From b1a693d0a3a9ff1c44f0e1e56279fd238c0ea047 Mon Sep 17 00:00:00 2001 From: Wenxiang Wu Date: Tue, 23 Jan 2024 14:13:45 +0800 Subject: [PATCH] docs: add FAQ in README.rst Closes-Bug: #2049807 Change-Id: I9beb1c1e7ba2d8c0378d4eabe8dbd05ffeb06c69 --- README.rst | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/README.rst b/README.rst index ef802e9..d682c60 100644 --- a/README.rst +++ b/README.rst 
@@ -227,3 +227,38 @@ Kolla Ansible Deployment .. |image0| image:: doc/source/images/logo/OpenStack_Project_Skyline_horizontal.png .. |image1| image:: doc/source/images/logo/nine-color-deer-64.png + +FAQ +--- + +1. Policy + + Q: Why common user could login, but could list the nova servers? + `Bug #2049807 `_ + + :: + + Symptom: + ----------------------------------- + 1. Login Horizon with common user A, list servers OK. + 2. Login Skyline with same common user A, could list the nova servers, F12 show no http requests sent from network, however webpage show 401, do not allow to list servers + + Root Cause Analysis: + ----------------------------------- + 1. Horizon don't know whether a user could do an action at a resource or not. It simply pass request to recording service, & service (Nova) do the check by its policy file. So it works. + 2. Skyline check the action by itself, with /policy API. If you do not configure it, the default value follows community, like: https://docs.openstack.org/nova/2023.2/configuration/sample-policy.html + + How to fix: + ----------------------------------- + 1. By default, list servers need "project_reader_api": "role:reader and project_id:%(project_id)s" + 2. You should config your customized role, for example: member, _member_, projectAdmin, etc, create implied reader role. 
"openstack implied role create --implied-role member projectAdmin", or "openstack implied role create --implied-role reader _member_" + + # openstack implied role list + +----------------------------------+-----------------+----------------------------------+-------------------+ + | Prior Role ID | Prior Role Name | Implied Role ID | Implied Role Name | + +----------------------------------+-----------------+----------------------------------+-------------------+ + | fe21c5a0d17149c2a7b02bf39154d110 | admin | 4376fc38ba6a44e794671af0a9c60ef5 | member | + | 4376fc38ba6a44e794671af0a9c60ef5 | member | e081e01b7a4345bc85f8d3210b95362d | reader | + | bee8fa36149e434ebb69b61d12113031 | projectAdmin | 4376fc38ba6a44e794671af0a9c60ef5 | member | + | 77cec9fc7e764bd4bf60581869c048de | _member_ | e081e01b7a4345bc85f8d3210b95362d | reader | + +----------------------------------+-----------------+----------------------------------+-------------------+
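Review bot: The question in the new FAQ entry contradicts its own symptom list; "Why common user could login, but could list the nova servers?" should read "Why can a common user log in to Skyline but not list the Nova servers?", and in the Symptom section "Login Skyline with same common user A, could list the nova servers" should be "could not list the Nova servers" to match "webpage show 401, do not allow to list servers". In the same hunk, "It simply pass request to recording service" reads as a typo for "the corresponding service", "Horizon don't know" should be "Horizon doesn't know", and the bug reference "`Bug #2049807 `_" has no visible link target, so the reST will not render as a hyperlink; it should carry the Launchpad URL as "`Bug #2049807 <URL>`_". The Root Cause section already notes that the /policy defaults follow the community sample policy "If you do not configure it", so the How-to-fix section should say explicitly that configuring Skyline's policy is the alternative to creating implied roles, and should add the caveat that "openstack implied role create --implied-role reader _member_" is a Keystone-wide change: it grants reader to every assignment of _member_ in every service that checks the reader role, not only to Skyline, which is a broader privilege change than a per-service policy override. Finally, the sample "openstack implied role list" output shows admin implying member and member implying reader; it would help readers to state that this admin -> member -> reader chain is what makes admin accounts pass the "project_reader_api" check, so only the custom roles (projectAdmin, _member_) need new implied-role entries.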