  1. Red Hat OpenStack Services on OpenShift
  2. OSPRH-5753

Can't create heat resources like OS::Nova::Server or OS::Heat::WaitConditionHandle

      RHOSO18Beta waived:EDPM: day2, heat

    • Important

      This was noticed when running tempest[1] tests for heat. 

      Traceback in heat-engine logs:

      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     handler_data = handler(*args)
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/heat/engine/resources/openstack/nova/server.py", line 845, in handle_create
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     self._create_transport_credentials(self.properties)
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/heat/engine/resources/server_base.py", line 156, in _create_transport_credentials
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     self._create_user()
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/heat/engine/resources/stack_user.py", line 44, in _create_user
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     user_id = self.keystone().create_stack_domain_user(
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/heat/engine/clients/os/keystone/heat_keystoneclient.py", line 373, in create_stack_domain_user
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     stack_user_role = self.domain_admin_client.roles.list(
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/keystoneclient/v3/roles.py", line 203, in list
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     return super(RoleManager, self).list(**kwargs)
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/keystoneclient/base.py", line 86, in func
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     return f(*args, **new_kwargs)
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/keystoneclient/base.py", line 448, in list
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     list_resp = self._list(url_query, self.collection_key)
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/keystoneclient/base.py", line 141, in _list
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     resp, body = self.client.get(url, **kwargs)
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/keystoneauth1/adapter.py", line 395, in get
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     return self.request(url, 'GET', **kwargs)
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/keystoneauth1/adapter.py", line 554, in request
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/keystoneauth1/adapter.py", line 257, in request
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     return self.session.request(url, method, **kwargs)
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource   File "/usr/lib/python3.9/site-packages/keystoneauth1/session.py", line 986, in request
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource     raise exceptions.from_response(resp, method, url)
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the requested action: identity:list_roles. (HTTP 403) (Request-ID: req-bd00494c-0e30-4593-9626-146fb5a6de99)
      2024-03-21 08:34:11.237 32 ERROR heat.engine.resource

      Traceback in keystone logs:

      "identity:list_roles": "rule:admin_required or (role:reader and system_scope:all)" requires a scope of ['system', 'project'], request was made with domain scope. 

      The issue is that we've enabled `enforce_scope` by default, and Heat uses the domain admin in the stack domain to list roles for users. There are other issues with enforcing the scope check with Heat. After a number of discussions upstream, I think it was agreed that the scope check won't be enabled by default in OpenStack.

       [1]https://sf.hosted.upshift.rdu2.redhat.com/logs/99/99/2526d356824924fbe96c482bf1024e14f1b44b97/check-gitlab-cee/component-common-edpm-rhel9-rhoso18.0-crc/1b8a3a2/controller/ci-framework-data/tests/test_operator/stest

            rhn-support-ramishra Rabi Mishra
            rhn-support-ramishra Rabi Mishra
            David Rosenfeld David Rosenfeld
            rhos-dfg-df
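A simplified model of the scope-type check behind the keystone message quoted in the report, added here as an illustration (it is not code from Heat, keystone or oslo.policy). The credential dictionaries are constructed, and reading `admin_required` as "holds the admin role" is an assumption.

```python
class InvalidScope(Exception):
    """Token scope is not one the policy accepts."""


# Scope types taken from the keystone log line on this page.
SCOPE_TYPES = {"identity:list_roles": ["system", "project"]}


def token_scope(creds):
    """Classify credentials as system-, domain- or project-scoped."""
    if creds.get("system_scope"):
        return "system"
    if creds.get("domain_id"):
        return "domain"
    return "project"


def check_rule(creds):
    """rule:admin_required or (role:reader and system_scope:all).
    Assumption: admin_required is modelled as holding the 'admin' role."""
    roles = creds.get("roles", [])
    return "admin" in roles or ("reader" in roles and creds.get("system_scope") == "all")


def enforce(rule, creds, enforce_scope):
    """Return (allowed, warnings); raise InvalidScope if scope is enforced and wrong."""
    warnings = []
    scope = token_scope(creds)
    allowed = SCOPE_TYPES[rule]
    if scope not in allowed:
        msg = f"{rule} requires a scope of {allowed}, request was made with {scope} scope."
        if enforce_scope:
            raise InvalidScope(msg)  # the caller sees this as HTTP 403
        warnings.append(msg)         # mismatch is only logged; the rule still decides
    return check_rule(creds), warnings


# Constructed credentials: a domain-scoped admin (as Heat's stack-domain admin is
# described in the report) and a system-scoped reader for comparison.
HEAT_DOMAIN_ADMIN = {"roles": ["admin"], "domain_id": "constructed-stack-domain-id"}
SYSTEM_READER = {"roles": ["reader"], "system_scope": "all"}

if __name__ == "__main__":
    print(enforce("identity:list_roles", SYSTEM_READER, enforce_scope=True))
    print(enforce("identity:list_roles", HEAT_DOMAIN_ADMIN, enforce_scope=False))
    try:
        enforce("identity:list_roles", HEAT_DOMAIN_ADMIN, enforce_scope=True)
    except InvalidScope as exc:
        print("403:", exc)
```

With `enforce_scope` off, the domain-scoped admin passes on its role alone and the scope mismatch shows up only as a warning, which is the log line to watch for when auditing which services still call keystone with domain-scoped tokens.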