yahoo-eng-team team mailing list archive
Message #94516
[Bug 2078518] Re: neutron designate scenario job failing with new RBAC
Reviewed: https://review.opendev.org/c/openstack/designate/+/927792
Committed: https://opendev.org/openstack/designate/commit/4388f00d267c4090b7de6bc94da9e2970abdf0cc
Submitter: "Zuul (22348)"
Branch: master
commit 4388f00d267c4090b7de6bc94da9e2970abdf0cc
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date: Tue Sep 3 10:49:04 2024 +0200
Add "admin" role to the designate user created by devstack plugin
The service user named "designate" had only the "service" role up to now,
but it seems that with oslo.policy 4.4.0, where "enforce_new_defaults" is
set to True by default, this breaks the integration between Neutron and
Designate, as e.g. Neutron's creation of the recordset fails with a
Forbidden exception, as this seems to be allowed only for an admin user or
a shared or primary zone.
This patch also adds the "admin" role to this "designate" service user to
work around that issue, at least until Designate supports "service" role
usage with Secure RBAC policies.
Closes-Bug: #2078518
Change-Id: I477cc96519e7396a614f92d109867222207ec388
** Changed in: designate
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2078518
Title:
neutron designate scenario job failing with new RBAC
Status in Designate:
Fix Released
Status in neutron:
Invalid
Bug description:
Oslo.policy 4.4.0 enabled the new RBAC defaults by default, which does
not change any config on the neutron side because neutron already
enabled the new defaults, but it enabled Designate's new RBAC. That
is causing the neutron-tempest-plugin-designate-scenario job to fail.
It is failing here
- https://review.opendev.org/c/openstack/neutron/+/926085
And this is a debugging change
- https://review.opendev.org/c/openstack/neutron/+/926945/7
I see from the log that the admin designate client is getting the
error. If you look at the log below, it's designate_admin that is getting an
error while creating the recordset in Designate:
Aug 09 19:08:30.539307 np0038166723 neutron-server[86674]: ERROR neutron_lib.callbacks.manager designate_admin.recordsets.create(in_addr_zone_name,
https://zuul.opendev.org/t/openstack/build/7a18c093d50242ebbea666d92c671945/log/controller/logs/screen-q-svc.txt#7665
https://github.com/openstack/neutron/blob/b847d89ac1f922362945ad610c9787bc28f37457/neutron/services/externaldns/drivers/designate/driver.py#L92
which is caused by the GET Zone returning 403 in designateclient
https://zuul.opendev.org/t/openstack/build/7a18c093d50242ebbea666d92c671945/log/controller/logs/screen-q-svc.txt#7674
I compared the Designate zone RBAC defaults to see if any change in them is causing it:
Old policy: admin or owner
New policy: admin or project reader
https://github.com/openstack/designate/blob/50f686fcffd007506e0cd88788a668d4f57febc3/designate/common/policies/zone.py
The only difference in the policy is that if it is not admin, it also checks the role: member and reader only need to have access. But here neutron tries to access with the admin role only.
I tried to query designate with "'all_projects': True" in the admin
designate client request, but it still fails:
https://zuul.opendev.org/t/openstack/build/25be97774e3a4d72a39eb6b2d2bed4a0/log/controller/logs/screen-q-svc.txt#7716
To manage notifications about this bug go to:
https://bugs.launchpad.net/designate/+bug/2078518/+subscriptions
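The policy comparison in the bug description (old default "admin or owner", new default "admin or project reader") and the reason the devstack fix adds the "admin" role can be reproduced with a small evaluator. The block below is an added example, not code from the bug, from Designate, or from oslo.policy: it re-implements only the subset of oslo.policy check-string semantics needed here (role:, rule:, generic kind:%(attr)s checks, and/or, parentheses). The two rule sets, their rule names and the project id "svc-proj" are assumptions that model the bug's wording, not Designate's actual policy files.

```python
"""Minimal evaluator for the subset of oslo.policy check-string syntax used by
the Designate zone defaults discussed in the bug.  Added illustration; the
check strings below are assumed from the bug's wording, not Designate's own."""
import re

# Tokens: parentheses, the keywords and/or, or an atom of the form kind:match.
# A %(attr)s placeholder inside a match is kept whole so its parentheses are
# not mistaken for grouping.
TOKEN_RE = re.compile(
    r"\(|\)|\band\b|\bor\b|[A-Za-z_]+:(?:%\([A-Za-z_.]+\)s|[^\s()])+"
)


def parse(check_str):
    """Recursive-descent parse into nested tuples; 'and' binds tighter than 'or'."""
    toks = TOKEN_RE.findall(check_str)
    pos = 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def expr():
        node = term()
        while peek() == "or":
            take()
            node = ("or", node, term())
        return node

    def term():
        node = factor()
        while peek() == "and":
            take()
            node = ("and", node, factor())
        return node

    def factor():
        tok = take()
        if tok == "(":
            node = expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in %r" % check_str)
            return node
        kind, _, match = tok.partition(":")
        return ("atom", kind, match)

    node = expr()
    if peek() is not None:
        raise ValueError("trailing tokens in %r" % check_str)
    return node


def evaluate(node, rules, target, creds):
    """Semantics of the supported atoms, following oslo.policy:
    role:X    -> X is one of the caller's roles (case-insensitive)
    rule:NAME -> evaluate the named rule from the rules dict
    kind:Y    -> Y, %-expanded against the target, equals creds[kind]"""
    if node[0] == "or":
        return evaluate(node[1], rules, target, creds) or evaluate(node[2], rules, target, creds)
    if node[0] == "and":
        return evaluate(node[1], rules, target, creds) and evaluate(node[2], rules, target, creds)
    _, kind, match = node
    if kind == "rule":
        return evaluate(parse(rules[match]), rules, target, creds)
    if kind == "role":
        return match.lower() in (r.lower() for r in creds.get("roles", ()))
    return str(creds.get(kind)) == match % target


def enforce(rules, action, target, creds):
    return evaluate(parse(rules[action]), rules, target, creds)


# Assumed check strings modelling the two defaults the bug compares:
# "admin or owner" before, "admin or project reader" after.
OLD_ZONE_RULES = {
    "admin_or_owner": "role:admin or project_id:%(project_id)s",
    "get_zone": "rule:admin_or_owner",
}
NEW_ZONE_RULES = {
    "admin_or_project_reader": "role:admin or (role:reader and project_id:%(project_id)s)",
    "get_zone": "rule:admin_or_project_reader",
}


def service_user_can_get_zone(rules, roles, zone_project="svc-proj"):
    """Constructed scenario: the 'designate' service user, scoped to the assumed
    project 'svc-proj', performs the GET zone that neutron's designate_admin
    client triggers before creating the recordset."""
    target = {"project_id": zone_project}
    creds = {"project_id": "svc-proj", "roles": list(roles)}
    return enforce(rules, "get_zone", target, creds)


if __name__ == "__main__":
    for label, rules in (("old defaults", OLD_ZONE_RULES), ("new defaults", NEW_ZONE_RULES)):
        for roles in (["service"], ["service", "admin"]):
            verdict = "allowed" if service_user_can_get_zone(rules, roles) else "403 Forbidden"
            print(label, roles, "->", verdict)
```

Run as a script, it shows the service-role-only user passing the old owner rule on its own zone, failing the new rule because "service" is neither admin nor a project reader, and passing again once "admin" is added, which is the effect of the devstack plugin change. On a real deployment the corresponding check is "openstack role assignment list --user designate --names", which lists the roles the service user actually holds.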