yahoo-eng-team team mailing list archive
Message #88151
[Bug 1959196] [NEW] New Secure RBAC policies broke devstack-enforce-scope job
Public bug reported:
After patch https://review.opendev.org/c/openstack/neutron/+/821208 was merged, the devstack-enforce-scope job is broken.
Failure example: https://5764001d47a5e80d3ade-02618f010e74d581319c83aa0d27e1a8.ssl.cf2.rackcdn.com/825920/2/gate/devstack-enforce-scope/bbedfce/controller/logs/devstacklog.txt
Error in Neutron:
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation [None req-4c4da8bd-be81-47ae-b700-f68b7f1a68d0 None admin] POST failed.: oslo_policy.policy.InvalidScope: rule:get_subnetpool requires a scope of ['project'], request was made with system scope.
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation Traceback (most recent call last):
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/neutron/neutron/pecan_wsgi/hooks/policy_enforcement.py", line 134, in before
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation policy.enforce(
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/neutron/neutron/policy.py", line 524, in enforce
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation LOG.debug("Failed policy check for '%s'", action)
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/usr/local/lib/python3.8/dist-packages/oslo_utils/excutils.py", line 227, in __exit__
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation self.force_reraise()
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/usr/local/lib/python3.8/dist-packages/oslo_utils/excutils.py", line 200, in force_reraise
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation raise self.value
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/neutron/neutron/policy.py", line 519, in enforce
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation result = _ENFORCER.enforce(rule, target, context, action=action,
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/usr/local/lib/python3.8/dist-packages/oslo_policy/policy.py", line 1084, in enforce
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation raise PolicyNotAuthorized(rule, target, creds)
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation oslo_policy.policy.PolicyNotAuthorized: ((rule:create_subnetpool and rule:create_subnetpool:is_default) and rule:create_subnetpool:shared) is disallowed by policy
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation During handling of the above exception, another exception occurred:
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation Traceback (most recent call last):
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/usr/local/lib/python3.8/dist-packages/pecan/core.py", line 692, in __call__
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation controller, args, kwargs = self.find_controller(state)
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/usr/local/lib/python3.8/dist-packages/pecan/core.py", line 870, in find_controller
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation controller, args, kw = super(Pecan, self).find_controller(_state)
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/usr/local/lib/python3.8/dist-packages/pecan/core.py", line 560, in find_controller
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation self.handle_hooks(self.determine_hooks(controller), 'before', state)
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/usr/local/lib/python3.8/dist-packages/pecan/core.py", line 877, in handle_hooks
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation return super(Pecan, self).handle_hooks(hooks, *args, **kw)
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/usr/local/lib/python3.8/dist-packages/pecan/core.py", line 342, in handle_hooks
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation result = getattr(hook, hook_type)(*args)
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/neutron/neutron/pecan_wsgi/hooks/policy_enforcement.py", line 144, in before
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation if not policy.check(neutron_context, s_action, item,
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/neutron/neutron/policy.py", line 486, in check
Jan 26 22:30:16.594094 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation result = _ENFORCER.enforce(match_rule,
Jan 26 22:30:16.594094 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/usr/local/lib/python3.8/dist-packages/oslo_policy/policy.py", line 1045, in enforce
Jan 26 22:30:16.594094 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation self._enforce_scope(creds, rule)
Jan 26 22:30:16.594094 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/usr/local/lib/python3.8/dist-packages/oslo_policy/policy.py", line 1102, in _enforce_scope
Jan 26 22:30:16.594094 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation raise InvalidScope(
Jan 26 22:30:16.594094 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation oslo_policy.policy.InvalidScope: rule:get_subnetpool requires a scope of ['project'], request was made with system scope.
Jan 26 22:30:16.594094 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation
** Affects: neutron
Importance: Critical
Assignee: Slawek Kaplonski (slaweq)
Status: Confirmed
** Tags: gate-failure
https://bugs.launchpad.net/bugs/1959196
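A triage helper for the log format quoted in the traceback above, added here as an example and not part of the bug report or of Neutron: it pulls each distinct `InvalidScope` error out of oslo.log output, together with the `PolicyNotAuthorized` denial that preceded it in the log. The function name `scope_failures` and the record fields are assumptions; the three sample lines are copied from the traceback in the report.

```python
import ast
import re

# Sample input: three lines copied from the traceback quoted in the bug report.
SAMPLE_LOG = """\
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation [None req-4c4da8bd-be81-47ae-b700-f68b7f1a68d0 None admin] POST failed.: oslo_policy.policy.InvalidScope: rule:get_subnetpool requires a scope of ['project'], request was made with system scope.
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation oslo_policy.policy.PolicyNotAuthorized: ((rule:create_subnetpool and rule:create_subnetpool:is_default) and rule:create_subnetpool:shared) is disallowed by policy
Jan 26 22:30:16.594094 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation oslo_policy.policy.InvalidScope: rule:get_subnetpool requires a scope of ['project'], request was made with system scope.
"""

# Message formats as they appear in the log lines above.
INVALID_SCOPE = re.compile(
    r"oslo_policy\.policy\.InvalidScope: (?P<rule>\S+) requires a scope of "
    r"(?P<required>\[[^\]]*\]), request was made with (?P<actual>\w+) scope")
NOT_AUTHORIZED = re.compile(
    r"oslo_policy\.policy\.PolicyNotAuthorized: (?P<expr>.+) is disallowed by policy")
REQUEST_ID = re.compile(r"\breq-[0-9a-f-]{36}\b")


def scope_failures(text):
    """Return one record per distinct (rule, token scope) InvalidScope error."""
    records, last_denied = {}, None
    for line in text.splitlines():
        denied = NOT_AUTHORIZED.search(line)
        if denied:
            # Remember the denial so a later scope error can be tied to it.
            last_denied = denied.group("expr")
            continue
        match = INVALID_SCOPE.search(line)
        if not match:
            continue
        key = (match.group("rule"), match.group("actual"))
        rec = records.setdefault(key, {
            "rule": match.group("rule"),
            # The required scopes are logged as a Python list literal.
            "required": ast.literal_eval(match.group("required")),
            "actual": match.group("actual"),
            "request_id": None, "after_denied": None, "count": 0})
        rec["count"] += 1
        rid = REQUEST_ID.search(line)
        # Only the summary line carries the request id; traceback lines do not.
        rec["request_id"] = rec["request_id"] or (rid and rid.group(0))
        rec["after_denied"] = rec["after_denied"] or last_denied
    return list(records.values())


if __name__ == "__main__":
    for record in scope_failures(SAMPLE_LOG):
        print(record)
```
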