is now required for all Nova services to ensure security of block-storage volume data.

    All Nova configuration files must configure the [service_user] section as described in the [documentation](https://docs.openstack.org/nova/latest/admin/configuration/service-user-token.html).

    See https://bugs.launchpad.net/nova/+bug/2004555 for more details.

[astrodb]

This issue should be resolved now. Reported issues and solution from StackHPC:

OpenStack Antelope Nova policy change issue has been resolved. The following actions were taken in the course of troubleshooting:

• some Application Credentials were recreated manually by users. Recreating was enough to have a new working set of credentials in place, together with now required 'reader' role for OpenStack projects. StackHPC ran SQL queries against Keystone database to ensure remaining Application Credentials have all 'reader' role attached to it;
• users were instructed that it is mandatory to have a 'member' role in the projects they wish to work with (either using CLI or Horizon). Greg did corrections to Keystone federation mappings to ensure all new users will get proper project membership roles.
• custom policies have been applied to allow Magnum clusters to work (creating & deleting): https://git.ecdf.ed.ac.uk/lsstuk-somerville/kayobe-config/-/commit/d6d5d8dff86c0824829de065f111a9410a23a059 So far no further Nova errors appeared in the logs after applying a fix - admittedly, this should be handled much smoother within Magnum project itself.
• "service" project quotas has been adjusted to allow creating 500 Amphora load balancers - previous quota limit of 10 was hit and prevented new load balancers from being created. This was another blocker for load balancer enabled new Magnum clusters.

[astrodb]

@GregBlow can we close this?

[GregBlow]

https://git.ecdf.ed.ac.uk/lsstuk-somerville/kayobe-config/-/commit/781b1a94ae77a4be87d6a421c901b537ed6e0083

Fixed with the above merge.