
yahoo-eng-team team mailing list archive

[Bug 1945988] [NEW] [stein] Cannot get openstack role assignment list --names --system all output when all is fulfilled

 

Public bug reported:

I upgraded OpenStack cloud from Rocky to Stein and tried to set up new
policies as described in release documentation. However, I cannot
retrieve some information, i.e. the command defined in the topic.

When executed:
openstack role assignment list --names --system all
output is:
You are not authorized to perform the requested action: identity:list_role_assignments. (HTTP 403) (Request-ID: req-6a27ecd6-7cef-41e4-8470-cf1037f383ac)

That is visible in log print: https://paste.opendev.org/show/809759/

Policy.yaml file is here: https://paste.opendev.org/show/809760/

Warning message is incorrect and says:

2021-10-04 14:20:40.378 1363 WARNING py.warnings [req-6a27ecd6-7cef-41e4-8470-cf1037f383ac f42df418fd404d04b9bdabf2f1b49fd9 509b380257a943b6809c4826e6be372c - default default] /usr/lib/python3/dist-packages/oslo_policy/policy.py:679: UserWarning: Policy "identity:get_mapping":"rule:admin_required" was deprecated in S in favor of "identity:list_mappings":"role:reader and system_scope:all". Reason:

When I removed "identity:get_mapping" from policy file, warning message
is like here: https://paste.opendev.org/show/809761/

And when I set this rule to the value proposed in the warning message, I
get a warning like here: https://paste.opendev.org/show/809762/

So it looks like the problem is looping and doesn't make sense.

Besides that, it is incorrect that I cannot retrieve output from this
command, as my reader user is system all scoped and I should be able to
retrieve the role assignment list.

I'm trying to get this for user jwasilewski:
openstack role assignment list --names --system all
+--------+---------------------+-------------------+---------+--------+--------+-----------+
| Role   | User                | Group             | Project | Domain | System | Inherited |
+--------+---------------------+-------------------+---------+--------+--------+-----------+
| admin  |                     | Adm.Admin@Default |         |        | all    | False     |
| reader | jwasilewski@Default |                   |         |        | all    | False     |
+--------+---------------------+-------------------+---------+--------+--------+-----------+

But I'm not sure why 'system_scope': None is defined in logs. Seems it
is incorrect behavior.


Keystone packages version:
dpkg -l | grep keystone
ii  keystone                               2:15.0.1-0ubuntu1~cloud0                        all          OpenStack identity service - Daemons
ii  keystone-common                        2:15.0.1-0ubuntu1~cloud0                        all          OpenStack identity service - Common files
ii  python3-keystone                       2:15.0.1-0ubuntu1~cloud0                        all          OpenStack identity service - Python 3 library
ii  python3-keystoneauth1                  3.13.1-0ubuntu1~cloud0                          all          authentication library for OpenStack Identity - Python 3.x
ii  python3-keystoneclient                 1:3.19.0-0ubuntu1~cloud0                        all          client library for the OpenStack Keystone API - Python 3.x
ii  python3-keystonemiddleware             6.0.0-0ubuntu1~cloud0                           all          Middleware for OpenStack Identity (Keystone) - Python 3.x

OS version:
cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS"

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: policy
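
Added example, not part of the original report and not oslo.policy's own code: a simplified model of how a check string of the form quoted in the warning is evaluated, showing that credentials carrying 'system_scope': None fail it even when the reader role is present. The credential dicts are constructed, and it is an assumption that identity:list_role_assignments is governed by a rule of this form.

```python
# Simplified model of oslo.policy check-string evaluation (added example,
# not the library itself). Handles "and"/"or" without parentheses.

def check_atom(atom, creds):
    kind, _, match = atom.strip().partition(":")
    if kind == "role":
        # Role checks compare case-insensitively against the token's roles.
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # Generic check: look up `kind` in the credentials and compare as a
    # string, so an unset scope (None) becomes "None" and never equals "all".
    if kind not in creds:
        return False
    return match == str(creds[kind])

def enforce(check_string, creds):
    # "or" binds looser than "and": any clause with all atoms true passes.
    return any(
        all(check_atom(a, creds) for a in clause.split(" and "))
        for clause in check_string.split(" or ")
    )

def diagnose(check_string, creds):
    """Return the atoms of the check string that fail for these credentials."""
    atoms = [a.strip() for clause in check_string.split(" or ")
             for a in clause.split(" and ")]
    return [a for a in atoms if not check_atom(a, creds)]

# Check string quoted in the deprecation warning on this page.
RULE = "role:reader and system_scope:all"

# Constructed credentials. The first mirrors the 'system_scope': None seen in
# the reporter's log; the second is what a system-scoped token would carry.
UNSCOPED_TO_SYSTEM = {"roles": ["reader"], "system_scope": None,
                      "project_id": "constructed-project-id"}
SYSTEM_SCOPED = {"roles": ["reader"], "system_scope": "all",
                 "project_id": None}

if __name__ == "__main__":
    for name, creds in (("system_scope=None", UNSCOPED_TO_SYSTEM),
                        ("system_scope=all", SYSTEM_SCOPED)):
        verdict = "allowed" if enforce(RULE, creds) else "HTTP 403"
        print(f"{name}: {verdict}, failing atoms: {diagnose(RULE, creds)}")
```

A role assignment on the system does not by itself put system scope into the request credentials; the token has to be requested with system scope, which python-openstackclient does with `--os-system-scope all` (or `OS_SYSTEM_SCOPE=all`).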


https://bugs.launchpad.net/bugs/1945988
