Closed GregBlow closed 5 months ago
Piotr Parczewski
Hi George Beckett, Greg Blow, granting a reader role in a project to the affected user will resolve the issue.
Correction - while granting the reader role appears to be working, the root cause for broken access is/was a missing member role in the projects.
Thanks. I've just tried applying the reader role to my non-admin account (gblow) on the Qserv project, but am still getting the same error when I `openstack server list --project qserv`: Policy doesn't allow os_compute_api:servers:detail:get_all_tenants to be performed. (HTTP 403) (Request-ID: req-43dc372f-a3b1-49ad-a4a4-b206365c305d)
Do I need a new application credential?
Well, application credentials are the second part of the issue - the quick way is to regenerate these, but there’s also a fix that I’m going to apply now - we’ll know if it worked afterwards.
gblow@EPCC-WIN-P12:~$ openstack service list
You are not authorized to perform the requested action: identity:list_services. (HTTP 403) (Request-ID: req-b21daea5-89fc-4f8a-815b-35165f78c4d2)
gblow@EPCC-WIN-P12:~$ openstack server list --project qserv
Policy doesn't allow os_compute_api:servers:detail:get_all_tenants to be performed. (HTTP 403) (Request-ID: req-88b1e2e1-b980-40a6-b57e-444f56f69d5b)
27.1.0
Upgrade Notes
Configuration of service user tokens is now required for all Nova services to ensure security of block-storage volume data.
All Nova configuration files must configure the [service_user] section as described in the [documentation](https://docs.openstack.org/nova/latest/admin/configuration/service-user-token.html).
See https://bugs.launchpad.net/nova/+bug/2004555 for more details.
This issue should be resolved now. Reported issues and solution from StackHPC:
OpenStack Antelope Nova policy change issue has been resolved. The following actions were taken in the course of troubleshooting:
@GregBlow can we close this?
Fixed with the above merge.
listing of servers by project is presently blocked by policy:
Blocking operations of tenants e.g. RSP; clusters cannot be created.