<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Hi Renat</p>
    <p><br>
    </p>
    <p>The issue with cron triggers and identity:validate_token was
      fixed with the above patch.</p>
    <p>We could then use cron triggers for instance with
      nova.servers_create_image or cinder.volume_snapshots_create with
      success.</p>
    <p><br>
    </p>
    <p>But we hit another issue with cinder.backups_create.</p>
    <p>This call stores the backup on our swift backend (ceph rgw).</p>
    <p>The workflow works when executed directly</p>
    <p>but it fails when executed via cron trigger:</p>
    <pre>2019-09-17 10:46:04.525 8 ERROR oslo_messaging.rpc.server ClientException: Container PUT failed: <a class="moz-txt-link-freetext" href="http://rgw.service.stage.i.ewcs.ch/swift/v1/AUTH_aeac4b07d8b144178c43c65f29fa9dac/volumebackups">http://rgw.service.stage.i.ewcs.ch/swift/v1/AUTH_aeac4b07d8b144178c43c65f29fa9dac/volumebackups</a> 401 Unauthorized   AccessDenied</pre>
    <p><br>
    </p>
    <p>I will repost this under the subject "cron triggers execution fails
      with cinder.volume_snapshots_create", as this is a separate issue.<br>
    </p>
    <p><br>
    </p>
    <p><br>
    </p>
    <p>Cheers</p>
    <p>Francois<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 9/16/19 5:23 AM, Renat Akhmerov
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:46c4523f-8d63-4c13-898c-a636f38054f5@Spark">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <title></title>
      <div name="messageBodySection">
        <div dir="auto">Hi!
          <div dir="auto"><br>
          </div>
          <div dir="auto">Are you aware of other issues with cron
            triggers and trusts? I’d like to reconcile all of that
            somehow. The users who I personally work with don’t use cron
            triggers so I don’t have that much practical experience with
            them.</div>
        </div>
      </div>
      <div name="messageSignatureSection"><br>
        <div class="matchFont">Thanks<br>
          <br>
          Renat Akhmerov<br>
          @Nokia</div>
      </div>
      <div name="messageReplySection">On 13 Sep 2019, 20:34 +0700,
        Francois Scheurer <a class="moz-txt-link-rfc2396E" href="mailto:francois.scheurer@everyware.ch"><francois.scheurer@everyware.ch></a>, wrote:<br>
        <blockquote type="cite" class="spark_quote" style="margin: 5px
          5px; padding-left: 10px; border-left: thin solid #1abc9c;">
          <p>Hi Sa Pham</p>
          <p><br>
          </p>
          <p>Yes this is the good one.</p>
          <p>Bo Tran pointed it to me yesterday as well and it fixed the
            issue.<br>
          </p>
          <p>See also: <a class="moz-txt-link-freetext"
              href="https://bugs.launchpad.net/mistral/+bug/1843175"
              moz-do-not-send="true">https://bugs.launchpad.net/mistral/+bug/1843175</a></p>
          <p>Many thanks to both of you!<br>
          </p>
          <p><br>
          </p>
          <p>Best Regards</p>
          <p>Francois Scheurer<br>
          </p>
          <p><br>
          </p>
          <p><br>
          </p>
          <p><br>
          </p>
          <div class="moz-cite-prefix">On 9/13/19 3:23 PM, Sa Pham
            wrote:<br>
          </div>
          <blockquote type="cite"
cite="mid:CAA1DRzmR9zXVnMPoyzu4pCZqPLETbQq+ZvA4WvgD91RAc6B9bw@mail.gmail.com"
            class="spark_quote" style="margin: 5px 5px; padding-left:
            10px; border-left: thin solid #e67e22;">
            <div dir="ltr">Hi Francois,
              <div><br>
              </div>
              <div>You can try this patch: <a
                  href="https://review.opendev.org/#/c/680858/"
                  moz-do-not-send="true">https://review.opendev.org/#/c/680858/</a></div>
              <div><br>
              </div>
              <div>Sa Pham</div>
            </div>
            <br>
            <div class="gmail_quote">
              <div dir="ltr" class="gmail_attr">On Thu, Sep 12, 2019 at
                11:49 PM Francois Scheurer <<a
                  href="mailto:francois.scheurer@everyware.ch"
                  moz-do-not-send="true">francois.scheurer@everyware.ch</a>>
                wrote:<br>
              </div>
              <blockquote class="gmail_quote spark_quote" style="margin:
                5px 5px; padding-left: 10px; border-left: thin solid
                #3498db;">
                <div bgcolor="#FFFFFF">
                  <p>Hello<br>
                  </p>
                  <p><br>
                  </p>
                  <p><br>
                  </p>
                  <p>Apparently other people have the same issue and
                    cannot use cron triggers anymore:</p>
                  <p><a
                      class="gmail-m_8805621447070179352moz-txt-link-freetext"
href="https://bugs.launchpad.net/mistral/+bug/1843175" target="_blank"
                      moz-do-not-send="true">https://bugs.launchpad.net/mistral/+bug/1843175</a></p>
