Bug 1924658
| Summary: | Unable to delete keystone domains | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Srinivas Atmakuri <satmakur> |
| Component: | openstack-keystone | Assignee: | Grzegorz Grasza <ggrasza> |
| Status: | CLOSED ERRATA | QA Contact: | Jeremy Agee <jagee> |
| Severity: | high | Docs Contact: | |
| Priority: | medium | ||
| Version: | 13.0 (Queens) | CC: | alee, dhill, dmendiza, ggrasza, gkadam, hrybacki, oblaut, shtiwari, vkoul |
| Target Milestone: | zstream | Keywords: | Triaged |
| Target Release: | 16.2 (Train on RHEL 8.4) | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | openstack-keystone-16.0.3-2.20210910184811.acef9c6 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-03-23 22:10:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Setting this to needinfo until the customer gets back to us. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Release of components for Red Hat OpenStack Platform 16.2.2), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:1001 |
Description of problem: Unable to delete the keystone domains, facing the below error., ~~~ /var/log/containers/keystone/keystone.log:2020-10-15 10:10:51.661 23 WARNING py.warnings [req-9b530880-1ff1-4f79-aec6-1573cb4a0f7a <> <> - default default] /usr/lib/python2.7/site-packages/oslo_policy/policy.py:869: UserWarning: Policy identity:delete_domain failed scope check. The token used to make the request was project scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intended scope is required ~~~ Version-Release number of selected component (if applicable): Red Hat OpenStack Platform - 13 How reproducible: Not Always Steps to Reproduce: 1.Created an LDAP domain for keystone via director templates 2.openstack domain delete <> Actual results: Expect the domain and the shadow users to get deleted Expected results: domain is un-deleted Additional info: The system expects a system scope token instead of a project scope, and using the system scope token gives the below error., {"error": {"message": "You are not authorized to perform the requested action.", "code": 403, "title": "Forbidden"}}