
yahoo-eng-team team mailing list archive

[Bug 2078518] [NEW] neutron designate scenario job failing with new RBAC

 

Public bug reported:

Oslo.policy 4.4.0 enabled the new RBAC defaults by default, which does
not change any config on the neutron side because neutron already
enabled the new defaults, but it enabled the designate new RBAC. That
is causing the neutron-tempest-plugin-designate-scenario job to fail.

It is failing here
- https://review.opendev.org/c/openstack/neutron/+/926085

And this is a debugging change
- https://review.opendev.org/c/openstack/neutron/+/926945/7

I see from the log that the admin designate client is getting the error.
If you look at the log below, it is designate_admin that is getting an
error while creating the recordset in designate:

Aug 09 19:08:30.539307 np0038166723 neutron-server[86674]: ERROR neutron_lib.callbacks.manager designate_admin.recordsets.create(in_addr_zone_name,

https://zuul.opendev.org/t/openstack/build/7a18c093d50242ebbea666d92c671945/log/controller/logs/screen-q-svc.txt#7665

https://github.com/openstack/neutron/blob/b847d89ac1f922362945ad610c9787bc28f37457/neutron/services/externaldns/drivers/designate/driver.py#L92

which is caused by the GET Zone returning 403 in designateclient

https://zuul.opendev.org/t/openstack/build/7a18c093d50242ebbea666d92c671945/log/controller/logs/screen-q-svc.txt#7674

I compared the designate Zone RBAC defaults to see if any change there is causing it:

Old policy: admin or owner
New policy: admin or project reader

https://github.com/openstack/designate/blob/50f686fcffd007506e0cd88788a668d4f57febc3/designate/common/policies/zone.py
The only difference in the policy is that if it is not admin then it checks the role also; member and reader need only have access. But here neutron tries to access with the admin role only.

I tried to query designate with "'all_projects': True" in the admin
designate client request, but it still fails

https://zuul.opendev.org/t/openstack/build/25be97774e3a4d72a39eb6b2d2bed4a0/log/controller/logs/screen-q-svc.txt#7716

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2078518

Title:
  neutron designate scenario job failing with new RBAC

Status in neutron:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2078518/+subscriptions


