Bug
Resolution: Done
Major
Important
This was noticed when running tempest [1] tests for heat.
Traceback in heat-engine logs:
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     handler_data = handler(*args)
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/heat/engine/resources/openstack/nova/server.py", line 845, in handle_create
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     self._create_transport_credentials(self.properties)
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/heat/engine/resources/server_base.py", line 156, in _create_transport_credentials
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     self._create_user()
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/heat/engine/resources/stack_user.py", line 44, in _create_user
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     user_id = self.keystone().create_stack_domain_user(
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/heat/engine/clients/os/keystone/heat_keystoneclient.py", line 373, in create_stack_domain_user
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     stack_user_role = self.domain_admin_client.roles.list(
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/keystoneclient/v3/roles.py", line 203, in list
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     return super(RoleManager, self).list(**kwargs)
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/keystoneclient/base.py", line 86, in func
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     return f(*args, **new_kwargs)
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/keystoneclient/base.py", line 448, in list
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     list_resp = self._list(url_query, self.collection_key)
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/keystoneclient/base.py", line 141, in _list
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     resp, body = self.client.get(url, **kwargs)
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/keystoneauth1/adapter.py", line 395, in get
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     return self.request(url, 'GET', **kwargs)
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/keystoneauth1/adapter.py", line 554, in request
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/keystoneauth1/adapter.py", line 257, in request
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     return self.session.request(url, method, **kwargs)
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/keystoneauth1/session.py", line 986, in request
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     raise exceptions.from_response(resp, method, url)
2024-03-21 08:34:11.237 32 ERROR heat.engine.resource keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the requested action: identity:list_roles. (HTTP 403) (Request-ID: req-bd00494c-0e30-4593-9626-146fb5a6de99)
Traceback in keystone logs:
"identity:list_roles": "rule:admin_required or (role:reader and system_scope:all)" requires a scope of ['system', 'project'], request was made with domain scope.
The issue is that we've enabled `enforce_scope` by default, and heat uses the domain admin in the stack domain to list roles for users. There are other issues with enforcing the scope check in heat. After a number of discussions upstream, I think it was agreed that the scope check won't be enabled by default in OpenStack.
[1] https://sf.hosted.upshift.rdu2.redhat.com/logs/99/99/2526d356824924fbe96c482bf1024e14f1b44b97/check-gitlab-cee/component-common-edpm-rhel9-rhoso18.0-crc/1b8a3a2/controller/ci-framework-data/tests/test_operator/stest
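The policy failure described in this report, as an added example that is not heat's or keystone's own code: a small model of the oslo.policy scope check applied to the `identity:list_roles` rule quoted in the keystone log, showing why a domain-scoped stack-domain-admin token that satisfies `rule:admin_required` is still answered with a 403 once `enforce_scope` is on, and passes when it is off. The credential dictionary keys, the `admin_required` definition, and the `token_scope`/`list_roles_decision` helpers are assumptions for the example.

```python
import re
# Added example (not keystone's or heat's code): a minimal model of oslo.policy's scope
# check applied to the identity:list_roles rule from the keystone log; credential keys assumed.
class InvalidScope(Exception):
    """Raised when [oslo_policy] enforce_scope is True and the token scope is not allowed."""
# Keystone's default rule and scope types for identity:list_roles, as quoted in the report.
LIST_ROLES_RULE = "rule:admin_required or (role:reader and system_scope:all)"
LIST_ROLES_SCOPE_TYPES = ("system", "project")
RULES = {"admin_required": "role:admin"}  # assumed definition of the referenced rule
ATOM = re.compile(r"(\w+):(\w+)")

def _atom(kind, value, creds):
    if kind == "rule":
        return _check(RULES[value], creds)
    if kind == "role":
        return value in creds.get("roles", ())
    if kind == "system_scope":
        return creds.get("system_scope") == value
    raise ValueError(f"unsupported check {kind}:{value}")

def _check(expr, creds):
    # Replace each kind:value atom with its truth value, leaving only and/or/parentheses.
    boolean = ATOM.sub(lambda m: str(_atom(m.group(1), m.group(2), creds)), expr)
    if not re.fullmatch(r"(\s|True|False|and|or|\(|\))*", boolean):
        raise ValueError(f"unexpected token in rule: {expr!r}")
    return eval(boolean)  # only True/False/and/or/() remain after the check above

def token_scope(creds):
    if creds.get("system_scope"):
        return "system"
    if creds.get("domain_id"):
        return "domain"
    return "project" if creds.get("project_id") else "unscoped"

def enforce(rule, scope_types, creds, enforce_scope):
    """Scope check first (InvalidScope when enforce_scope=True), then the rule itself."""
    scope = token_scope(creds)
    if scope not in scope_types and enforce_scope:
        raise InvalidScope(f"requires a scope of {list(scope_types)}, request was made with {scope} scope.")
    # With enforce_scope=False oslo.policy only logs a warning and still evaluates the rule.
    return _check(rule, creds)

def list_roles_decision(creds, enforce_scope):
    """What keystone answers to identity:list_roles for these credentials."""
    try:
        return "allowed" if enforce(LIST_ROLES_RULE, LIST_ROLES_SCOPE_TYPES, creds, enforce_scope) else "denied"
    except InvalidScope:
        return "HTTP 403 (invalid scope)"

HEAT_DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "heat-stack-domain-id"}  # constructed: domain-scoped admin
```

Calling `list_roles_decision(HEAT_DOMAIN_ADMIN, enforce_scope=True)` reproduces the 403 from the heat-engine traceback, while the same credentials with `enforce_scope=False` are allowed because the rule itself (`role:admin`) matches.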