yahoo-eng-team team mailing list archive
Message #86297
[Bug 1850656] Re: Deploy will fail if keystone.conf has '[oslo_policy]/enforce_scope=true'
Hello,
This affects kolla-ansible/wallaby, too.
** Also affects: wallaby
Importance: Undecided
Status: New
** No longer affects: wallaby
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1850656
Title:
Deploy will fail if keystone.conf has '[oslo_policy]/enforce_scope=true'
Status in OpenStack Identity (keystone):
Invalid
Status in kolla-ansible:
In Progress
Status in kolla-ansible train series:
Won't Fix
Status in kolla-ansible ussuri series:
Won't Fix
Status in kolla-ansible victoria series:
In Progress
Bug description:
In current Kolla master (train) the keystone permission system has not
been adapted to the new scope thinking.
$ cat /etc/kolla/config/keystone/keystone.conf
[oslo_policy]
enforce_scope = True
$ kolla-ansible -i multinode deploy
...
TASK [service-ks-register : keystone | Creating services] ************************************************************************************
...
failed: [control1.example.com -> control1.example.com] (item={u'service_type': u'identity', u'name': u'keystone'}) => {"action": "os_keystone_service", "ansible_loop_var": "item", "attempts": 5, "changed": false, "item": {"description": "Openstack Identity Service", "endpoints": [{"interface": "admin", "url": "http://vip.example.com:35357"}, {"interface": "internal", "url": "http://vip.example.com:5000"}, {"interface": "public", "url": "https://openstack.example.com:5000"}], "name": "keystone", "type": "identity"}, "msg": "Failed to list services: Client Error for url: http://vip.example.com:35357/v3/services, You are not authorized to perform the requested action: identity:list_services."}
== https://docs.openstack.org/releasenotes/keystone/en_GB/train.html ==
This release leverages oslo.policy’s policy-in-code feature to modify the default check strings and scope types for nearly all of keystone’s API policies. These changes make the policies more precise than they were before, using the reader, member, and admin roles where previously only the admin role and a catch-all rule was available. The changes also take advantage of system, domain, and project scope, allowing you to create role assignments for your users that are appropriate to the actions they need to perform. Eventually this will allow you to set [oslo_policy]/enforce_scope=true in your keystone configuration, which simplifies access control management by ensuring that oslo.policy checks both the role and the scope on API requests.
[bug 1806762] [bug 1630434] The entire policy.v3cloudsample.json file
has been removed. If you were using this policy file to supply
overrides in your deployment, you should consider using the defaults
in code and setting keystone.conf [oslo_policy] enforce_scope=True.
The new policy defaults are more flexible, they’re tested extensively,
and they solve all the problems the policy.v3cloudsample.json file was
trying to solve.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1850656/+subscriptions
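The authorization failure in the bug report, modelled as an added example (not oslo.policy, keystone or kolla-ansible code): a cut-down re-implementation of oslo.policy's scope check and deprecated-rule fallback, with a constructed identity:list_services rule whose check strings are assumed to match keystone's Train defaults. It shows the project-scoped admin token the Ansible task uses passing while enforce_scope is off, being rejected for scope once it is on, and a system-scoped token passing either way.

```python
"""Simplified model of oslo.policy scope enforcement (added example, not
oslo.policy, keystone or kolla-ansible code): why the project-scoped admin
token behind the failing task is rejected once enforce_scope = True."""
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    check_str: str         # only "role:x [and system_scope:all]" is modelled
    scope_types: list      # token scopes the API was designed for
    deprecated_check: str  # pre-Train rule, OR'ed in while it is deprecated

@dataclass
class Token:
    roles: set
    scope: str             # "project" or "system"

# Constructed rule; check strings assumed to match keystone's Train default
# (SYSTEM_READER, with the old 'rule:admin_required' kept as fallback).
LIST_SERVICES = Rule("identity:list_services",
                     "role:reader and system_scope:all", ["system"], "role:admin")

def _term(term, token):
    kind, value = term.split(":", 1)
    if kind == "role":
        return value in token.roles
    if kind == "system_scope":
        return value == "all" and token.scope == "system"
    raise ValueError(f"unsupported check: {term}")

def _check(check_str, token):
    return all(_term(t.strip(), token) for t in check_str.split(" and "))

def enforce(rule, token, enforce_scope):
    """Evaluate in oslo.policy's order; returns the outcome as a string
    where the real library raises InvalidScope / PolicyNotAuthorized."""
    # A scope mismatch is fatal only with enforce_scope = True; otherwise
    # oslo.policy logs a warning and evaluation continues.
    if token.scope not in rule.scope_types and enforce_scope:
        return "invalid_scope"
    # New check string OR the deprecated one, so project-scoped admin
    # tokens keep working until the deployment adopts system scope.
    if _check(rule.check_str, token) or _check(rule.deprecated_check, token):
        return "allowed"
    return "not_authorized"

# Constructed tokens: what the service-registration task obtains (admin on a
# project, implied roles expanded) versus the system scope Train expects.
PROJECT_ADMIN = Token({"admin", "member", "reader"}, "project")
SYSTEM_ADMIN = Token({"admin", "member", "reader"}, "system")
```

Running enforce(LIST_SERVICES, PROJECT_ADMIN, True) returns "invalid_scope", which is the condition behind the "You are not authorized to perform the requested action: identity:list_services" message in the report; the same token returns "allowed" with enforce_scope False.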