Hi Liam,

As you said, this is a known issue of the "policy.v3cloudsample.json" policy file. The cloud_admin rule is supposed to be something like: either I have a project scoped token for the "is_admin" project with the admin role, or I have a domain scoped token for the specified domain with the admin role.

Currently, we are studying the possibility to merge both files. We also have weekly meetings focused only on policy [1].

[1] http://eavesdrop.openstack.org/#Keystone_Policy_Meeting

On Tue, Jan 24, 2017 at 9:16 AM, Liam Young <liam.yo...@canonical.com> wrote:
> Hi,
>
> Firstly, apologies for the cross post from openstack@l.o.o but I think this is a more appropriate mailing list and I'd like to add some more information.
>
> I have been running tempest full against a Keystone v3 enabled cloud using the stable newton policy.v3cloudsample.json *1 and it is failing for me. I then checked what was happening at Keystone gate *2 and saw that the v3 gate jobs appear to be using the old policy.json *3 which I assume is deprecated for v3 as granting the admin role on anything in effect gives a user cloud-admin.
>
> My questions are:
> 1) Should gate be using policy.v3cloudsample.json to run v3 tests?
> 2) Should I expect a tempest full run to pass against a Newton deployment using policy.v3cloudsample.json?
>
> What I'm seeing is that some tests (like tempest.api.compute.admin.test_quotas) fail when they try and list_domains. This seems to be because the test creates:
>
> 1) A new project in the admin domain
> 2) A new user in the admin domain
> 3) Grants the admin role on the new project to the new user.
>
> The test then authenticates with the new user's credentials and attempts to list_domains. The policy.json, however, has:
>
>     "cloud_admin": "role:admin and (token.is_admin_project:True or domain_id:363ab68785c24c81a784edca1bceb935)",
>     ...
>     "identity:list_domains": "rule:cloud_admin",
>
> From tempest I see:
>
> ======================================================================
> FAIL: tempest.api.compute.admin.test_quotas.QuotasAdminTestJSON.test_delete_quota[id-389d04f0-3a41-405f-9317-e5f86e3c44f0]
> tags: worker-0
> ----------------------------------------------------------------------
> Empty attachments:
>   stderr
>   stdout
>
> pythonlogging:'': {{{2017-01-23 15:57:09,806 2014 INFO [tempest.lib.common.rest_client] Request (QuotasAdminTestJSON:test_delete_quota): 403 GET http://10.5.36.109:35357/v3/domains?name=admin_domain 0.066s}}}
>
> Traceback (most recent call last):
>   File "tempest/api/compute/admin/test_quotas.py", line 128, in test_delete_quota
>     project = self.identity_utils.create_project(name=project_name,
>   File "tempest/test.py", line 470, in identity_utils
>     project_domain_name=domain)
>   File "tempest/lib/common/cred_client.py", line 210, in get_creds_client
>     roles_client, domains_client, project_domain_name)
>   File "tempest/lib/common/cred_client.py", line 142, in __init__
>     name=domain_name)['domains'][0]
>   File "tempest/lib/services/identity/v3/domains_client.py", line 57, in list_domains
>     resp, body = self.get(url)
>   File "tempest/lib/common/rest_client.py", line 290, in get
>     return self.request('GET', url, extra_headers, headers)
>   File "tempest/lib/common/rest_client.py", line 663, in request
>     self._error_checker(resp, resp_body)
>   File "tempest/lib/common/rest_client.py", line 755, in _error_checker
>     raise exceptions.Forbidden(resp_body, resp=resp)
> tempest.lib.exceptions.Forbidden: Forbidden
> Details: {u'message': u'You are not authorized to perform the requested action: identity:list_domains', u'code': 403, u'title': u'Forbidden'}
>
> In the keystone log I see:
>
> (keystone.policy.backends.rules): 2017-01-23 15:35:57,198 DEBUG enforce identity:list_domains: {'is_delegated_auth': False,
>  'access_token_id': None,
>  'user_id': u'3fd9e70825d648d996080d855cf9c181',
>  'roles': [u'Admin'],
>  'user_domain_id': u'363ab68785c24c81a784edca1bceb935',
>  'consumer_id': None,
>  'trustee_id': None,
>  'is_domain': False,
>  'trustor_id': None,
>  'token': <KeystoneToken (audit_id=4cQHEfwhSvuvibK4TAjKUw, audit_chain_id=4cQHEfwhSvuvibK4TAjKUw) at 0x7fbcceaa33c8>,
>  'project_id': u'b48ba24e96d84de4a48077b9310faac7',
>  'trust_id': None,
>  'project_domain_id': u'363ab68785c24c81a784edca1bceb935'}
> (keystone.common.wsgi): 2017-01-23 15:35:57,199 WARNING You are not authorized to perform the requested action: identity:list_domains
>
> This appears to be project scoped. If I update the policy.json to grant cloud_admin if the project is in the admin domain then that seems to fix things. The change I'm trying is:
>
> 3c3,4
> < "cloud_admin": "role:admin and (token.is_admin_project:True or
> domain_id:admin_domain_id)",
> ---
> > "bob": "project_domain_id:363ab68785c24c81a784edca1bceb935 or
> domain_id:363ab68785c24c81a784edca1bceb935",
> > "cloud_admin": "role:admin and (token.is_admin_project:True or
> rule:bob)",
>
> I did notice this comment on Bug #1451987 *4:
>
> If you see following errors for all identity api v3 tests, then please be known that it's not a bug in tempest, rather you need to change keystone v3 policy.json and make it more relaxed so tempest can authorize with users created for each test with separate projects(tenants) because we set tenant_isolation to True in tempest.conf ...
>
> This suggests to me that it is expected for policy.json to need tweaking.
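Review bot: the `bob` rule in the `>` lines widens cloud_admin well beyond the `<` line it replaces: `project_domain_id:363ab...` is true for a token scoped to any project in that domain, so every user who holds the admin role on any project created in the admin domain (which is exactly what tempest's per-test credentials are) becomes a cloud admin, not only the holder of a token for the is_admin project or a domain scoped token for the admin domain. If that is acceptable for a test deployment, state it in the rule; for anything else, narrow the check to the admin project rather than the whole domain. Two smaller points: `bob` is not a descriptive rule name (something like `admin_domain_scope` reads better next to `cloud_admin`), and the `>` lines hard-code the raw domain id where the `<` line kept the `admin_domain_id` placeholder, so the patched file no longer works as a sample to be filled in at deploy time.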
>
> Regards
> Liam
>
> *1 https://github.com/openstack/keystone/blob/stable/newton/etc/policy.v3cloudsample.json
> *2 http://logs.openstack.org/66/418166/10/check/gate-keystone-dsvm-functional-v3-only-ubuntu-xenial-nv/fc0af39/logs/etc/keystone/policy.json.txt.gz
> *3 https://github.com/openstack/keystone/blob/master/etc/policy.json
> *4 https://bugs.launchpad.net/tempest/+bug/1451987/comments/2
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>

--
Rodrigo Duarte Sousa
Senior Quality Engineer @ Red Hat
MSc in Computer Science
http://rodrigods.com
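To make the policy decision discussed in this thread concrete, here is an added example (not code from the thread, from keystone or from oslo.policy): a small Python evaluator for the subset of the oslo.policy rule language the cloud_admin rule uses (`role:` checks, `rule:` references, `key:value` and dotted `token.key:value` checks against the credential dict, `and`/`or` and parentheses), run against the credential dict from Liam's keystone debug log with both the stock rule and his patched one. The credential dict is reconstructed from the log with the KeystoneToken object replaced by a plain dict; `is_admin_project=False` is an assumption (the log does not print it), and the domain scoped token and the other-domain project token are constructed for contrast. The evaluator mirrors the documented behaviour of oslo.policy's RoleCheck (case-insensitive role match), RuleCheck and GenericCheck (string comparison, false when the key is absent) but is a simplified re-implementation, not the library.

```python
import re

ADMIN_DOMAIN = "363ab68785c24c81a784edca1bceb935"  # admin domain id from the thread

# cloud_admin as quoted from policy.v3cloudsample.json, and the rule that uses it.
ORIGINAL_POLICY = {
    "cloud_admin": "role:admin and (token.is_admin_project:True or domain_id:%s)" % ADMIN_DOMAIN,
    "identity:list_domains": "rule:cloud_admin",
}
# Liam's change: also accept a project scoped token whose project is in the admin domain.
PATCHED_POLICY = {
    "bob": "project_domain_id:%s or domain_id:%s" % (ADMIN_DOMAIN, ADMIN_DOMAIN),
    "cloud_admin": "role:admin and (token.is_admin_project:True or rule:bob)",
    "identity:list_domains": "rule:cloud_admin",
}
# Credentials reconstructed from the keystone debug log in the thread; the KeystoneToken
# object is replaced by a dict and is_admin_project=False is an assumption (not in the log).
TEMPEST_PROJECT_TOKEN = {
    "roles": ["Admin"],  # capitalised as in the log; RoleCheck compares case-insensitively
    "project_id": "b48ba24e96d84de4a48077b9310faac7",
    "project_domain_id": ADMIN_DOMAIN,
    "token": {"is_admin_project": False},
}
# Constructed for contrast: a domain scoped admin token for the admin domain (the intended
# cloud_admin case, per Rodrigo) and a project scoped admin token in some other domain.
DOMAIN_SCOPED_TOKEN = {"roles": ["admin"], "domain_id": ADMIN_DOMAIN, "token": {"is_admin_project": False}}
OTHER_DOMAIN_PROJECT_TOKEN = dict(TEMPEST_PROJECT_TOKEN, project_domain_id="constructed-other-domain")
_TOKEN_RE = re.compile(r"\(|\)|\band\b|\bor\b|[^\s()]+")

def _parse(rule):
    """Parse a rule string into a nested tuple tree; 'and' binds tighter than 'or'."""
    toks = _TOKEN_RE.findall(rule) + [None]  # None marks end of input
    pos = 0
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def expr():  # or_expr := and_expr ('or' and_expr)*
        node = conj()
        while toks[pos] == "or":
            take()
            node = ("or", node, conj())
        return node
    def conj():  # and_expr := atom ('and' atom)*
        node = atom()
        while toks[pos] == "and":
            take()
            node = ("and", node, atom())
        return node
    def atom():  # atom := '(' or_expr ')' | kind ':' match
        tok = take()
        if tok == "(":
            node = expr()
            if take() != ")":
                raise ValueError("missing ')' in %r" % rule)
            return node
        kind, sep, match = (tok or "").partition(":")
        if not sep:
            raise ValueError("malformed check %r in %r" % (tok, rule))
        return ("check", kind, match)
    node = expr()
    if toks[pos] is not None:
        raise ValueError("unexpected %r in %r" % (toks[pos], rule))
    return node

def _eval(node, creds, policy):
    op = node[0]
    if op == "and":
        return _eval(node[1], creds, policy) and _eval(node[2], creds, policy)
    if op == "or":
        return _eval(node[1], creds, policy) or _eval(node[2], creds, policy)
    kind, match = node[1], node[2]
    if kind == "role":  # RoleCheck: case-insensitive membership in creds['roles']
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    if kind == "rule":  # RuleCheck: defer to another named rule
        return enforce(policy, match, creds)
    value = creds  # GenericCheck: 'a.b:literal' holds when str(creds['a']['b']) == 'literal'
    for part in kind.split("."):
        if not isinstance(value, dict) or part not in value:
            return False  # missing key, e.g. no domain_id on a project scoped token
        value = value[part]
    return str(value) == match

def enforce(policy, rule_name, creds):
    """True if rule_name grants access for creds; unknown rule names are denied."""
    return rule_name in policy and _eval(_parse(policy[rule_name]), creds, policy)

def list_domains_outcomes():
    """(original, patched) decisions for identity:list_domains, per token kind."""
    cases = {"tempest_project_token": TEMPEST_PROJECT_TOKEN,
             "domain_scoped_token": DOMAIN_SCOPED_TOKEN,
             "other_domain_project_token": OTHER_DOMAIN_PROJECT_TOKEN}
    return {name: (enforce(ORIGINAL_POLICY, "identity:list_domains", c),
                   enforce(PATCHED_POLICY, "identity:list_domains", c))
            for name, c in cases.items()}

if __name__ == "__main__":
    for name, (orig, patched) in list_domains_outcomes().items():
        print("%-28s original=%-5s patched=%s" % (name, orig, patched))
```

Running it shows the 403 from the thread: the tempest token is project scoped, so the credential dict carries `project_domain_id` but no `domain_id`, and with `is_admin_project` false neither branch of the original `cloud_admin` rule can match. The same run shows what the patch trades away: with `bob` in place, any project scoped admin token whose project lives in the admin domain now passes `identity:list_domains`, while a domain scoped admin token passes under both versions and an admin token for a project in another domain is refused under both.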