<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Dear All</p>
<p><br>
</p>
<p>We are using Mistral 7.0.1.1 with Openstack Rocky. (with
federated users)<br>
</p>
<p>We can create and execute a workflow via horizon, but cron
triggers always fail with this error:<br>
</p>
<p> {<br>
"result":<br>
"The action raised an exception [<br>
action_ex_id=ef878c48-d0ad-4564-9b7e-a06f07a70ded, <br>
action_cls='<class
'mistral.actions.action_factory.NovaAction'>', <br>
attributes='{u'client_method_name':
u'servers.find'}', <br>
params='{<br>
u'action_region': u'ch-zh1', <br>
u'name':
u'42724489-1912-44d1-9a59-6c7a4bebebfa'<br>
}'<br>
]<br>
\n NovaAction.servers.find failed: You are not
authorized to perform the requested action:
identity:validate_token. (HTTP 403) (Request-ID:
req-ec1aea36-c198-4307-bf01-58aca74fad33)<br>
"<br>
}<br>
</p>
<p>Adding the role <b>admin</b> or <b>service</b> to the user
logged in horizon is "fixing" the issue, I mean that the cron
trigger then works as expected, <br>
</p>
<p>but it would be obviously a bad idea to do this for all normal
users ;-)</p>
<p>So my question: is it a config problem on our side ? is it a
known bug? or is it a feature in the sense that cron triggers are
for normal users?<br>
</p>
<p><br>
</p>
<p>After digging in the keystone debug logs (see at the end below),
I found that RBAC check identity:validate_token an deny the
authorization.<br>
</p>
<p>But according to the policy.json (in keystone and in horizon),
rule:owner should be enough to grant it...:<br>
</p>
<p> "identity:validate_token":
"rule:service_admin_or_owner",<br>
"service_admin_or_owner": "rule:service_or_admin
or rule:owner",<br>
"service_or_admin": "rule:admin_required or
rule:service_role",<br>
"service_role": "role:service",<br>
"owner": "user_id:%(user_id)s or
user_id:%(target.token.user_id)s",<br>
</p>
<p>Thank you in advance for your help.</p>
<p><br>
</p>
<p>Best Regards<br>
</p>
<p>Francois Scheurer<br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<p>Keystone logs:<br>
</p>
<p> 2019-09-05 09:38:00.902 29 DEBUG
keystone.policy.backends.rules
[req-1a276b9d-8276-4ec3-b516-f51f86cd1df6 fsc fscproject - testdom
testdom]<br>
enforce identity:validate_token: <br>
{<br>
'service_project_id':None,<br>
'service_user_id':None,<br>
'service_user_domain_id':None,<br>
'service_project_domain_id':None,<br>
'trustor_id':None,<br>
'user_domain_id':u'testdom',<br>
'domain_id':None,<br>
'trust_id':u'mytrustid',<br>
'project_domain_id':u'testdom',<br>
'service_roles':[],<br>
'group_ids':[],<br>
'user_id':u'fsc',<br>
'roles':[<br>
u'_member_',<br>
u'creator',<br>
u'reader',<br>
u'heat_stack_owner',<br>
u'member',<br>
u'load-balancer_member'],<br>
'system_scope':None,<br>
'trustee_id':None,<br>
'domain_name':None,<br>
'is_admin_project':True,<br>
'token':<TokenModel
(audit_id=0LAsW_0dQMWXh2cTZTLcWA,
audit_chain_id=[u'0LAsW_0dQMWXh2cTZTLcWA']) at 0x7f208f4a3bd0>,<br>
'project_id':u'fscproject'<br>
} enforce
/var/lib/kolla/venv/local/lib/python2.7/site-packages/keystone/policy/backends/rules.py:33<br>
2019-09-05 09:38:00.920 29 WARNING keystone.common.wsgi
[req-1a276b9d-8276-4ec3-b516-f51f86cd1df6 fsc fscproject - testdom
testdom] <br>
You are not authorized to perform the requested
action: identity:validate_token.: <b>ForbiddenAction: You are not
authorized to perform the requested action:
identity:validate_token.</b></p>
<br>
<pre class="moz-signature" cols="72">--
EveryWare AG
François Scheurer
Senior Systems Engineer
Zurlindenstrasse 52a
CH-8003 Zürich
tel: +41 44 466 60 00
fax: +41 44 466 60 10
mail: <a class="moz-txt-link-abbreviated" href="mailto:francois.scheurer@everyware.ch">francois.scheurer@everyware.ch</a>
web: <a class="moz-txt-link-freetext" href="http://www.everyware.ch">http://www.everyware.ch</a> </pre>
</body>
</html>