yahoo-eng-team team mailing list archive

[Bug 1850656] Re: Deploy will fail if keystone.conf has '[oslo_policy]/enforce_scope=true'


So trying to get auth not scoped to a project but domain instead, I get this:
failed: [primary] (item={u'service_type': u'identity', u'name': u'keystone'}) => {
    "action": "os_keystone_service", 
    "attempts": 5, 
    "changed": false, 
    "invocation": {
        "module_args": {
            "api_version": "auto", 
            "module_args": {
                "auth": {
                    "auth_url": "http://192.0.2.10:35357", 
                    "domain_name": "default", 
                    "password": "9PJVm6kJI1k00JgNzhXpRAosMAXBkIqSSmDYDwR3", 
                    "user_domain_name": "default", 
                    "username": "admin"
                }, 
                "cacert": "", 
                "description": "Openstack Identity Service", 
                "interface": "admin", 
                "name": "keystone", 
                "region_name": "RegionOne", 
                "service_type": "identity"
            }, 
            "module_extra_vars": null, 
            "module_name": "os_keystone_service", 
            "timeout": 180, 
            "user": null
        }
    }, 
    "item": {
        "description": "Openstack Identity Service", 
        "endpoints": [
            {
                "interface": "admin", 
                "url": "http://192.0.2.10:35357"
            }, 
            {
                "interface": "internal", 
                "url": "http://192.0.2.10:5000"
            }, 
            {
                "interface": "public", 
                "url": "http://192.0.2.10:5000"
            }
        ], 
        "name": "keystone", 
        "type": "identity"
    }, 
    "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/ansible-tmp-1572531912.06-54869509402289/AnsiballZ_os_keystone_service.py\", line 114, in <module>\n    _ansiballz_main()\n  File \"/tmp/ansible-tmp-1572531912.06-54869509402289/AnsiballZ_os_keystone_service.py\", line 106, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/tmp/ansible-tmp-1572531912.06-54869509402289/AnsiballZ_os_keystone_service.py\", line 49, in invoke_module\n    imp.load_module('__main__', mod, module, MOD_DESC)\n  File \"/tmp/ansible_os_keystone_service_payload_RpqMjI/__main__.py\", line 194, in <module>\n  File \"/tmp/ansible_os_keystone_service_payload_RpqMjI/__main__.py\", line 153, in main\n  File \"/opt/ansible/lib/python2.7/site-packages/openstack/cloud/_identity.py\", line 510, in search_services\n    services = self.list_services()\n  File \"/opt/ansible/lib/python2.7/site-packages/openstack/cloud/_identity.py\", line 485, in list_services\n    if self._is_client_version('identity', 2):\n  File \"/opt/ansible/lib/python2.7/site-packages/openstack/cloud/openstackcloud.py\", line 459, in _is_client_version\n    client = getattr(self, client_name)\n  File \"/opt/ansible/lib/python2.7/site-packages/openstack/cloud/_identity.py\", line 32, in _identity_client\n    'identity', min_version=2, max_version='3.latest')\n  File \"/opt/ansible/lib/python2.7/site-packages/openstack/cloud/openstackcloud.py\", line 422, in _get_versioned_client\n    endpoint_override=self.config.get_endpoint(service_type))\n  File \"/opt/ansible/lib/python2.7/site-packages/keystoneauth1/adapter.py\", line 345, in get_api_major_version\n    return self.session.get_api_major_version(auth or self.auth, **kwargs)\n  File \"/opt/ansible/lib/python2.7/site-packages/keystoneauth1/session.py\", line 1233, in get_api_major_version\n    return auth.get_api_major_version(self, **kwargs)\n  File \"/opt/ansible/lib/python2.7/site-packages/keystoneauth1/identity/base.py\", line 500, in get_api_major_version\n    data = get_endpoint_data(discover_versions=discover_versions)\n  File \"/opt/ansible/lib/python2.7/site-packages/keystoneauth1/identity/base.py\", line 271, in get_endpoint_data\n    service_catalog = self.get_access(session).service_catalog\n  File \"/opt/ansible/lib/python2.7/site-packages/keystoneauth1/identity/base.py\", line 134, in get_access\n    self.auth_ref = self.get_auth_ref(session)\n  File \"/opt/ansible/lib/python2.7/site-packages/keystoneauth1/identity/generic/base.py\", line 208, in get_auth_ref\n    return self._plugin.get_auth_ref(session, **kwargs)\n  File \"/opt/ansible/lib/python2.7/site-packages/keystoneauth1/identity/v3/base.py\", line 184, in get_auth_ref\n    authenticated=False, log=False, **rkwargs)\n  File \"/opt/ansible/lib/python2.7/site-packages/keystoneauth1/session.py\", line 1106, in post\n    return self.request(url, 'POST', **kwargs)\n  File \"/opt/ansible/lib/python2.7/site-packages/keystoneauth1/session.py\", line 943, in request\n    raise exceptions.from_response(resp, method, url)\nkeystoneauth1.exceptions.http.Unauthorized: The request you have made requires authentication. (HTTP 401) (Request-ID: req-2eed28d1-00fd-4878-8acc-9d5eee838a93)\n", 
    "module_stdout": "", 
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", 
    "rc": 1
}

I have a bad feeling this client is unable to handle the new stricter
situation.

** Also affects: keystone
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1850656

Title:
  Deploy will fail if keystone.conf has
  '[oslo_policy]/enforce_scope=true'

Status in OpenStack Identity (keystone):
  New
Status in kolla-ansible:
  In Progress
Status in kolla-ansible train series:
  In Progress

Bug description:
  In current Kolla master (train) the keystone permission system has not
  been adapted to the new scope thinking.

  $ cat /etc/kolla/config/keystone/keystone.conf 
  [oslo_policy]
  enforce_scope = True

  $ kolla-ansible -i multinode deploy
  ...
  TASK [service-ks-register : keystone | Creating services] ************************************************************************************
  ...
  failed: [control1.example.com -> control1.example.com] (item={u'service_type': u'identity', u'name': u'keystone'}) => {"action": "os_keystone_service", "ansible_loop_var": "item", "attempts": 5, "changed": false, "item": {"description": "Openstack Identity Service", "endpoints": [{"interface": "admin", "url": "http://vip.example.com:35357"}, {"interface": "internal", "url": "http://vip.example.com:5000"}, {"interface": "public", "url": "https://openstack.example.com:5000"}], "name": "keystone", "type": "identity"}, "msg": "Failed to list services: Client Error for url: http://vip.example.com:35357/v3/services, You are not authorized to perform the requested action: identity:list_services."}


  == https://docs.openstack.org/releasenotes/keystone/en_GB/train.html ==
  This release leverages oslo.policy’s policy-in-code feature to modify the default check strings and scope types for nearly all of keystone’s API policies. These changes make the policies more precise than they were before, using the reader, member, and admin roles where previously only the admin role and a catch-all rule was available. The changes also take advantage of system, domain, and project scope, allowing you to create role assignments for your users that are appropriate to the actions they need to perform. Eventually this will allow you to set [oslo_policy]/enforce_scope=true in your keystone configuration, which simplifies access control management by ensuring that oslo.policy checks both the role and the scope on API requests.

  [bug 1806762] [bug 1630434] The entire policy.v3cloudsample.json file
  has been removed. If you were using this policy file to supply
  overrides in your deployment, you should consider using the defaults
  in code and setting keystone.conf [oslo_policy] enforce_scope=True.
  The new policy defaults are more flexible, they’re tested extensively,
  and they solve all the problems the policy.v3cloudsample.json file was
  trying to solve.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1850656/+subscriptions
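The release notes quoted in the bug description say that enforce_scope makes oslo.policy check both the role and the scope of a request. The following is an added illustration of that two-step check, written for this page and not taken from oslo.policy, keystone or kolla-ansible: the rule standing in for identity:list_services, its scope_types and accepted roles, and the two tokens are all constructed, and the real check strings live in keystone's policy-in-code.

```python
# Added illustration (not oslo.policy's or keystone's code): a simplified model
# of how [oslo_policy]/enforce_scope changes the outcome of a policy check.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    scope_types: Tuple[str, ...]   # token scopes the API is designed for
    roles: FrozenSet[str]          # roles accepted by the check string (simplified)


@dataclass(frozen=True)
class Token:
    roles: FrozenSet[str]
    project_id: Optional[str] = None
    domain_id: Optional[str] = None
    system_all: bool = False       # system scope, as in "system_scope:all"

    @property
    def scope(self) -> Optional[str]:
        if self.system_all:
            return "system"
        if self.domain_id:
            return "domain"
        if self.project_id:
            return "project"
        return None


def enforce(rule: Rule, token: Token, enforce_scope: bool) -> str:
    """Return 'allowed', 'invalid_scope' or 'not_authorized'."""
    # Step 1 only exists when enforce_scope=True: the token's scope must be one
    # of the rule's scope_types, regardless of which roles the token carries.
    if enforce_scope and token.scope not in rule.scope_types:
        return "invalid_scope"
    # Step 2 is the ordinary role check and applies in both configurations.
    if not (token.roles & rule.roles):
        return "not_authorized"
    return "allowed"


# Constructed rule standing in for identity:list_services, the policy that
# rejected the deploy above; real scope_types/check strings are in keystone.
LIST_SERVICES = Rule("identity:list_services", ("system",),
                     frozenset({"reader", "member", "admin"}))
# Constructed tokens: a project-scoped admin (what the os_keystone_service task
# authenticated with) versus a system-scoped admin.
PROJECT_ADMIN = Token(frozenset({"admin"}), project_id="admin-project-id")
SYSTEM_ADMIN = Token(frozenset({"admin"}), system_all=True)
```

With enforce_scope off the project-scoped admin passes on its role alone; with it on, the same token is stopped at the scope step before its role is ever considered, which is the failure the deploy ran into.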