[mistral] cron triggers execution fails on identity:validate_token with non-admin users

Sa Pham saphi070 at gmail.com
Fri Sep 13 13:23:12 UTC 2019


Hi Francois,

You can try this patch: https://review.opendev.org/#/c/680858/

Sa Pham

On Thu, Sep 12, 2019 at 11:49 PM Francois Scheurer <
francois.scheurer at everyware.ch> wrote:

> Hello
>
>
>
> Apparently other people have the same issue and cannot use cron triggers
> anymore:
>
> https://bugs.launchpad.net/mistral/+bug/1843175
>
>
> We also tried with following patch installed but the same error persists:
>
>
> https://opendev.org/openstack/mistral/commit/6102c5251e29c1efe73c92935a051feff0f649c7?style=split
>
>
>
> Cheers
>
> Francois
>
>
>
>
> On 9/9/19 6:23 PM, Francois Scheurer wrote:
>
> Dear All
>
>
> We are using Mistral 7.0.1.1 with  Openstack Rocky. (with federated users)
>
> We can create and execute a workflow via horizon, but cron triggers always
> fail with this error:
>
>     {
>         "result":
>             "The action raised an exception [
>                     action_ex_id=ef878c48-d0ad-4564-9b7e-a06f07a70ded,
>                     action_cls='<class
> 'mistral.actions.action_factory.NovaAction'>',
>                     attributes='{u'client_method_name': u'servers.find'}',
>                     params='{
>                         u'action_region': u'ch-zh1',
>                         u'name': u'42724489-1912-44d1-9a59-6c7a4bebebfa'
>                     }'
>                 ]
>                 \n NovaAction.servers.find failed: You are not authorized
> to perform the requested action: identity:validate_token. (HTTP 403)
> (Request-ID: req-ec1aea36-c198-4307-bf01-58aca74fad33)
>             "
>     }
>
> Adding the role *admin* or *service* to the user logged in horizon is
> "fixing" the issue, I mean that the cron trigger then works as expected,
>
> but it would be obviously a bad idea to do this for all normal users ;-)
>
> So my question: is it a config problem on our side ? is it a known bug? or
> is it a feature in the sense that cron triggers are for normal users?
>
>
> After digging in the keystone debug logs (see at the end below), I found
> that RBAC check identity:validate_token an deny the authorization.
>
> But according to the policy.json (in keystone and in horizon), rule:owner
> should be enough to grant it...:
>
>             "identity:validate_token": "rule:service_admin_or_owner",
>                 "service_admin_or_owner": "rule:service_or_admin or
> rule:owner",
>                     "service_or_admin": "rule:admin_required or
> rule:service_role",
>                         "service_role": "role:service",
>                     "owner": "user_id:%(user_id)s or
> user_id:%(target.token.user_id)s",
>
> Thank you in advance for your help.
>
>
> Best Regards
>
> Francois Scheurer
>
>
>
>
> Keystone logs:
>
>         2019-09-05 09:38:00.902 29 DEBUG keystone.policy.backends.rules
> [req-1a276b9d-8276-4ec3-b516-f51f86cd1df6 fsc fscproject - testdom testdom]
>             enforce identity:validate_token:
>             {
>                'service_project_id':None,
>                'service_user_id':None,
>                'service_user_domain_id':None,
>                'service_project_domain_id':None,
>                'trustor_id':None,
>                'user_domain_id':u'testdom',
>                'domain_id':None,
>                'trust_id':u'mytrustid',
>                'project_domain_id':u'testdom',
>                'service_roles':[],
>                'group_ids':[],
>                'user_id':u'fsc',
>                'roles':[
>                   u'_member_',
>                   u'creator',
>                   u'reader',
>                   u'heat_stack_owner',
>                   u'member',
>                   u'load-balancer_member'],
>                'system_scope':None,
>                'trustee_id':None,
>                'domain_name':None,
>                'is_admin_project':True,
>                'token':<TokenModel (audit_id=0LAsW_0dQMWXh2cTZTLcWA,
> audit_chain_id=[u'0LAsW_0dQMWXh2cTZTLcWA']) at 0x7f208f4a3bd0>,
>                'project_id':u'fscproject'
>             } enforce
> /var/lib/kolla/venv/local/lib/python2.7/site-packages/keystone/policy/backends/rules.py:33
>         2019-09-05 09:38:00.920 29 WARNING keystone.common.wsgi
> [req-1a276b9d-8276-4ec3-b516-f51f86cd1df6 fsc fscproject - testdom testdom]
>             You are not authorized to perform the requested action:
> identity:validate_token.: *ForbiddenAction: You are not authorized to
> perform the requested action: identity:validate_token.*
>
> --
>
>
> EveryWare AG
> François Scheurer
> Senior Systems Engineer
> Zurlindenstrasse 52a
> CH-8003 Zürich
>
> tel: +41 44 466 60 00
> fax: +41 44 466 60 10
> mail: francois.scheurer at everyware.ch
> web: http://www.everyware.ch
>
> --
>
>
> EveryWare AG
> François Scheurer
> Senior Systems Engineer
> Zurlindenstrasse 52a
> CH-8003 Zürich
>
> tel: +41 44 466 60 00
> fax: +41 44 466 60 10
> mail: francois.scheurer at everyware.ch
> web: http://www.everyware.ch
>
>

-- 
Sa Pham Dang
Master Student - Soongsil University
Kakaotalk: sapd95
Skype: great_bn
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20190913/a8b54467/attachment-0001.html>


More information about the openstack-discuss mailing list