Hi Liam,

As you said, this is a known issue of the "policy.v3cloudsample.json"
policy file. The cloud_admin rule is supposed to be something like: either I
have a project scoped token for the "is_admin" project with the admin role,
or I have a domain scoped token for the specified domain with the admin
role.

Currently, we are studying the possibility of merging both files. We also
have weekly meetings focused only on policy [1].

[1] http://eavesdrop.openstack.org/#Keystone_Policy_Meeting

On Tue, Jan 24, 2017 at 9:16 AM, Liam Young <liam.yo...@canonical.com> wrote:

> Hi,
>
> Firstly, apologies for the cross post from openstack@l.o.o but I think
> this is a more appropriate mailing list and I'd like to add some more
> information.
>
> I have been running tempest full against a Keystone v3 enabled cloud using
> the stable newton policy.v3cloudsample.json *1 and it is failing for me. I
> then checked what was happening at Keystone gate *2 and saw that the v3
> gate jobs appear to be using the old policy.json *3 which I assume is
> deprecated for v3 as granting the admin role on anything in-effect gives a
> user cloud-admin.
>
> My questions are:
> 1) Should gate be using policy.v3cloudsample.json to run v3 tests?
> 2) Should I expect a tempest full run to pass against a Newton deployment
> using policy.v3cloudsample.json ?
>
> What I'm seeing is that some tests (like tempest.api.compute.admin.test_quotas)
> fail when they try and list_domains. This seems to be because the test
> creates:
>
> 1) A new project in the admin domain
> 2) A new user in the admin domain
> 3) Grants the admin role on the new project to the new user.
>
> The test then authenticates with the new user's credentials and attempts to
> list_domains. The policy.json, however, has:
>
>     "cloud_admin": "role:admin and (token.is_admin_project:True or domain_id:363ab68785c24c81a784edca1bceb935)",
> ...
>     "identity:list_domains": "rule:cloud_admin",
>
> From tempest I see:
>
> ======================================================================
> FAIL: tempest.api.compute.admin.test_quotas.QuotasAdminTestJSON.test_delete_quota[id-389d04f0-3a41-405f-9317-e5f86e3c44f0]
> tags: worker-0
> ----------------------------------------------------------------------
> Empty attachments:
>   stderr
>   stdout
>
> pythonlogging:'': {{{2017-01-23 15:57:09,806 2014 INFO [tempest.lib.common.rest_client] Request (QuotasAdminTestJSON:test_delete_quota):
> 403 GET http://10.5.36.109:35357/v3/domains?name=admin_domain 0.066s}}}
>
> Traceback (most recent call last):
>   File "tempest/api/compute/admin/test_quotas.py", line 128, in
> test_delete_quota
>     project = self.identity_utils.create_project(name=project_name,
>   File "tempest/test.py", line 470, in identity_utils
>     project_domain_name=domain)
>   File "tempest/lib/common/cred_client.py", line 210, in get_creds_client
>     roles_client, domains_client, project_domain_name)
>   File "tempest/lib/common/cred_client.py", line 142, in __init__
>     name=domain_name)['domains'][0]
>   File "tempest/lib/services/identity/v3/domains_client.py", line 57, in
> list_domains
>     resp, body = self.get(url)
>   File "tempest/lib/common/rest_client.py", line 290, in get
>     return self.request('GET', url, extra_headers, headers)
>   File "tempest/lib/common/rest_client.py", line 663, in request
>     self._error_checker(resp, resp_body)
>   File "tempest/lib/common/rest_client.py", line 755, in _error_checker
>     raise exceptions.Forbidden(resp_body, resp=resp)
> tempest.lib.exceptions.Forbidden: Forbidden
> Details: {u'message': u'You are not authorized to perform the requested
> action: identity:list_domains', u'code': 403, u'title': u'Forbidden'}
>
> In the keystone log I see:
>
> (keystone.policy.backends.rules): 2017-01-23 15:35:57,198 DEBUG enforce
> identity:list_domains: {'is_delegated_auth': False,
> 'access_token_id': None,
> 'user_id': u'3fd9e70825d648d996080d855cf9c181',
> 'roles': [u'Admin'],
> 'user_domain_id': u'363ab68785c24c81a784edca1bceb935',
> 'consumer_id': None,
> 'trustee_id': None,
> 'is_domain': False,
> 'trustor_id': None,
> 'token': <KeystoneToken (audit_id=4cQHEfwhSvuvibK4TAjKUw, audit_chain_id=4cQHEfwhSvuvibK4TAjKUw) at 0x7fbcceaa33c8>,
> 'project_id': u'b48ba24e96d84de4a48077b9310faac7',
> 'trust_id': None,
> 'project_domain_id': u'363ab68785c24c81a784edca1bceb935'}
> (keystone.common.wsgi): 2017-01-23 15:35:57,199 WARNING You are not
> authorized to perform the requested action: identity:list_domains
>
> This appears to be project scoped. If I update the policy.json to grant
> cloud_admin if the project is the admin domain then that seems to fix
> things. The change I'm trying is:
>
>  3c3,4
> <     "cloud_admin": "role:admin and (token.is_admin_project:True or
> domain_id:admin_domain_id)",
> ---
> >     "bob": "project_domain_id:363ab68785c24c81a784edca1bceb935 or
> domain_id:363ab68785c24c81a784edca1bceb935",
> >     "cloud_admin": "role:admin and (token.is_admin_project:True or
> rule:bob)",
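
Review bot: the new `bob` rule widens `cloud_admin` beyond the check it replaces. `project_domain_id:363ab68785c24c81a784edca1bceb935` is true for a token scoped to any project that lives in the admin domain, so every user granted the admin role on any such project becomes cloud admin, whereas the replaced `domain_id:admin_domain_id` leg only matched a token scoped to the admin domain itself. That is exactly what lets the test's per-run project admin call `identity:list_domains`, so it is a test-environment relaxation rather than a fix to the sample policy; if it is kept, give the rule a descriptive name in place of `bob` (e.g. `admin_domain_project`) so the broadened grant is visible to anyone reading the file. Note also that the `<` line still carries the sample file's `admin_domain_id` placeholder, so the real-id substitution on the `>` lines has to be applied consistently wherever the sample is deployed.
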
>
> I did notice this comment on Bug #1451987 *4:
>
> If you see following errors for all identity api v3 tests, then please be
> known that it's not a bug in tempest, rather you need to change keystone
> v3 policy.json and make it more relaxed so tempest can authorize with users
> created for each test with separate projects (tenants) because we set
> tenant_isolation to True in tempest.conf ...
>
> This suggests to me that it is expected for policy.json to need tweaking.
>
> Regards
> Liam
>
> *1 https://github.com/openstack/keystone/blob/stable/newton/etc/policy.v3cloudsample.json
> *2 http://logs.openstack.org/66/418166/10/check/gate-keystone-dsvm-functional-v3-only-ubuntu-xenial-nv/fc0af39/logs/etc/keystone/policy.json.txt.gz
> *3 https://github.com/openstack/keystone/blob/master/etc/policy.json
> *4 https://bugs.launchpad.net/tempest/+bug/1451987/comments/2
>


-- 
Rodrigo Duarte Sousa
Senior Quality Engineer @ Red Hat
MSc in Computer Science
http://rodrigods.com
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
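
To make the rule semantics discussed in this thread concrete, here is an added example (my own code, not keystone's, oslo.policy's or either poster's) that evaluates `identity:list_domains` under the stable/newton `cloud_admin` rule and under the relaxed rule from the diff, against credentials constructed from the keystone DEBUG line quoted above. The token object in that log line is modelled as a dict with an `is_admin_project` key, the other-domain id is a placeholder, and the matching semantics (case-insensitive role match, dotted lookup into the credentials, `True`/`False` compared as booleans, anything else compared as strings, a missing credential key failing the check) are oslo.policy's as I understand them, reimplemented here rather than imported.

```python
"""Slice of the oslo.policy rule language used in this thread (role:X, rule:NAME,
KEY:VALUE checks with dotted keys, and/or, parentheses). Added example, not keystone's
or oslo.policy's code; the matching semantics follow oslo.policy as I understand them."""
import re

ADMIN_DOMAIN = "363ab68785c24c81a784edca1bceb935"  # admin domain id quoted in the thread

# Rules quoted from the stable/newton policy.v3cloudsample.json.
NEWTON_RULES = {
    "cloud_admin": "role:admin and (token.is_admin_project:True or domain_id:%s)" % ADMIN_DOMAIN,
    "identity:list_domains": "rule:cloud_admin",
}
# Rules from the diff in the thread.
RELAXED_RULES = dict(NEWTON_RULES,
                     bob="project_domain_id:%s or domain_id:%s" % (ADMIN_DOMAIN, ADMIN_DOMAIN),
                     cloud_admin="role:admin and (token.is_admin_project:True or rule:bob)")

_TOKEN_RE = re.compile(r"\(|\)|\band\b|\bor\b|[^\s()]+")

def _parse(rule):
    """expr := term ('or' term)*; term := atom ('and' atom)*; atom := '(' expr ')' | KIND:MATCH.
    'and' binds tighter than 'or', as in oslo.policy; the result is a tree of nested tuples."""
    tokens, pos = _TOKEN_RE.findall(rule), [0]
    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None
    def take():
        pos[0] += 1
        return tokens[pos[0] - 1] if pos[0] <= len(tokens) else None
    def expr():
        node = term()
        while peek() == "or":
            take()
            node = ("or", node, term())
        return node
    def term():
        node = atom()
        while peek() == "and":
            take()
            node = ("and", node, atom())
        return node
    def atom():
        tok = take()
        if tok == "(":
            node = expr()
            if take() != ")":
                raise ValueError("unbalanced parenthesis in %r" % rule)
            return node
        if tok is None or ":" not in tok:
            raise ValueError("expected KIND:MATCH in %r" % rule)
        return ("check",) + tuple(tok.split(":", 1))
    node = expr()
    if peek() is not None:
        raise ValueError("trailing tokens in %r" % rule)
    return node

def _check(kind, match, creds, rules):
    if kind == "role":  # RoleCheck: case-insensitive membership test
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    if kind == "rule":  # RuleCheck: defer to another named rule
        return _eval(_parse(rules[match]), creds, rules)
    value = creds  # GenericCheck: token.is_admin_project -> creds["token"]["is_admin_project"]
    for part in kind.split("."):
        if not isinstance(value, dict) or part not in value:
            return False  # e.g. a project-scoped token carries no domain_id at all
        value = value[part]
    if match.lower() in ("true", "false"):
        return bool(value) == (match.lower() == "true")
    return match == str(value)

def _eval(node, creds, rules):
    if node[0] == "and":
        return _eval(node[1], creds, rules) and _eval(node[2], creds, rules)
    if node[0] == "or":
        return _eval(node[1], creds, rules) or _eval(node[2], creds, rules)
    return _check(node[1], node[2], creds, rules)

def enforce(action, creds, rules):
    """True when creds satisfy the rule registered for action."""
    return _eval(_parse(rules[action]), creds, rules)

# Constructed from the keystone DEBUG line in the thread: admin role on a project in the
# admin domain, token scoped to that project; the token object is modelled as a dict.
PROJECT_SCOPED = {
    "roles": ["Admin"],
    "user_id": "3fd9e70825d648d996080d855cf9c181",
    "project_id": "b48ba24e96d84de4a48077b9310faac7",
    "project_domain_id": ADMIN_DOMAIN,
    "token": {"is_admin_project": False},
}
# Constructed: the same user holding a domain-scoped token for the admin domain.
DOMAIN_SCOPED = {"roles": ["Admin"], "domain_id": ADMIN_DOMAIN, "token": {"is_admin_project": False}}
# Constructed: an admin on a project in some other domain (placeholder id).
OTHER_DOMAIN = dict(PROJECT_SCOPED, project_domain_id="<other-domain-id>")

if __name__ == "__main__":
    for label, creds, rules in [("newton/project-scoped", PROJECT_SCOPED, NEWTON_RULES),
                                ("newton/domain-scoped", DOMAIN_SCOPED, NEWTON_RULES),
                                ("relaxed/project-scoped", PROJECT_SCOPED, RELAXED_RULES),
                                ("relaxed/other-domain", OTHER_DOMAIN, RELAXED_RULES)]:
        print("%-24s identity:list_domains -> %s" % (label, enforce("identity:list_domains", creds, rules)))
```

Running it reproduces the 403 from the thread: the project-scoped token has a `project_domain_id` but no `domain_id`, so the `domain_id:` leg fails and only a domain-scoped token for the admin domain (or a token with `is_admin_project` set) passes the stock rule. Under the relaxed rule the same project-scoped token passes, and so does any admin on any project in the admin domain, which is the widening the diff buys; an admin on a project in another domain is still refused.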
