
yahoo-eng-team team mailing list archive

[Bug 2062045] Re: Domain admin is not allowed to create credentials when scope enforcement is enabled


Reviewed:  https://review.opendev.org/c/openstack/keystone/+/916130
Committed: https://opendev.org/openstack/keystone/commit/5ead95ffcc597517feed53170e2d2f77cdd311a1
Submitter: "Zuul (22348)"
Branch:    master

commit 5ead95ffcc597517feed53170e2d2f77cdd311a1
Author: Takashi Kajinami <kajinamit@xxxxxxxxxxxxxxx>
Date:   Thu Apr 18 03:12:19 2024 +0900

    Allow domain users to manage credentials
    
    Credentials are associated with users so there is no reason we prevent
    domain users from accessing the resources. In some services like heat
    domain admin is used to generate keystone credentials and loosening
    the scope check is required to continue supporting such a use case.
    
    Closes-Bug: #2062045
    Change-Id: I140b302d879ce1cc1f8d8de9e666cc74278a977f


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2062045

Title:
  Domain admin is not allowed to create credentials when scope
  enforcement is enabled

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Currently when [oslo_policy] enforce_scope is set to True along with
  [oslo_policy] enforce_new_defaults = True, domain admins are not
  allowed to manage credentials.

  However this limitation breaks heat, because heat requires creating
  credentials, which are used, for example, by the notification mechanism,
  with its own stack domain admin credential.

  ```
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: ERROR heat.engine.check_resource [None req-f3f9047b-8ac5-46f0-b8df-eafa473cb252 demo None] Unexpected exception in resource check.: keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the requested action: identity:create_credential. (HTTP 403) (Request-ID: req-ff29e4ea-c6bc-48c5-88f4-fa4cb1893a87)
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource Traceback (most recent call last):
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource   File "/opt/stack/heat/heat/engine/check_resource.py", line 311, in check
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource     self._initiate_propagate_resource(cnxt, resource_id,
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource   File "/opt/stack/heat/heat/engine/check_resource.py", line 251, in _initiate_propagate_resource
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource     input_data = _get_input_data(req_node, input_forward_data)
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource   File "/opt/stack/heat/heat/engine/check_resource.py", line 233, in _get_input_data
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource     return rsrc.node_data().as_dict()
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource   File "/opt/stack/heat/heat/engine/resource.py", line 1154, in node_data
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource     self.FnGetRefId(), attribute_values,
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource   File "/opt/stack/heat/heat/engine/resource.py", line 2378, in FnGetRefId
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource     return self.get_reference_id()
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource   File "/opt/stack/heat/heat/engine/resources/aws/cfn/wait_condition_handle.py", line 40, in get_reference_id
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource     return str(self._get_ec2_signed_url(signal_type=wc))
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource   File "/opt/stack/heat/heat/engine/resources/wait_condition.py", line 48, in _get_ec2_signed_url
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource     self)._get_ec2_signed_url(signal_type)
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource   File "/opt/stack/heat/heat/engine/resources/signal_responder.py", line 138, in _get_ec2_signed_url
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource     self._create_keypair()
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource   File "/opt/stack/heat/heat/engine/resources/stack_user.py", line 128, in _create_keypair
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource     kp = self.keystone().create_stack_domain_user_keypair(
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource   File "/opt/stack/heat/heat/engine/clients/os/keystone/heat_keystoneclient.py", line 551, in create_stack_domain_user_keypair
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource     creds = self.domain_admin_client.credentials.create(
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource   File "/usr/local/lib/python3.10/dist-packages/keystoneclient/v3/credentials.py", line 62, in create
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource     return super(CredentialManager, self).create(
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource   File "/usr/local/lib/python3.10/dist-packages/keystoneclient/base.py", line 85, in func
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource     return f(*args, **new_kwargs)
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource   File "/usr/local/lib/python3.10/dist-packages/keystoneclient/base.py", line 381, in create
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource     return self._post(
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource   File "/usr/local/lib/python3.10/dist-packages/keystoneclient/base.py", line 191, in _post
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource     resp, body = self.client.post(url, body=body, **kwargs)
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource   File "/usr/local/lib/python3.10/dist-packages/keystoneauth1/adapter.py", line 399, in post
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource     return self.request(url, 'POST', **kwargs)
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource   File "/usr/local/lib/python3.10/dist-packages/keystoneauth1/adapter.py", line 552, in request
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource     resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource   File "/usr/local/lib/python3.10/dist-packages/keystoneauth1/adapter.py", line 255, in request
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource     return self.session.request(url, method, **kwargs)
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource   File "/usr/local/lib/python3.10/dist-packages/keystoneauth1/session.py", line 985, in request
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource     raise exceptions.from_response(resp, method, url)
  Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204 89702 TRACE heat.engine.check_resource keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the requested action: identity:create_credential. (HTTP 403) (Request-ID: req-ff29e4ea-c6bc-48c5-88f4-fa4cb1893a87)
  ```

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2062045/+subscriptions
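An added illustration, not code from keystone, heat or this bug report: a small model of oslo.policy-style enforcement showing why a domain-scoped admin token (like heat's stack domain admin) gets a 403 for identity:create_credential when the rule only admits system scope, and how a rule that also admits a domain admin for users of its own domain passes without letting it reach other domains. The rule strings, scope types and target keys below are constructed for the example and are not keystone's shipped defaults.

```python
# Constructed model of oslo.policy-style rule evaluation and scope enforcement.
# Rule strings, scope types and target keys are assumptions for this example,
# not keystone's actual policy definitions.

def _atom(atom, creds, target):
    """Evaluate one 'kind:value' check; %(target.x)s expands from target."""
    kind, _, value = atom.partition(":")
    if value.startswith("%(") and value.endswith(")s"):
        value = target.get(value[2:-2])
    if kind == "role":
        return value in creds.get("roles", ())
    return creds.get(kind) == value

def _rule(rule, creds, target):
    """Rules are atom strings or ('and'|'or', *subrules) tuples."""
    if isinstance(rule, str):
        return _atom(rule, creds, target)
    op, *subs = rule
    results = [_rule(s, creds, target) for s in subs]
    return all(results) if op == "and" else any(results)

def _token_scope(creds):
    """Derive the token scope the way a system/domain/project token carries it."""
    if creds.get("system_scope") == "all":
        return "system"
    return "domain" if "domain_id" in creds else "project"

def enforce(policy, creds, target, enforce_scope=True):
    """Return 'allowed', 'forbidden' or 'invalid_scope' (both failures are 403)."""
    if enforce_scope and _token_scope(creds) not in policy["scope_types"]:
        return "invalid_scope"
    return "allowed" if _rule(policy["rule"], creds, target) else "forbidden"

SYSTEM_ADMIN = ("and", "role:admin", "system_scope:all")
# Domain admin only for users whose domain matches the token's domain.
DOMAIN_ADMIN_SAME_DOMAIN = ("and", "role:admin",
                            "domain_id:%(target.user.domain_id)s")

# Rule admitting only system scope: the behaviour the bug report describes.
CREATE_CREDENTIAL_SYSTEM_ONLY = {"scope_types": ["system"], "rule": SYSTEM_ADMIN}
# Rule also admitting a same-domain domain admin: what the fix restores.
CREATE_CREDENTIAL_WITH_DOMAIN = {"scope_types": ["system", "domain"],
                                 "rule": ("or", SYSTEM_ADMIN,
                                          DOMAIN_ADMIN_SAME_DOMAIN)}

# Constructed sample tokens and targets (ids are made up for this example).
HEAT_DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "heat"}
SYSTEM_ADMIN_TOKEN = {"roles": ["admin"], "system_scope": "all"}
STACK_USER = {"target.user.domain_id": "heat"}
OTHER_DOMAIN_USER = {"target.user.domain_id": "default"}
```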
