
yahoo-eng-team team mailing list archive

[Bug 1850656] Re: Deploy will fail if keystone.conf has '[oslo_policy]/enforce_scope=true'


> It either ends up having Client Error with admin-project-scoped auth
> or 401 with supposedly default-domain-scoped auth.

The scope_type for identity:create_endpoint is "system":
https://docs.openstack.org/keystone/latest/configuration/policy.html

So neither a project- nor domain-scoped token will be usable with this
policy if enforce_scope is set to true. You either need a system-scoped
token or you need to set enforce_scope=false (which is the default).

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1850656

Title:
  Deploy will fail if keystone.conf has
  '[oslo_policy]/enforce_scope=true'

Status in OpenStack Identity (keystone):
  Invalid
Status in kolla-ansible:
  In Progress
Status in kolla-ansible train series:
  In Progress

Bug description:
  In current Kolla master (train) the keystone permission system has not
  been adapted to the new scope thinking.

  $ cat /etc/kolla/config/keystone/keystone.conf
  [oslo_policy]
  enforce_scope = True

  $ kolla-ansible -i multinode deploy
  ...
  TASK [service-ks-register : keystone | Creating services] ************************************************************************************
  ...
  failed: [control1.example.com -> control1.example.com] (item={u'service_type': u'identity', u'name': u'keystone'}) => {"action": "os_keystone_service", "ansible_loop_var": "item", "attempts": 5, "changed": false, "item": {"description": "Openstack Identity Service", "endpoints": [{"interface": "admin", "url": "http://vip.example.com:35357"}, {"interface": "internal", "url": "http://vip.example.com:5000"}, {"interface": "public", "url": "https://openstack.example.com:5000"}], "name": "keystone", "type": "identity"}, "msg": "Failed to list services: Client Error for url: http://vip.example.com:35357/v3/services, You are not authorized to perform the requested action: identity:list_services."}


  == https://docs.openstack.org/releasenotes/keystone/en_GB/train.html ==
  This release leverages oslo.policy’s policy-in-code feature to modify the default check strings and scope types for nearly all of keystone’s API policies. These changes make the policies more precise than they were before, using the reader, member, and admin roles where previously only the admin role and a catch-all rule was available. The changes also take advantage of system, domain, and project scope, allowing you to create role assignments for your users that are appropriate to the actions they need to perform. Eventually this will allow you to set [oslo_policy]/enforce_scope=true in your keystone configuration, which simplifies access control management by ensuring that oslo.policy checks both the role and the scope on API requests.

  [bug 1806762] [bug 1630434] The entire policy.v3cloudsample.json file
  has been removed. If you were using this policy file to supply
  overrides in your deployment, you should consider using the defaults
  in code and setting keystone.conf [oslo_policy] enforce_scope=True.
  The new policy defaults are more flexible, they’re tested extensively,
  and they solve all the problems the policy.v3cloudsample.json file was
  trying to solve.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1850656/+subscriptions
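Added example, not code from the bug report, the keystone reply, or the kolla-ansible project: a POSIX shell sketch of the scope rule the reply describes. policy_scope_types holds the scope type the page gives for identity:create_endpoint and assumes the same "system" scope for identity:list_services, the API that failed in the Ansible output (verify against your release with oslopolicy-sample-generator --namespace keystone). token_scope_of_env and scope_check are hypothetical helpers that model, respectively, which scope a set of OS_* variables asks for and what oslo.policy does with a scope mismatch under enforce_scope true or false; use_system_scope shows the openstackclient calls for granting a system role assignment and issuing a system-scoped request, and is not run by the demo at the bottom.

```shell
#!/bin/sh
# Added example (not from the bug, keystone, or kolla-ansible): model the
# scope_type check that makes project/domain-scoped tokens fail with
# [oslo_policy]/enforce_scope=true, and show the system-scoped fix.

# Scope types of the two identity policies the page mentions.
# identity:create_endpoint is "system" per the keystone policy reference;
# identity:list_services is assumed "system" (it failed with a
# project-scoped token above). Regenerate the real table with:
#   oslopolicy-sample-generator --namespace keystone
policy_scope_types() {
    case "$1" in
        identity:create_endpoint|identity:list_services) echo "system" ;;
        *) return 1 ;;
    esac
}

# Which scope a client environment asks for, given the values of
# OS_SYSTEM_SCOPE, OS_PROJECT_NAME/ID and OS_DOMAIN_NAME/ID.
# Assumption (not keystoneauth's exact precedence logic): a clean
# environment sets exactly one scope; anything else is "ambiguous".
token_scope_of_env() {
    sys="$1"; proj="$2"; dom="$3"
    n=0
    [ -n "$sys" ] && n=$((n+1))
    [ -n "$proj" ] && n=$((n+1))
    [ -n "$dom" ] && n=$((n+1))
    if [ "$n" -ne 1 ]; then echo ambiguous; return 1; fi
    if [ -n "$sys" ]; then echo system
    elif [ -n "$proj" ]; then echo project
    else echo domain; fi
}

# Emulates oslo.policy's scope handling: with enforce_scope=true a token
# scope outside the rule's scope_types is rejected (InvalidScope, which
# keystone surfaces as the 403 "not authorized" seen in the Ansible
# output); with enforce_scope=false the mismatch is only logged and the
# request goes on to the normal role check.
#   $1 enforce_scope (true/false)  $2 policy name  $3 token scope
scope_check() {
    types=$(policy_scope_types "$2") || { echo "unknown policy $2" >&2; return 2; }
    for t in $types; do
        [ "$t" = "$3" ] && { echo allowed; return 0; }
    done
    if [ "$1" = "true" ]; then echo InvalidScope; return 1; fi
    echo "allowed (scope mismatch logged only)"
    return 0
}

# The fix the reply points at: give the deployment user a system role
# assignment, drop every project/domain variable so keystoneauth does not
# build a project- or domain-scoped token, and request system scope.
# Needs an existing admin session; not executed by the demo below.
#   $1 user name
use_system_scope() {
    openstack role add --system all --user "$1" admin
    unset OS_PROJECT_NAME OS_PROJECT_ID OS_PROJECT_DOMAIN_NAME OS_PROJECT_DOMAIN_ID
    unset OS_DOMAIN_NAME OS_DOMAIN_ID
    export OS_SYSTEM_SCOPE=all
    openstack service list
}

# Demo: the bug reporter's admin-project-scoped environment versus a
# system-scoped one, against identity:list_services.
reporter=$(token_scope_of_env "" "admin" "")       # constructed: OS_PROJECT_NAME=admin
fixed=$(token_scope_of_env "all" "" "")            # constructed: OS_SYSTEM_SCOPE=all
for mode in true false; do
    for scope in "$reporter" "$fixed"; do
        printf 'enforce_scope=%-5s identity:list_services %-7s -> %s\n' \
            "$mode" "$scope" "$(scope_check "$mode" identity:list_services "$scope")"
    done
done
```

The demo prints that only the system-scoped token is allowed when enforce_scope is true, while the project-scoped token passes the scope step (and is left to the role check) when enforce_scope is false, which is the default the reply refers to.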