<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Hello <br>
    </p>
    <p><br>
    </p>
    <p><br>
    </p>
    <p>Apparently other people have the same issue and cannot use cron
      triggers anymore:</p>
    <p><a class="moz-txt-link-freetext" href="https://bugs.launchpad.net/mistral/+bug/1843175">https://bugs.launchpad.net/mistral/+bug/1843175</a></p>
    <p><br>
    </p>
    <p>We also tried with the following patch installed, but the same error
      persists:<br>
    </p>
    <p><a class="moz-txt-link-freetext" href="https://opendev.org/openstack/mistral/commit/6102c5251e29c1efe73c92935a051feff0f649c7?style=split">https://opendev.org/openstack/mistral/commit/6102c5251e29c1efe73c92935a051feff0f649c7?style=split</a><br>
    </p>
    <p><br>
    </p>
    <p><br>
    </p>
    <p>Cheers</p>
    <p>Francois<br>
    </p>
    <p><br>
    </p>
    <p><br>
    </p>
    <p><br>
    </p>
    <div class="moz-cite-prefix">On 9/9/19 6:23 PM, Francois Scheurer
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:241f5d5e-8b21-9081-c1d1-66e908047335@everyware.ch">
      <p>Dear All</p>
      <p><br>
      </p>
      <p>We are using Mistral 7.0.1.1 with Openstack Rocky (with
        federated users).<br>
      </p>
      <p>We can create and execute a workflow via horizon, but cron
        triggers always fail with this error:<br>
      </p>
      <pre>{
    "result":
        "The action raised an exception [
            action_ex_id=ef878c48-d0ad-4564-9b7e-a06f07a70ded,
            action_cls='&lt;class 'mistral.actions.action_factory.NovaAction'&gt;',
            attributes='{u'client_method_name': u'servers.find'}',
            params='{
                u'action_region': u'ch-zh1',
                u'name': u'42724489-1912-44d1-9a59-6c7a4bebebfa'
            }'
        ]
        \n NovaAction.servers.find failed: You are not authorized to perform the requested action: identity:validate_token. (HTTP 403) (Request-ID: req-ec1aea36-c198-4307-bf01-58aca74fad33)
        "
}</pre>
      <p>Adding the role <b>admin</b> or <b>service</b> to the user
        logged in to horizon "fixes" the issue, I mean that the cron
        trigger then works as expected, but it would obviously be a bad
        idea to do this for all normal users ;-)</p>
      <p>So my question: is it a config problem on our side? Is it a
        known bug? Or is it a feature in the sense that cron triggers
        are for normal users?<br>
      </p>
      <p><br>
      </p>
      <p>After digging in the keystone debug logs (see at the end
        below), I found that the RBAC check identity:validate_token denies
        the authorization.<br>
      </p>
      <p>But according to the policy.json (in keystone and in horizon),
        rule:owner should be enough to grant it...:<br>
      </p>
      <pre>"identity:validate_token": "rule:service_admin_or_owner",
    "service_admin_or_owner": "rule:service_or_admin or rule:owner",
        "service_or_admin": "rule:admin_required or rule:service_role",
            "service_role": "role:service",
        "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",</pre>
      <p>Thank you in advance for your help.</p>
      <p><br>
      </p>
      <p>Best Regards<br>
      </p>
      <p>Francois Scheurer<br>
      </p>
      <p><br>
      </p>
      <p><br>
      </p>
      <p><br>
      </p>
      <p>Keystone logs:<br>
      </p>
      <pre>2019-09-05 09:38:00.902 29 DEBUG keystone.policy.backends.rules [req-1a276b9d-8276-4ec3-b516-f51f86cd1df6 fsc fscproject - testdom testdom]
    enforce identity:validate_token:
    {
       'service_project_id':None,
       'service_user_id':None,
       'service_user_domain_id':None,
       'service_project_domain_id':None,
       'trustor_id':None,
       'user_domain_id':u'testdom',
       'domain_id':None,
       'trust_id':u'mytrustid',
       'project_domain_id':u'testdom',
       'service_roles':[],
       'group_ids':[],
       'user_id':u'fsc',
       'roles':[
          u'_member_',
          u'creator',
          u'reader',
          u'heat_stack_owner',
          u'member',
          u'load-balancer_member'],
       'system_scope':None,
       'trustee_id':None,
       'domain_name':None,
       'is_admin_project':True,
       'token':&lt;TokenModel (audit_id=0LAsW_0dQMWXh2cTZTLcWA, audit_chain_id=[u'0LAsW_0dQMWXh2cTZTLcWA']) at 0x7f208f4a3bd0&gt;,
       'project_id':u'fscproject'
    } enforce /var/lib/kolla/venv/local/lib/python2.7/site-packages/keystone/policy/backends/rules.py:33
2019-09-05 09:38:00.920 29 WARNING keystone.common.wsgi [req-1a276b9d-8276-4ec3-b516-f51f86cd1df6 fsc fscproject - testdom testdom]
    You are not authorized to perform the requested action: identity:validate_token.: <b>ForbiddenAction: You are not authorized to perform the requested action: identity:validate_token.</b></pre>
      <br>
      <pre class="moz-signature" cols="72">-- 


EveryWare AG
François Scheurer
Senior Systems Engineer
Zurlindenstrasse 52a
CH-8003 Zürich

tel: +41 44 466 60 00
fax: +41 44 466 60 10
mail: <a class="moz-txt-link-abbreviated" href="mailto:francois.scheurer@everyware.ch" moz-do-not-send="true">francois.scheurer@everyware.ch</a>
web: <a class="moz-txt-link-freetext" href="http://www.everyware.ch" moz-do-not-send="true">http://www.everyware.ch</a> </pre>
    </blockquote>
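    <p>Added example, not part of the thread and not Keystone, oslo.policy or
      Mistral code: a minimal re-implementation of the rule syntax used by the
      policy.json fragment quoted above (<code>rule:</code>, <code>role:</code>,
      generic <code>creds_key:%(target_key)s</code> terms, joined by
      <code>or</code>/<code>and</code>), run against the enforcement context from
      the quoted Keystone DEBUG line. It shows which term the decision actually
      rests on: for the validate_token call the target only carries the subject
      token's fields, so the first <code>owner</code> term cannot match and the
      outcome depends entirely on <code>target.token.user_id</code> equalling the
      caller's <code>user_id</code>, unless the caller holds <code>service</code>
      or <code>admin</code>, which is exactly what the original post observed.
      Assumptions: the <code>admin_required</code> rule (not shown in the thread)
      is the stock Keystone default; Keystone flattens the target into dotted
      keys such as <code>target.token.user_id</code>; and why that token would
      belong to a different user in the cron-trigger path is not established by
      the thread, the example only illustrates the policy mechanics.</p>

```python
# Added illustration of oslo.policy-style rule evaluation. This is NOT
# oslo.policy, Keystone or Mistral code; it implements only the subset of
# the rule language that the quoted policy.json fragment uses.

POLICY = {
    # Rules exactly as quoted in the original post.
    "identity:validate_token": "rule:service_admin_or_owner",
    "service_admin_or_owner": "rule:service_or_admin or rule:owner",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "service_role": "role:service",
    "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
    # Not shown in the thread; assumed to be the stock Keystone default.
    "admin_required": "role:admin or is_admin:1",
}

# Enforcement context reconstructed from the Keystone DEBUG line in the thread.
CREDS = {
    "user_id": "fsc",
    "project_id": "fscproject",
    "user_domain_id": "testdom",
    "project_domain_id": "testdom",
    "trust_id": "mytrustid",
    "roles": ["_member_", "creator", "reader", "heat_stack_owner",
              "member", "load-balancer_member"],
    "is_admin_project": True,
}


def check_atom(atom, creds, target, policy):
    """Evaluate one 'kind:match' term with oslo.policy semantics."""
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return check_rule(policy[match], creds, target, policy)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # Generic check: expand %(...)s from the (flattened) target, then compare
    # with the credential of the same name. A target key that is absent, or a
    # credential that is absent, makes the term fail rather than raise.
    try:
        expected = match % target
    except KeyError:
        return False
    if kind not in creds:
        return False
    return str(creds[kind]) == expected


def check_rule(expr, creds, target, policy):
    """'and' binds tighter than 'or'; no parentheses (enough for these rules)."""
    return any(
        all(check_atom(atom.strip(), creds, target, policy)
            for atom in disjunct.split(" and "))
        for disjunct in expr.split(" or ")
    )


def enforce(action, creds, target, policy=POLICY):
    return check_rule(policy[action], creds, target, policy)


def validate_token_allowed(token_owner, extra_roles=()):
    """Decide identity:validate_token for the thread's caller validating a
    token that belongs to `token_owner`.

    Assumption: for this API the target holds only the subject token's fields,
    flattened with a 'target.' prefix, so there is no plain 'user_id' key and
    the first term of the 'owner' rule can never match.
    """
    creds = dict(CREDS, roles=list(CREDS["roles"]) + list(extra_roles))
    target = {"target.token.user_id": token_owner}
    return enforce("identity:validate_token", creds, target)


if __name__ == "__main__":
    # Own token: the owner rule matches.
    print(validate_token_allowed("fsc"))
    # Someone else's token with only the roles from the log: denied, the
    # same outcome as the HTTP 403 in the thread.
    print(validate_token_allowed("another-user"))
    # Same call after granting 'service' or 'admin': allowed via service_or_admin.
    print(validate_token_allowed("another-user", ["service"]))
    print(validate_token_allowed("another-user", ["admin"]))
```

    <p>The useful check when debugging a 403 like this one is therefore not the
      caller's role list, which the log already shows, but the value of
      <code>target.token.user_id</code> on the token being validated: if it is
      not the caller's own user id, nothing short of the <code>service</code> or
      <code>admin</code> role satisfies the quoted rule set.</p>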
  </body>
</html>