<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi Sa Pham</p>
<p><br>
</p>
<p>Yes this is the good one.</p>
<p>Bo Tran pointed it to me yesterday as well and it fixed the
issue.<br>
</p>
<p>See also: <a class="moz-txt-link-freetext" href="https://bugs.launchpad.net/mistral/+bug/1843175">https://bugs.launchpad.net/mistral/+bug/1843175</a></p>
<p>Many Thanks to both of you !<br>
</p>
<p><br>
</p>
<p>Best Regards</p>
<p>Francois Scheurer<br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 9/13/19 3:23 PM, Sa Pham wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAA1DRzmR9zXVnMPoyzu4pCZqPLETbQq+ZvA4WvgD91RAc6B9bw@mail.gmail.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<div dir="ltr">Hi Francois,
<div><br>
</div>
<div>You can try this patch: <a
href="https://review.opendev.org/#/c/680858/"
moz-do-not-send="true">https://review.opendev.org/#/c/680858/</a></div>
<div><br>
</div>
<div>Sa Pham</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, Sep 12, 2019 at 11:49
PM Francois Scheurer <<a
href="mailto:francois.scheurer@everyware.ch"
moz-do-not-send="true">francois.scheurer@everyware.ch</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p>Hello <br>
</p>
<p><br>
</p>
<p><br>
</p>
<p>Apparently other people have the same issue and cannot
use cron triggers anymore:</p>
<p><a
class="gmail-m_8805621447070179352moz-txt-link-freetext"
href="https://bugs.launchpad.net/mistral/+bug/1843175"
target="_blank" moz-do-not-send="true">https://bugs.launchpad.net/mistral/+bug/1843175</a></p>
<p><br>
</p>
<p>We also tried with following patch installed but the same
error persists:<br>
</p>
<p><a
class="gmail-m_8805621447070179352moz-txt-link-freetext"
href="https://opendev.org/openstack/mistral/commit/6102c5251e29c1efe73c92935a051feff0f649c7?style=split"
target="_blank" moz-do-not-send="true">https://opendev.org/openstack/mistral/commit/6102c5251e29c1efe73c92935a051feff0f649c7?style=split</a><br>
</p>
<p><br>
</p>
<p><br>
</p>
<p>Cheers</p>
<p>Francois<br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<div class="gmail-m_8805621447070179352moz-cite-prefix">On
9/9/19 6:23 PM, Francois Scheurer wrote:<br>
</div>
<blockquote type="cite">
<p>Dear All</p>
<p><br>
</p>
<p>We are using Mistral 7.0.1.1 with Openstack Rocky.
(with federated users)<br>
</p>
<p>We can create and execute a workflow via horizon, but
cron triggers always fail with this error:<br>
</p>
<p> {<br>
"result":<br>
"The action raised an exception [<br>
action_ex_id=ef878c48-d0ad-4564-9b7e-a06f07a70ded, <br>
action_cls='<class
'mistral.actions.action_factory.NovaAction'>', <br>
attributes='{u'client_method_name':
u'servers.find'}', <br>
params='{<br>
u'action_region': u'ch-zh1', <br>
u'name':
u'42724489-1912-44d1-9a59-6c7a4bebebfa'<br>
}'<br>
]<br>
\n NovaAction.servers.find failed: You
are not authorized to perform the requested action:
identity:validate_token. (HTTP 403) (Request-ID:
req-ec1aea36-c198-4307-bf01-58aca74fad33)<br>
"<br>
}<br>
</p>
<p>Adding the role <b>admin</b> or <b>service</b> to the
user logged in horizon is "fixing" the issue, I mean
that the cron trigger then works as expected, <br>
</p>
<p>but it would be obviously a bad idea to do this for all
normal users ;-)</p>
<p>So my question: is it a config problem on our side ? is
it a known bug? or is it a feature in the sense that
cron triggers are for normal users?<br>
</p>
<p><br>
</p>
<p>After digging in the keystone debug logs (see at the
end below), I found that RBAC check
identity:validate_token an deny the authorization.<br>
</p>
<p>But according to the policy.json (in keystone and in
horizon), rule:owner should be enough to grant it...:<br>
</p>
<p> "identity:validate_token":
