I did a little more digging and I'm still not sure what the problem is. I can create/delete users, groups, projects, domains, but not roles as there are no buttons.
For OPENSTACK_KEYSTONE_BACKEND in local_settings.py we have:

OPENSTACK_KEYSTONE_BACKEND = {
    'name': 'native',
    'can_edit_user': True,
    'can_edit_group': True,
    'can_edit_project': True,
    'can_edit_domain': True,
    'can_edit_role': True,
}

The keystone v3 policy looks fine and I'm using a cloud admin (not a domain admin, so this is not the same as bug 1775227):

    "admin_required": "role:Admin",
    "cloud_admin": "rule:admin_required and rule:domain_id:7b67d5a059154b45a5f4cb6f80310493",
    ...
    "identity:get_role": "rule:admin_required",
    "identity:list_roles": "rule:admin_required",
    "identity:create_role": "rule:cloud_admin",
    "identity:update_role": "rule:cloud_admin",
    "identity:delete_role": "rule:cloud_admin",

# openstack commands to compare vs cloud_admin policy - truncated for launchpad formatting

$ os domain list
+----------------------------------+----------------+
| ID                               | Name           |
+----------------------------------+----------------+
| 7b67d5a059154b45a5f4cb6f80310493 | admin_domain   |
+----------------------------------+----------------+

$ os user show admin
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 7b67d5a059154b45a5f4cb6f80310493 |
| email               | juju@localhost                   |
| enabled             | True                             |
| id                  | 70ffd1578204492b954792af2607bffd |
| name                | admin                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

$ os role list
+----------------------------------+---------------+
| ID                               | Name          |
+----------------------------------+---------------+
| 8a01a3463f584c34a5c56282a90b53a7 | Admin         |
+----------------------------------+---------------+

$ os role assignment list -f json
...
  {
    "Role": "8a01a3463f584c34a5c56282a90b53a7",
    "User": "70ffd1578204492b954792af2607bffd",
    "Group": "",
    "Project": "",
    "Domain": "7b67d5a059154b45a5f4cb6f80310493",
    "System": "",
    "Inherited": false
  },
...
Static assets are collected and compressed and apache2/memcached restarted. I've been testing with the Ubuntu package so I'll have to test this with upstream and see what is different.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1792783

Title:
  Cannot update Identity Roles in Rocky

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1792783/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
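
An added example, not part of the original message and not Horizon or Keystone code: a Python script that automates the manual comparison between the cloud_admin policy and the CLI output quoted above. The function names are hypothetical, the inputs are constructed from the values in the message, and it assumes the two rule strings have the shape shown there; it checks that the data is consistent and does not evaluate policy the way oslo.policy does.

```python
import json
import re

# Constructed inputs: the policy lines and CLI output quoted in the message above.
POLICY = json.loads("""{
  "admin_required": "role:Admin",
  "cloud_admin": "rule:admin_required and rule:domain_id:7b67d5a059154b45a5f4cb6f80310493",
  "identity:get_role": "rule:admin_required",
  "identity:list_roles": "rule:admin_required",
  "identity:create_role": "rule:cloud_admin",
  "identity:update_role": "rule:cloud_admin",
  "identity:delete_role": "rule:cloud_admin"
}""")
ROLES = [{"ID": "8a01a3463f584c34a5c56282a90b53a7", "Name": "Admin"}]
ASSIGNMENTS = [{"Role": "8a01a3463f584c34a5c56282a90b53a7",
                "User": "70ffd1578204492b954792af2607bffd", "Group": "",
                "Project": "", "Domain": "7b67d5a059154b45a5f4cb6f80310493",
                "System": "", "Inherited": False}]
ADMIN_USER = "70ffd1578204492b954792af2607bffd"

def cloud_admin_requirements(policy):
    """Return (role_name, domain_id) named by admin_required and cloud_admin."""
    role = re.search(r"\brole:(\w+)", policy["admin_required"])
    domain = re.search(r"\bdomain_id:([0-9a-f]{32})", policy["cloud_admin"])
    if not role or not domain:
        raise ValueError("policy does not have the expected cloud_admin shape")
    return role.group(1), domain.group(1)

def rules_requiring(policy, rule_name):
    """List the API rules whose check string references rule:<rule_name>."""
    ref = re.compile(r"\brule:%s\b" % re.escape(rule_name))
    return sorted(k for k, v in policy.items() if ":" in k and ref.search(v))

def matching_assignments(policy, roles, assignments, user_id):
    """Domain-scoped assignments giving user_id the required role on the required domain."""
    role_name, domain_id = cloud_admin_requirements(policy)
    role_ids = {r["ID"] for r in roles if r["Name"] == role_name}
    return [a for a in assignments
            if a["User"] == user_id and a["Role"] in role_ids
            and a["Domain"] == domain_id and not a["Project"]]

if __name__ == "__main__":
    print("cloud_admin needs:", cloud_admin_requirements(POLICY))
    print("gated by cloud_admin:", rules_requiring(POLICY, "cloud_admin"))
    print("assignments:", matching_assignments(POLICY, ROLES, ASSIGNMENTS, ADMIN_USER))
```

On the quoted data the assignment check passes, and only the create, update and delete role rules depend on cloud_admin, while get and list need admin_required alone.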