[mistral] cron triggers execution fails on identity:validate_token with non-admin users

Francois Scheurer francois.scheurer at everyware.ch
Mon Sep 9 16:23:08 UTC 2019


Dear All


We are using Mistral 7.0.1.1 with OpenStack Rocky (with federated users).

We can create and execute a workflow via horizon, but cron triggers 
always fail with this error:

     {
         "result":
             "The action raised an exception [
action_ex_id=ef878c48-d0ad-4564-9b7e-a06f07a70ded,
                     action_cls='<class 
'mistral.actions.action_factory.NovaAction'>',
                     attributes='{u'client_method_name': u'servers.find'}',
                     params='{
                         u'action_region': u'ch-zh1',
                         u'name': u'42724489-1912-44d1-9a59-6c7a4bebebfa'
                     }'
                 ]
                 \n NovaAction.servers.find failed: You are not 
authorized to perform the requested action: identity:validate_token. 
(HTTP 403) (Request-ID: req-ec1aea36-c198-4307-bf01-58aca74fad33)
             "
     }

Adding the role *admin* or *service* to the user logged in to Horizon is 
"fixing" the issue, I mean that the cron trigger then works as expected, 
but it would obviously be a bad idea to do this for all normal users ;-)

So my question: is it a config problem on our side? Is it a known bug? 
Or is it a feature in the sense that cron triggers are for normal users?


After digging in the keystone debug logs (see at the end below), I found 
that the RBAC check identity:validate_token can deny the authorization.

But according to the policy.json (in keystone and in horizon), 
rule:owner should be enough to grant it...:

    "identity:validate_token": "rule:service_admin_or_owner",
    "service_admin_or_owner": "rule:service_or_admin or rule:owner",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "service_role": "role:service",
    "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",

Thank you in advance for your help.


Best Regards

Francois Scheurer




Keystone logs:

         2019-09-05 09:38:00.902 29 DEBUG keystone.policy.backends.rules 
[req-1a276b9d-8276-4ec3-b516-f51f86cd1df6 fsc fscproject - testdom testdom]
             enforce identity:validate_token:
             {
                'service_project_id':None,
                'service_user_id':None,
                'service_user_domain_id':None,
                'service_project_domain_id':None,
                'trustor_id':None,
                'user_domain_id':u'testdom',
                'domain_id':None,
                'trust_id':u'mytrustid',
                'project_domain_id':u'testdom',
                'service_roles':[],
                'group_ids':[],
                'user_id':u'fsc',
                'roles':[
                   u'_member_',
                   u'creator',
                   u'reader',
                   u'heat_stack_owner',
                   u'member',
                   u'load-balancer_member'],
                'system_scope':None,
                'trustee_id':None,
                'domain_name':None,
                'is_admin_project':True,
                'token':<TokenModel (audit_id=0LAsW_0dQMWXh2cTZTLcWA, 
audit_chain_id=[u'0LAsW_0dQMWXh2cTZTLcWA']) at 0x7f208f4a3bd0>,
                'project_id':u'fscproject'
             } enforce 
/var/lib/kolla/venv/local/lib/python2.7/site-packages/keystone/policy/backends/rules.py:33
         2019-09-05 09:38:00.920 29 WARNING keystone.common.wsgi 
[req-1a276b9d-8276-4ec3-b516-f51f86cd1df6 fsc fscproject - testdom testdom]
             You are not authorized to perform the requested action: 
identity:validate_token.: *ForbiddenAction: You are not authorized to 
perform the requested action: identity:validate_token.*


-- 


EveryWare AG
François Scheurer
Senior Systems Engineer
Zurlindenstrasse 52a
CH-8003 Zürich

tel: +41 44 466 60 00
fax: +41 44 466 60 10
mail: francois.scheurer at everyware.ch
web: http://www.everyware.ch
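To see exactly which inputs the quoted identity:validate_token rules require, the following is an added example written for this page; it is not keystone or oslo.policy code and not part of the original post. It re-implements just the slice of oslo.policy rule syntax the quoted policy.json uses ("or", "rule:", "role:", and generic "cred:%(target_key)s" comparisons), loads the five rules from the post verbatim, and evaluates them against the credential dict printed in the keystone debug log. The `admin_required` rule, the target dict (keystone passes the token being validated as `target.token.*`, but the quoted log does not print the target), and the `other-user` token owner are assumptions made for the example.

```python
"""Offline re-evaluation of the identity:validate_token policy quoted in the post.

Added example, not keystone/oslo.policy code.  It mimics oslo.policy's
semantics for the rule subset used here:
  - "a or b"            : any clause may pass; "and" binds tighter than "or"
  - "rule:<name>"       : evaluate another named rule
  - "role:<name>"       : case-insensitive membership test in creds["roles"]
  - "<cred>:%(<key>)s"  : format the right-hand side with the *target* dict,
                          then compare with creds[<cred>]; a missing target
                          key makes the check fail (KeyError -> False)
"""

# The policy.json fragment from the post, verbatim.
POLICY = {
    "identity:validate_token": "rule:service_admin_or_owner",
    "service_admin_or_owner": "rule:service_or_admin or rule:owner",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "service_role": "role:service",
    "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
    # Not quoted in the post; assumed to be a plain admin-role check.
    "admin_required": "role:admin",
}


def _generic(kind, match, creds, target):
    """GenericCheck: substitute target values into the match string, then
    compare the result with the credential named on the left-hand side."""
    try:
        expected = match % target        # e.g. "%(target.token.user_id)s"
    except KeyError:
        return False                     # target lacks the key: check fails
    return kind in creds and str(creds[kind]) == expected


def _atom(atom, creds, target):
    """Evaluate one 'kind:value' check."""
    kind, _, value = atom.strip().partition(":")
    if kind == "rule":
        return evaluate(value, creds, target)
    if kind == "role":
        return value.lower() in [r.lower() for r in creds.get("roles", [])]
    return _generic(kind, value, creds, target)


def evaluate(rule_name, creds, target):
    """Evaluate a named rule; an unknown rule name is treated as a failed check."""
    expr = POLICY.get(rule_name)
    if expr is None:
        return False
    return any(
        all(_atom(a, creds, target) for a in clause.split(" and "))
        for clause in expr.split(" or ")
    )


# Credentials as printed in the quoted keystone debug log (non-admin user).
CALLER = {
    "user_id": "fsc",
    "project_id": "fscproject",
    "user_domain_id": "testdom",
    "trust_id": "mytrustid",
    "roles": ["_member_", "creator", "reader", "heat_stack_owner",
              "member", "load-balancer_member"],
}

# Same user after the "admin" role is added, as the post describes.
ADMIN_CALLER = dict(CALLER, roles=CALLER["roles"] + ["admin"])


def validate_token_allowed(creds, target_user_id=None, token_owner_id=None):
    """Build a constructed target dict and run identity:validate_token.

    target_user_id  -> fills %(user_id)s
    token_owner_id  -> fills %(target.token.user_id)s (owner of the token
                       being validated).  Keys left as None are omitted,
                       which makes the corresponding owner check fail.
    """
    target = {}
    if target_user_id is not None:
        target["user_id"] = target_user_id
    if token_owner_id is not None:
        target["target.token.user_id"] = token_owner_id
    return evaluate("identity:validate_token", creds, target)


if __name__ == "__main__":
    # Validating a token that belongs to the caller: owner rule passes.
    print(validate_token_allowed(CALLER, token_owner_id="fsc"))          # True
    # Token owned by someone else, no admin/service role: the 403 case.
    print(validate_token_allowed(CALLER, token_owner_id="other-user"))   # False
    # Target dict without either user_id key: owner can never match.
    print(validate_token_allowed(CALLER))                                # False
    # Adding the admin role short-circuits via service_or_admin.
    print(validate_token_allowed(ADMIN_CALLER, token_owner_id="other-user"))  # True
```

The useful check this gives a practitioner is the third case: `rule:owner` can only pass if keystone's target dict actually carries `user_id` or `target.token.user_id` equal to the caller's `user_id`. The quoted debug line prints the credentials but not the target, so to tell whether the denial comes from a mismatched token owner or from a target that simply lacks those keys, the target passed to `enforce` has to be logged as well.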
