
yahoo-eng-team team mailing list archive

[Bug 1117433] Re: non-admin users raise KeyError u'project_id'

 

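It looks like you need a context_is_admin rule in your policy.json file.
Without one, the is_admin check falls through to your "default" rule
(rule:admin_or_owner), which then tries to fill in %(project_id)s from
an empty target and raises the KeyError.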

I think you should replace your admin_or_owner lines with the lines from
the default file in folsom:

  "context_is_admin":  [["role:admin"]],
  "admin_or_owner":  [["is_admin:True"], ["project_id:%(project_id)s"]],


** Changed in: nova
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1117433

Title:
  non-admin users raise KeyError u'project_id'

Status in OpenStack Compute (Nova):
  Invalid

Bug description:
  Important note: this occurred post-upgrade from essex to folsom. I'm
  using the CentOS packages provided by EPEL.

  steps:

  1) obtain an auth-token

  curl -H 'Content-Type: application/json' -d '{ "auth": {"tenantName": "Development", "passwordCredentials": {"username": "jenkins", "password": "*****"} } }' http://10.0.80.15:5000/v2.0/tokens
  "access": {"token": {"expires": "2013-02-07T15:23:49Z", "id": "e3d266a113a64558801537830b01001d", "tenant": {"enabled": true, "description": "The developer group", "name": "Development", "id": "62b31fa8598a443487d99a79b6ba5547"}}, "serviceCatalog": [{"endpoints": [{"adminURL": "http://10.0.80.15:8774/v2/62b31fa8598a443487d99a79b6ba5547", "region": "nyc02", "internalURL": "http://10.0.80.15:8774/v2/62b31fa8598a443487d99a79b6ba5547", "id": "bb7fa36c03bf48589b87109509bfacb0", "publicURL": "http://10.0.80.15:8774/v2/62b31fa8598a443487d99a79b6ba5547"}], "endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints": [{"adminURL": "http://10.0.80.15:9292/v1", "region": "nyc02", "internalURL": "http://10.0.80.15:9292/v1", "id": "a1560797b76d45209af5820c72edf0c3", "publicURL": "http://10.0.80.15:9292/v1"}], "endpoints_links": [], "type": "image", "name": "glance"}, {"endpoints": [{"adminURL": "http://10.0.80.15:8776/v1/62b31fa8598a443487d99a79b6ba5547", "region": "nyc02", "internalURL": "http://10.0.80.15:8776/v1/62b31fa8598a443487d99a79b6ba5547", "id": "214577425ac8411ea114f5d0285d2814", "publicURL": "http://10.0.80.15:8776/v1/62b31fa8598a443487d99a79b6ba5547"}], "endpoints_links": [], "type": "volume", "name": "volume"}, {"endpoints": [{"adminURL": "http://10.0.80.15:8773/services/Admin", "region": "nyc02", "internalURL": "http://10.0.80.15:8773/services/Cloud", "id": "8d0f2bbbd729465eaf92964c728a60db", "publicURL": "http://10.0.80.15:8773/services/Cloud"}], "endpoints_links": [], "type": "ec2", "name": "ec2"}, {"endpoints": [{"adminURL": "http://10.0.80.15:8080/", "region": "nyc02", "internalURL": "http://10.0.80.15:8080/v1/AUTH_62b31fa8598a443487d99a79b6ba5547", "id": "8ab8b4cddd224f8facba3bcaf909b323", "publicURL": "http://10.0.80.15:8080/v1/AUTH_62b31fa8598a443487d99a79b6ba5547"}], "endpoints_links": [], "type": "object-store", "name": "swift"}, {"endpoints": [{"adminURL": "http://10.0.80.15:35357/v2.0", "region": "nyc02", "internalURL": 
"http://10.0.80.15:5000/v2.0", "id": "1e030df055e54aa2bde029f30a50c79d", "publicURL": "http://10.0.80.15:5000/v2.0"}], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": {"username": "jenkins", "roles_links": [], "id": "f80bbe2743b74f92a85ba61e8f93e62c", "roles": [], "name": "jenkins"}}}

  2) attempt to list servers for a tenant

  curl -v -H 'X-Auth-Token: e3d266a113a64558801537830b01001d'

  Expected:

  A list of servers for the Development tenant.

  Actual:

  Reply from server:
  http://10.0.80.15:8774/v2/2201915216d143038d65f61e323caf15/servers
  * About to connect() to 10.0.80.15 port 8774 (#0)
  *   Trying 10.0.80.15...
  * connected
  * Connected to 10.0.80.15 (10.0.80.15) port 8774 (#0)
  > GET /v2/2201915216d143038d65f61e323caf15/servers HTTP/1.1
  > User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
  > Host: 10.0.80.15:8774
  > Accept: */*
  > X-Auth-Token: e3d266a113a64558801537830b01001d
  >
  < HTTP/1.1 500 Internal Server Error
  < Content-Length: 128
  < Content-Type: application/json; charset=UTF-8
  < Date: Wed, 06 Feb 2013 15:24:38 GMT
  <
  * Connection #0 to host 10.0.80.15 left intact
  {"computeFault": {"message": "The server has either erred or is incapable of performing the requested operation.", "code": 500}}* Closing connection #0

  Stack trace:

  2013-02-05 16:01:31 6291 ERROR nova.api.openstack [-] Caught error: u'project_id'
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack Traceback (most recent call last):
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/api/openstack/__init__.py", line 78, in __call__
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     return req.get_response(self.application)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/request.py", line 1053, in get_response
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     application, catch_exc_info=False)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/request.py", line 1022, in call_application
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     app_iter = application(self.environ, start_response)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/dec.py", line 159, in __call__
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     return resp(environ, start_response)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/keystone/middleware/auth_token.py", line 278, in __call__
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     return self.app(env, start_response)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/dec.py", line 147, in __call__
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     resp = self.call_func(req, *args, **self.kwargs)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/dec.py", line 208, in call_func
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     return self.func(req, *args, **kwargs)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/api/auth.py", line 117, in __call__
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     service_catalog=service_catalog)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/context.py", line 70, in __init__
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     self.is_admin = policy.check_is_admin(self.roles)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/policy.py", line 115, in check_is_admin
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     exception.PolicyNotAuthorized, action=action)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 125, in enforce
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     if not _BRAIN.check(match_list, target_dict, credentials_dict):
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 204, in check
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     for item in and_list]):
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 184, in _check
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     return func(self, match_kind, match_value, target_dict, cred_dict)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 260, in _check_rule
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     return brain.check(new_match_list, target_dict, cred_dict)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 204, in check
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     for item in and_list]):
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 184, in _check
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     return func(self, match_kind, match_value, target_dict, cred_dict)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 260, in _check_rule
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     return brain.check(new_match_list, target_dict, cred_dict)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 204, in check
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     for item in and_list]):
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 184, in _check
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     return func(self, match_kind, match_value, target_dict, cred_dict)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 260, in _check_rule
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     return brain.check(new_match_list, target_dict, cred_dict)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 204, in check
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     for item in and_list]):
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 184, in _check
                                                                                                                                                        1,1           Top
  2013-02-05 16:01:31 6291 ERROR nova.api.openstack [-] Caught error: u'project_id'
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack Traceback (most recent call last):
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/api/openstack/__init__.py", line 78, in __call__
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     return req.get_response(self.application)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/request.py", line 1053, in get_response
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     application, catch_exc_info=False)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/request.py", line 1022, in call_application
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     app_iter = application(self.environ, start_response)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/dec.py", line 159, in __call__
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     return resp(environ, start_response)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/keystone/middleware/auth_token.py", line 278, in __call__
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     return self.app(env, start_response)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/dec.py", line 147, in __call__
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     resp = self.call_func(req, *args, **self.kwargs)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/WebOb-1.0.8-py2.6.egg/webob/dec.py", line 208, in call_func
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     return self.func(req, *args, **kwargs)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/api/auth.py", line 117, in __call__
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     service_catalog=service_catalog)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/context.py", line 70, in __init__
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     self.is_admin = policy.check_is_admin(self.roles)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/policy.py", line 115, in check_is_admin
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     exception.PolicyNotAuthorized, action=action)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 125, in enforce
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     if not _BRAIN.check(match_list, target_dict, credentials_dict):
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 204, in check
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     for item in and_list]):
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 184, in _check
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     return func(self, match_kind, match_value, target_dict, cred_dict)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 260, in _check_rule
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     return brain.check(new_match_list, target_dict, cred_dict)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 204, in check
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     for item in and_list]):
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 184, in _check
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     return func(self, match_kind, match_value, target_dict, cred_dict)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 260, in _check_rule
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     return brain.check(new_match_list, target_dict, cred_dict)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 204, in check
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     for item in and_list]):
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 184, in _check
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     return func(self, match_kind, match_value, target_dict, cred_dict)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 260, in _check_rule
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     return brain.check(new_match_list, target_dict, cred_dict)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 204, in check
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     for item in and_list]):
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 184, in _check
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     return func(self, match_kind, match_value, target_dict, cred_dict)
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack   File "/usr/lib/python2.6/site-packages/nova/openstack/common/policy.py", line 300, in _check_generic
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack     match = match % target_dict
  2013-02-05 16:01:31 6291 TRACE nova.api.openstack KeyError: u'project_id'

  This may be a config problem on my end, but regardless this error is
  pretty obfuscated. I've tracked it down to an empty target_dict being
  passed in to _check_generic via the policy.is_admin check. It does
  seem to be directly related to my policy.json for the nova service,
  which has the following default_rule:

      "admin_or_owner":  [["role:admin"], ["project_id:%(project_id)s"]],
      "default": [["rule:admin_or_owner"]],

  Changing project_id:%(project_id)s to any other key causes that key to
  be raised as the KeyError instead. Removing the second part of
  admin_or_owner causes:

  ERROR: Policy doesn't allow compute:get_instance_faults to be
  performed. (HTTP 403) (Request-ID: req-b61ab676-a9c4-4530-916b-
  73f5f33211b2)

  My full policy.json:

  {
      "admin_or_owner":  [["role:admin"], ["project_id:%(project_id)s"]],
      "default": [["rule:admin_or_owner"]],

      "compute:create": [],
      "compute:create:attach_network": [],
      "compute:create:attach_volume": [],
      "compute:get_all": [],

      "admin_api": [["role:admin"]],
      "compute_extension:accounts": [["rule:admin_api"]],
      "compute_extension:admin_actions": [["rule:admin_api"]],
      "compute_extension:admin_actions:pause": [["rule:admin_or_owner"]],
      "compute_extension:admin_actions:unpause": [["rule:admin_or_owner"]],
      "compute_extension:admin_actions:suspend": [["rule:admin_or_owner"]],
      "compute_extension:admin_actions:resume": [["rule:admin_or_owner"]],
      "compute_extension:admin_actions:lock": [["rule:admin_api"]],
      "compute_extension:admin_actions:unlock": [["rule:admin_api"]],
      "compute_extension:admin_actions:resetNetwork": [["rule:admin_api"]],
      "compute_extension:admin_actions:injectNetworkInfo": [["rule:admin_api"]],
      "compute_extension:admin_actions:createBackup": [["rule:admin_or_owner"]],
      "compute_extension:admin_actions:migrateLive": [["rule:admin_api"]],
      "compute_extension:admin_actions:migrate": [["rule:admin_api"]],
      "compute_extension:aggregates": [["rule:admin_api"]],
      "compute_extension:certificates": [],
      "compute_extension:cloudpipe": [["rule:admin_api"]],
      "compute_extension:console_output": [],
      "compute_extension:consoles": [],
      "compute_extension:createserverext": [],
      "compute_extension:deferred_delete": [],
      "compute_extension:disk_config": [],
      "compute_extension:extended_server_attributes": [["rule:admin_api"]],
      "compute_extension:extended_status": [],
      "compute_extension:flavorextradata": [],
      "compute_extension:flavorextraspecs": [],
      "compute_extension:flavormanage": [["rule:admin_api"]],
      "compute_extension:floating_ip_dns": [],
      "compute_extension:floating_ip_pools": [],
      "compute_extension:floating_ips": [],
      "compute_extension:hosts": [["rule:admin_api"]],
      "compute_extension:keypairs": [],
      "compute_extension:multinic": [],
      "compute_extension:networks": [["rule:admin_api"]],
      "compute_extension:quotas": [],
      "compute_extension:rescue": [],
      "compute_extension:security_groups": [],
      "compute_extension:server_action_list": [["rule:admin_api"]],
      "compute_extension:server_diagnostics": [["rule:admin_api"]],
      "compute_extension:simple_tenant_usage:show": [["rule:admin_or_owner"]],
      "compute_extension:simple_tenant_usage:list": [["rule:admin_api"]],
      "compute_extension:users": [["rule:admin_api"]],
      "compute_extension:virtual_interfaces": [],
      "compute_extension:virtual_storage_arrays": [],
      "compute_extension:volumes": [],
      "compute_extension:volumetypes": [],

      "volume:create": [],
      "volume:get_all": [],
      "volume:get_volume_metadata": [],
      "volume:get_snapshot": [],
      "volume:get_all_snapshots": [],

      "network:get_all_networks": [],
      "network:get_network": [],
      "network:delete_network": [],
      "network:disassociate_network": [],
      "network:get_vifs_by_instance": [],
      "network:allocate_for_instance": [],
      "network:deallocate_for_instance": [],
      "network:validate_networks": [],
      "network:get_instance_uuids_by_ip_filter": [],

      "network:get_floating_ip": [],
      "network:get_floating_ip_pools": [],
      "network:get_floating_ip_by_address": [],
      "network:get_floating_ips_by_project": [],
      "network:get_floating_ips_by_fixed_address": [],
      "network:allocate_floating_ip": [],
      "network:deallocate_floating_ip": [],
      "network:associate_floating_ip": [],
      "network:disassociate_floating_ip": [],

      "network:get_fixed_ip": [],
      "network:add_fixed_ip_to_instance": [],
      "network:remove_fixed_ip_from_instance": [],
      "network:add_network_to_project": [],
      "network:get_instance_nw_info": [],

      "network:get_dns_domains": [],
      "network:add_dns_entry": [],
      "network:modify_dns_entry": [],
      "network:delete_dns_entry": [],
      "network:get_dns_entries_by_address": [],
      "network:get_dns_entries_by_name": [],
      "network:create_private_dns_domain": [],
      "network:create_public_dns_domain": [],
      "network:delete_dns_domain": []
  }