"rule:service_admin_or_owner",<br>
"service_admin_or_owner":
"rule:service_or_admin or rule:owner",<br>
"service_or_admin":
"rule:admin_required or rule:service_role",<br>
"service_role": "role:service",<br>
"owner": "user_id:%(user_id)s or
user_id:%(target.token.user_id)s",<br>
</p>
<p>Thank you in advance for your help.</p>
<p><br>
</p>
<p>Best Regards<br>
</p>
<p>Francois Scheurer<br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><br>
</p>
<p>Keystone logs:<br>
</p>
<p> 2019-09-05 09:38:00.902 29 DEBUG
keystone.policy.backends.rules
[req-1a276b9d-8276-4ec3-b516-f51f86cd1df6 fsc fscproject
- testdom testdom]<br>
enforce identity:validate_token: <br>
{<br>
'service_project_id':None,<br>
'service_user_id':None,<br>
'service_user_domain_id':None,<br>
'service_project_domain_id':None,<br>
'trustor_id':None,<br>
'user_domain_id':u'testdom',<br>
'domain_id':None,<br>
'trust_id':u'mytrustid',<br>
'project_domain_id':u'testdom',<br>
'service_roles':[],<br>
'group_ids':[],<br>
'user_id':u'fsc',<br>
'roles':[<br>
u'_member_',<br>
u'creator',<br>
u'reader',<br>
u'heat_stack_owner',<br>
u'member',<br>
u'load-balancer_member'],<br>
'system_scope':None,<br>
'trustee_id':None,<br>
'domain_name':None,<br>
'is_admin_project':True,<br>
'token':<TokenModel
(audit_id=0LAsW_0dQMWXh2cTZTLcWA,
audit_chain_id=[u'0LAsW_0dQMWXh2cTZTLcWA']) at
0x7f208f4a3bd0>,<br>
'project_id':u'fscproject'<br>
} enforce
/var/lib/kolla/venv/local/lib/python2.7/site-packages/keystone/policy/backends/rules.py:33<br>
2019-09-05 09:38:00.920 29 WARNING
keystone.common.wsgi
[req-1a276b9d-8276-4ec3-b516-f51f86cd1df6 fsc fscproject
- testdom testdom] <br>
You are not authorized to perform the
requested action: identity:validate_token.: <b>ForbiddenAction:
You are not authorized to perform the requested
action: identity:validate_token.</b></p>
<br>
<pre class="gmail-m_8805621447070179352moz-signature" cols="72">--
EveryWare AG
François Scheurer
Senior Systems Engineer
Zurlindenstrasse 52a
CH-8003 Zürich
tel: +41 44 466 60 00
fax: +41 44 466 60 10
mail: <a class="gmail-m_8805621447070179352moz-txt-link-abbreviated" href="mailto:francois.scheurer@everyware.ch" target="_blank" moz-do-not-send="true">francois.scheurer@everyware.ch</a>
web: <a class="gmail-m_8805621447070179352moz-txt-link-freetext" href="http://www.everyware.ch" target="_blank" moz-do-not-send="true">http://www.everyware.ch</a> </pre>
</blockquote>
<pre class="gmail-m_8805621447070179352moz-signature" cols="72">--
EveryWare AG
François Scheurer
Senior Systems Engineer
Zurlindenstrasse 52a
CH-8003 Zürich
tel: +41 44 466 60 00
fax: +41 44 466 60 10
mail: <a class="gmail-m_8805621447070179352moz-txt-link-abbreviated" href="mailto:francois.scheurer@everyware.ch" target="_blank" moz-do-not-send="true">francois.scheurer@everyware.ch</a>
web: <a class="gmail-m_8805621447070179352moz-txt-link-freetext" href="http://www.everyware.ch" target="_blank" moz-do-not-send="true">http://www.everyware.ch</a> </pre>
</div>
</blockquote>
</div>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr" class="gmail_signature">
<div dir="ltr">
<div>
<div dir="ltr">Sa Pham Dang<br>
</div>
<div dir="ltr">Master Student - Soongsil University<br>
<div>Kakaotalk: sapd95</div>
<div>Skype: great_bn</div>
<div><br>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
EveryWare AG
François Scheurer
Senior Systems Engineer
Zurlindenstrasse 52a
CH-8003 Zürich
tel: +41 44 466 60 00
fax: +41 44 466 60 10
mail: <a class="moz-txt-link-abbreviated" href="mailto:francois.scheurer@everyware.ch">francois.scheurer@everyware.ch</a>
web: <a class="moz-txt-link-freetext" href="http://www.everyware.ch">http://www.everyware.ch</a> </pre>
</body>
</html>