Open Stack

Hi Greg,

Can you revisit your policy configuration and try again?

See here:
http://git.openstack.org/cgit/openstack/magnum/plain/etc/magnum/policy.json?h=stable/newton

Cheers,
Spyros


On 22 September 2017 at 13:49, Waines, Greg <Greg.Waines at windriver.com> wrote:
> Just another note on this ...
>
>
>
> We have
>
> ·         setup a ‘magnum’ domain, and
>
> ·         setup a ‘trustee_domain_admin’ user within that domain, and
>
> ·         gave that user and domain the admin role, and     ß actually not
> 100% sure about this
>
> ·         referenced these items in magnum.conf
>
> o    i.e. trustee_domain_name, trustee_domain_admin_name,
> trustee_domain_admin_password
>
>
>
> ... but still seeing the trust_domain_id issue in the admin context (see
> email below).
>
>
>
> let me know if anyone has some ideas on issue or next steps to look at,
>
> Greg.
>
>
>
>
>
> From: Greg Waines <Greg.Waines at windriver.com>
> Reply-To: "openstack-dev at lists.openstack.org"
> <openstack-dev at lists.openstack.org>
> Date: Wednesday, September 20, 2017 at 12:20 PM
> To: "openstack-dev at lists.openstack.org" <openstack-dev at lists.openstack.org>
> Cc: "Sun, Yicheng (Jerry)" <Jerry.Sun at windriver.com>
> Subject: [openstack-dev] [magnum] issue with
> admin_osc.keystone().trustee_domain_id
>
>
>
> We are in the process of integrating MAGNUM into our OpenStack distribution.
>
> We are working with NEWTON version of MAGNUM.
>
> We have the MAGNUM processes up and running and configured.
>
>
>
> However we are seeing the following error (see stack trace below) on
> virtually all MAGNUM CLI calls.
>
>
>
> The code where the stack trace is triggered:
>
> def add_policy_attributes(target):
>
>     """Adds extra information for policy enforcement to raw target object"""
>
>     admin_context = context.make_admin_context()
>
>     admin_osc = clients.OpenStackClients(admin_context)
>
>     trustee_domain_id = admin_osc.keystone().trustee_domain_id
>
>     target['trustee_domain_id'] = trustee_domain_id
>
>     return target
>
>
>
> ( NOTE: that this code was introduced upstream as part of a fix for
> CVE-2016-7404:
>
> https://github.com/openstack/magnum/commit/2d4e617a529ea12ab5330f12631f44172a623a14
> )
>
>
>
> Stack Trace:
>
> File "/usr/lib/python2.7/site-packages/wsmeext/pecan.py", line 84, in
> callfunction
>
>     result = f(self, *args, **kwargs)
>
>
>
>   File "<string>", line 2, in get_all
>
>
>
>   File "/usr/lib/python2.7/site-packages/magnum/common/policy.py", line 130,
> in wrapper
>
>     exc=exception.PolicyNotAuthorized, action=action)
>
>
>
>   File "/usr/lib/python2.7/site-packages/magnum/common/policy.py", line 97,
> in enforce
>
>     #    add_policy_attributes(target)
>
>
>
>   File "/usr/lib/python2.7/site-packages/magnum/common/policy.py", line 106,
> in add_policy_attributes
>
>     trustee_domain_id = admin_osc.keystone().trustee_domain_id
>
>
>
>   File "/usr/lib/python2.7/site-packages/magnum/common/keystone.py", line
> 237, in trustee_domain_id
>
>     self.domain_admin_session
>
>
>
>   File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/base.py",
> line 136, in get_access
>
>     self.auth_ref = self.get_auth_ref(session)
>
>
>
>   File "/usr/lib/python2.7/site-packages/keystoneauth1/identity/v3/base.py",
> line 167, in get_auth_ref
>
>     authenticated=False, log=False, **rkwargs)
>
>
>
>   File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line
> 681, in post
>
>     return self.request(url, 'POST', **kwargs)
>
>
>
>   File "/usr/lib/python2.7/site-packages/positional/__init__.py", line 101,
> in inner
>
>     return wrapped(*args, **kwargs)
>
>
>
>   File "/usr/lib/python2.7/site-packages/keystoneauth1/session.py", line
> 570, in request
>
>     raise exceptions.from_response(resp, method, url)
>
>
>
> NotFound: The resource could not be found. (HTTP 404)
>
>
>
>
>
> Any ideas on what our issue could be ?
>
> Or next steps to investigate ?
>
>
>
> thanks in advance,
>
> Greg.
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>