osdir.com


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[mistral] cron triggers execution fails on identity:validate_token with non-admin users


Hi Sa Pham


Yes this is the good one.

Bo Tran pointed it to me yesterday as well and it fixed the issue.

See also: https://bugs.launchpad.net/mistral/+bug/1843175

Many Thanks to both of you !


Best Regards

Francois Scheurer




On 9/13/19 3:23 PM, Sa Pham wrote:
> Hi Francois,
>
> You can try this patch: https://review.opendev.org/#/c/680858/
>
> Sa Pham
>
> On Thu, Sep 12, 2019 at 11:49 PM Francois Scheurer 
> <francois.scheurer at everyware.ch 
> <mailto:francois.scheurer at everyware.ch>> wrote:
>
>     Hello
>
>
>
>     Apparently other people have the same issue and cannot use cron
>     triggers anymore:
>
>     https://bugs.launchpad.net/mistral/+bug/1843175
>
>
>     We also tried with following patch installed but the same error
>     persists:
>
>     https://opendev.org/openstack/mistral/commit/6102c5251e29c1efe73c92935a051feff0f649c7?style=split
>
>
>
>     Cheers
>
>     Francois
>
>
>
>
>     On 9/9/19 6:23 PM, Francois Scheurer wrote:
>>
>>     Dear All
>>
>>
>>     We are using Mistral 7.0.1.1 with  Openstack Rocky. (with
>>     federated users)
>>
>>     We can create and execute a workflow via horizon, but cron
>>     triggers always fail with this error:
>>
>>         {
>>             "result":
>>                 "The action raised an exception [
>>     action_ex_id=ef878c48-d0ad-4564-9b7e-a06f07a70ded,
>>                         action_cls='<class
>>     'mistral.actions.action_factory.NovaAction'>',
>>                         attributes='{u'client_method_name':
>>     u'servers.find'}',
>>                         params='{
>>                             u'action_region': u'ch-zh1',
>>                             u'name':
>>     u'42724489-1912-44d1-9a59-6c7a4bebebfa'
>>                         }'
>>                     ]
>>                     \n NovaAction.servers.find failed: You are not
>>     authorized to perform the requested action:
>>     identity:validate_token. (HTTP 403) (Request-ID:
>>     req-ec1aea36-c198-4307-bf01-58aca74fad33)
>>                 "
>>         }
>>
>>     Adding the role *admin* or *service* to the user logged in
>>     horizon is "fixing" the issue, I mean that the cron trigger then
>>     works as expected,
>>
>>     but it would be obviously a bad idea to do this for all normal
>>     users ;-)
>>
>>     So my question: is it a config problem on our side ? is it a
>>     known bug? or is it a feature in the sense that cron triggers are
>>     for normal users?
>>
>>
>>     After digging in the keystone debug logs (see at the end below),
>>     I found that RBAC check identity:validate_token an deny the
>>     authorization.
>>
>>     But according to the policy.json (in keystone and in horizon),
>>     rule:owner should be enough to grant it...:
>>
>>                 "identity:validate_token": "rule:service_admin_or_owner",
>>                     "service_admin_or_owner": "rule:service_or_admin
>>     or rule:owner",
>>                         "service_or_admin": "rule:admin_required or
>>     rule:service_role",
>>                             "service_role": "role:service",
>>                         "owner": "user_id:%(user_id)s or
>>     user_id:%(target.token.user_id)s",
>>
>>     Thank you in advance for your help.
>>
>>
>>     Best Regards
>>
>>     Francois Scheurer
>>
>>
>>
>>
>>     Keystone logs:
>>
>>             2019-09-05 09:38:00.902 29 DEBUG
>>     keystone.policy.backends.rules
>>     [req-1a276b9d-8276-4ec3-b516-f51f86cd1df6 fsc fscproject -
>>     testdom testdom]
>>                 enforce identity:validate_token:
>>                 {
>>                    'service_project_id':None,
>>                    'service_user_id':None,
>>                    'service_user_domain_id':None,
>>                    'service_project_domain_id':None,
>>                    'trustor_id':None,
>>                    'user_domain_id':u'testdom',
>>                    'domain_id':None,
>>                    'trust_id':u'mytrustid',
>>                    'project_domain_id':u'testdom',
>>                    'service_roles':[],
>>                    'group_ids':[],
>>                    'user_id':u'fsc',
>>                    'roles':[
>>                       u'_member_',
>>                       u'creator',
>>                       u'reader',
>>                       u'heat_stack_owner',
>>                       u'member',
>>                       u'load-balancer_member'],
>>                    'system_scope':None,
>>                    'trustee_id':None,
>>                    'domain_name':None,
>>                    'is_admin_project':True,
>>                    'token':<TokenModel
>>     (audit_id=0LAsW_0dQMWXh2cTZTLcWA,
>>     audit_chain_id=[u'0LAsW_0dQMWXh2cTZTLcWA']) at 0x7f208f4a3bd0>,
>>                    'project_id':u'fscproject'
>>                 } enforce
>>     /var/lib/kolla/venv/local/lib/python2.7/site-packages/keystone/policy/backends/rules.py:33
>>             2019-09-05 09:38:00.920 29 WARNING keystone.common.wsgi
>>     [req-1a276b9d-8276-4ec3-b516-f51f86cd1df6 fsc fscproject -
>>     testdom testdom]
>>                 You are not authorized to perform the requested
>>     action: identity:validate_token.: *ForbiddenAction: You are not
>>     authorized to perform the requested action: identity:validate_token.*
>>
>>
>>     -- 
>>
>>
>>     EveryWare AG
>>     François Scheurer
>>     Senior Systems Engineer
>>     Zurlindenstrasse 52a
>>     CH-8003 Zürich
>>
>>     tel: +41 44 466 60 00
>>     fax: +41 44 466 60 10
>>     mail:francois.scheurer at everyware.ch  <mailto:francois.scheurer at everyware.ch>
>>     web:http://www.everyware.ch  
>
>     -- 
>
>
>     EveryWare AG
>     François Scheurer
>     Senior Systems Engineer
>     Zurlindenstrasse 52a
>     CH-8003 Zürich
>
>     tel: +41 44 466 60 00
>     fax: +41 44 466 60 10
>     mail:francois.scheurer at everyware.ch  <mailto:francois.scheurer at everyware.ch>
>     web:http://www.everyware.ch  
>
>
>
> -- 
> Sa Pham Dang
> Master Student - Soongsil University
> Kakaotalk: sapd95
> Skype: great_bn
>
>
-- 


EveryWare AG
François Scheurer
Senior Systems Engineer
Zurlindenstrasse 52a
CH-8003 Zürich

tel: +41 44 466 60 00
fax: +41 44 466 60 10
mail: francois.scheurer at everyware.ch
web: http://www.everyware.ch

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20190913/8ad1330e/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5230 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20190913/8ad1330e/attachment-0001.bin>