Public bug reported:
Currently when [oslo_policy] enforce_scope is set to True along with
[oslo_policy] enforce_new_defaults = True, domain admins are not allowed
to manage credentials.
However, this limitation breaks heat, because heat requires creating
credentials (used, for example, by its notification mechanism) with
its own stack domain admin credential.
```
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: ERROR
heat.engine.check_resource [None req-f3f9047b-8ac5-46f0-b8df-eafa473cb252 demo
None] Unexpected exception in resource check.:
keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the
requested action: identity:create_credential. (HTTP 403) (Request-ID:
req-ff29e4ea-c6bc-48c5-88f4-fa4cb1893a87)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource Traceback (most recent call last):
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource File
"/opt/stack/heat/heat/engine/check_resource.py", line 311, in check
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource
self._initiate_propagate_resource(cnxt, resource_id,
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource File
"/opt/stack/heat/heat/engine/check_resource.py", line 251, in
_initiate_propagate_resource
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource input_data =
_get_input_data(req_node, input_forward_data)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource File
"/opt/stack/heat/heat/engine/check_resource.py", line 233, in _get_input_data
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource return rsrc.node_data().as_dict()
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource File
"/opt/stack/heat/heat/engine/resource.py", line 1154, in node_data
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource self.FnGetRefId(), attribute_values,
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource File
"/opt/stack/heat/heat/engine/resource.py", line 2378, in FnGetRefId
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource return self.get_reference_id()
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource File
"/opt/stack/heat/heat/engine/resources/aws/cfn/wait_condition_handle.py", line
40, in get_reference_id
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource return
str(self._get_ec2_signed_url(signal_type=wc))
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource File
"/opt/stack/heat/heat/engine/resources/wait_condition.py", line 48, in
_get_ec2_signed_url
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource
self)._get_ec2_signed_url(signal_type)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource File
"/opt/stack/heat/heat/engine/resources/signal_responder.py", line 138, in
_get_ec2_signed_url
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource self._create_keypair()
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource File
"/opt/stack/heat/heat/engine/resources/stack_user.py", line 128, in
_create_keypair
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource kp =
self.keystone().create_stack_domain_user_keypair(
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource File
"/opt/stack/heat/heat/engine/clients/os/keystone/heat_keystoneclient.py", line
551, in create_stack_domain_user_keypair
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource creds =
self.domain_admin_client.credentials.create(
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource File
"/usr/local/lib/python3.10/dist-packages/keystoneclient/v3/credentials.py",
line 62, in create
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource return super(CredentialManager,
self).create(
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource File
"/usr/local/lib/python3.10/dist-packages/keystoneclient/base.py", line 85, in
func
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource return f(*args, **new_kwargs)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource File
"/usr/local/lib/python3.10/dist-packages/keystoneclient/base.py", line 381, in
create
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource return self._post(
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource File
"/usr/local/lib/python3.10/dist-packages/keystoneclient/base.py", line 191, in
_post
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource resp, body = self.client.post(url,
body=body, **kwargs)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource File
"/usr/local/lib/python3.10/dist-packages/keystoneauth1/adapter.py", line 399,
in post
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource return self.request(url, 'POST',
**kwargs)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource File
"/usr/local/lib/python3.10/dist-packages/keystoneauth1/adapter.py", line 552,
in request
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource resp = super(LegacyJsonAdapter,
self).request(*args, **kwargs)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource File
"/usr/local/lib/python3.10/dist-packages/keystoneauth1/adapter.py", line 255,
in request
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource return self.session.request(url,
method, **kwargs)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource File
"/usr/local/lib/python3.10/dist-packages/keystoneauth1/session.py", line 985,
in request
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource raise exceptions.from_response(resp,
method, url)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17 16:19:02.204
89702 TRACE heat.engine.check_resource keystoneauth1.exceptions.http.Forbidden:
You are not authorized to perform the requested action:
identity:create_credential. (HTTP 403) (Request-ID:
req-ff29e4ea-c6bc-48c5-88f4-fa4cb1893a87)
```
** Affects: keystone
Importance: Undecided
Status: In Progress
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2062045
Title:
Domain admin is not allowed to create credentials when scope
enforcement is enabled
Status in OpenStack Identity (keystone):
In Progress
Bug description:
Currently when [oslo_policy] enforce_scope is set to True along with
[oslo_policy] enforce_new_defaults = True, domain admins are not
allowed to manage credentials.
