← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #94497

[Bug 2078518] Re: neutron designate scenario job failing with new RBAC

  Thread PreviousDate PreviousThread Next 
** Also affects: designate
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2078518

Title:
  neutron designate scenario job failing with new RBAC

Status in Designate:
  New
Status in neutron:
  New

Bug description:
  Oslo.policy 4.4.0 enabled the new RBAC defaults by default, which does
  not change any config on the neutron side because neutron already
  enabled the new defaults, but it enabled the designated new RBAC. That
  is causing the neutron-tempest-plugin-designate-scenario job failing.

  It is failing here
  - https://review.opendev.org/c/openstack/neutron/+/926085

  And this is a debugging change
  - https://review.opendev.org/c/openstack/neutron/+/926945/7

  I see from the log that the admin designate client is getting the
  error. If you see the below log, its designate_admin is getting an
  error while creating the recordset in the designate

  Aug 09 19:08:30.539307 np0038166723 neutron-server[86674]: ERROR
  neutron_lib.callbacks.manager
  designate_admin.recordsets.create(in_addr_zone_name,

  https://zuul.opendev.org/t/openstack/build/7a18c093d50242ebbea666d92c671945/log/controller/logs/screen-
  q-svc.txt#7665

  https://github.com/openstack/neutron/blob/b847d89ac1f922362945ad610c9787bc28f37457/neutron/services/externaldns/drivers/designate/driver.py#L92

  which is caused by the GET Zone returning 403 in designateclient

  https://zuul.opendev.org/t/openstack/build/7a18c093d50242ebbea666d92c671945/log/controller/logs/screen-q-svc.txt#7674
  I compared the designate Zone RBAC default if any change in that causing it:

  Old policy: admin or owner
  New policy: admin or project reader

  https://github.com/openstack/designate/blob/50f686fcffd007506e0cd88788a668d4f57febc3/designate/common/policies/zone.py
  Only difference in policy is if it is not admin then it check role also member and reader needs only have access. But here neutron try to access with admin role only.

  I tried to query designate with "'all_projects': True" in admin
  designate client request but still it fail

  https://zuul.opendev.org/t/openstack/build/25be97774e3a4d72a39eb6b2d2bed4a0/log/controller/logs/screen-
  q-svc.txt#7716

To manage notifications about this bug go to:
https://bugs.launchpad.net/designate/+bug/2078518/+subscriptions

References

  Thread PreviousDate PreviousThread Next