However, this limitation breaks heat, because heat requires creating
credentials (used, for example, by its notification mechanism) with
its own stack domain admin credential.
```
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: ERROR
heat.engine.check_resource [None req-f3f9047b-8ac5-46f0-b8df-eafa473cb252 demo
None] Unexpected exception in resource check.:
keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the
requested action: identity:create_credential. (HTTP 403) (Request-ID:
req-ff29e4ea-c6bc-48c5-88f4-fa4cb1893a87)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource Traceback (most recent call
last):
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource File
"/opt/stack/heat/heat/engine/check_resource.py", line 311, in check
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource
self._initiate_propagate_resource(cnxt, resource_id,
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource File
"/opt/stack/heat/heat/engine/check_resource.py", line 251, in
_initiate_propagate_resource
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource input_data =
_get_input_data(req_node, input_forward_data)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource File
"/opt/stack/heat/heat/engine/check_resource.py", line 233, in _get_input_data
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource return
rsrc.node_data().as_dict()
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource File
"/opt/stack/heat/heat/engine/resource.py", line 1154, in node_data
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource self.FnGetRefId(),
attribute_values,
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource File
"/opt/stack/heat/heat/engine/resource.py", line 2378, in FnGetRefId
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource return
self.get_reference_id()
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource File
"/opt/stack/heat/heat/engine/resources/aws/cfn/wait_condition_handle.py", line
40, in get_reference_id
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource return
str(self._get_ec2_signed_url(signal_type=wc))
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource File
"/opt/stack/heat/heat/engine/resources/wait_condition.py", line 48, in
_get_ec2_signed_url
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource
self)._get_ec2_signed_url(signal_type)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource File
"/opt/stack/heat/heat/engine/resources/signal_responder.py", line 138, in
_get_ec2_signed_url
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource self._create_keypair()
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource File
"/opt/stack/heat/heat/engine/resources/stack_user.py", line 128, in
_create_keypair
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource kp =
self.keystone().create_stack_domain_user_keypair(
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource File
"/opt/stack/heat/heat/engine/clients/os/keystone/heat_keystoneclient.py", line
551, in create_stack_domain_user_keypair
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource creds =
self.domain_admin_client.credentials.create(
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource File
"/usr/local/lib/python3.10/dist-packages/keystoneclient/v3/credentials.py",
line 62, in create
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource return
super(CredentialManager, self).create(
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource File
"/usr/local/lib/python3.10/dist-packages/keystoneclient/base.py", line 85, in
func
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource return f(*args,
**new_kwargs)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource File
"/usr/local/lib/python3.10/dist-packages/keystoneclient/base.py", line 381, in
create
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource return self._post(
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource File
"/usr/local/lib/python3.10/dist-packages/keystoneclient/base.py", line 191, in
_post
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource resp, body =
self.client.post(url, body=body, **kwargs)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource File
"/usr/local/lib/python3.10/dist-packages/keystoneauth1/adapter.py", line 399,
in post
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource return
self.request(url, 'POST', **kwargs)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource File
"/usr/local/lib/python3.10/dist-packages/keystoneauth1/adapter.py", line 552,
in request
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource resp =
super(LegacyJsonAdapter, self).request(*args, **kwargs)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource File
"/usr/local/lib/python3.10/dist-packages/keystoneauth1/adapter.py", line 255,
in request
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource return
self.session.request(url, method, **kwargs)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource File
"/usr/local/lib/python3.10/dist-packages/keystoneauth1/session.py", line 985,
in request
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource raise
exceptions.from_response(resp, method, url)
Apr 17 16:19:02.207067 np0037308484 heat-engine[89702]: 2024-04-17
16:19:02.204 89702 TRACE heat.engine.check_resource
keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the
requested action: identity:create_credential. (HTTP 403) (Request-ID:
req-ff29e4ea-c6bc-48c5-88f4-fa4cb1893a87)
```
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/2062045/+subscriptions