                  <p><br>
                  </p>
                  <p>We also tried with the following patch installed, but
                    the same error persists:<br>
                  </p>
                  <p><a
                      class="gmail-m_8805621447070179352moz-txt-link-freetext"
href="https://opendev.org/openstack/mistral/commit/6102c5251e29c1efe73c92935a051feff0f649c7?style=split"
                      target="_blank" moz-do-not-send="true">https://opendev.org/openstack/mistral/commit/6102c5251e29c1efe73c92935a051feff0f649c7?style=split</a><br>
                  </p>
                  <p><br>
                  </p>
                  <p><br>
                  </p>
                  <p>Cheers</p>
                  <p>Francois<br>
                  </p>
                  <p><br>
                  </p>
                  <p><br>
                  </p>
                  <p><br>
                  </p>
                  <div
                    class="gmail-m_8805621447070179352moz-cite-prefix">On
                    9/9/19 6:23 PM, Francois Scheurer wrote:<br>
                  </div>
                  <blockquote type="cite" class="spark_quote"
                    style="margin: 5px 5px; padding-left: 10px;
                    border-left: thin solid #d35400;">
                    <p>Dear All</p>
                    <p><br>
                    </p>
                    <p>We are using Mistral 7.0.1.1 with Openstack
                      Rocky (with federated users).<br>
                    </p>
                    <p>We can create and execute a workflow via horizon,
                      but cron triggers always fail with this error:<br>
                    </p>
                    <pre>{
    "result":
        "The action raised an exception [
            action_ex_id=ef878c48-d0ad-4564-9b7e-a06f07a70ded,
            action_cls='&lt;class 'mistral.actions.action_factory.NovaAction'&gt;',
            attributes='{u'client_method_name': u'servers.find'}',
            params='{
                u'action_region': u'ch-zh1',
                u'name': u'42724489-1912-44d1-9a59-6c7a4bebebfa'
            }'
        ]
        \n NovaAction.servers.find failed: You are not authorized to perform the requested action: identity:validate_token. (HTTP 403) (Request-ID: req-ec1aea36-c198-4307-bf01-58aca74fad33)
    "
}</pre>
                    <p>Adding the role <b>admin</b> or <b>service</b>
                      to the user logged in horizon is "fixing" the
                      issue, I mean that the cron trigger then works as
                      expected,<br>
                    </p>
                    <p>but it would obviously be a bad idea to do this
                      for all normal users ;-)</p>
                    <p>So my question: is it a config problem on our
                      side? Is it a known bug? Or is it a feature, in
                      the sense that cron triggers are for normal users?<br>
                    </p>
                    <p><br>
                    </p>
                    <p>After digging in the keystone debug logs (see at
                      the end below), I found that the RBAC check
                      identity:validate_token can deny the authorization.<br>
                    </p>
                    <p>But according to the policy.json (in keystone and
                      in horizon), rule:owner should be enough to grant
                      it...:<br>
                    </p>
                    <pre>"identity:validate_token": "rule:service_admin_or_owner",
    "service_admin_or_owner": "rule:service_or_admin or rule:owner",
        "service_or_admin": "rule:admin_required or rule:service_role",
            "service_role": "role:service",
        "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",</pre>
                    <p>Thank you in advance for your help.</p>
                    <p><br>
                    </p>
                    <p>Best Regards<br>
                    </p>
                    <p>Francois Scheurer<br>
                    </p>
                    <p><br>
                    </p>
                    <p><br>
                    </p>
                    <p><br>
                    </p>
                    <p>Keystone logs:<br>
                    </p>
                    <pre>2019-09-05 09:38:00.902 29 DEBUG keystone.policy.backends.rules [req-1a276b9d-8276-4ec3-b516-f51f86cd1df6 fsc fscproject - testdom testdom]
    enforce identity:validate_token:
    {
       'service_project_id':None,
       'service_user_id':None,
       'service_user_domain_id':None,
       'service_project_domain_id':None,
       'trustor_id':None,
       'user_domain_id':u'testdom',
       'domain_id':None,
       'trust_id':u'mytrustid',
       'project_domain_id':u'testdom',
       'service_roles':[],
       'group_ids':[],
       'user_id':u'fsc',
       'roles':[
          u'_member_',
          u'creator',
          u'reader',
          u'heat_stack_owner',
          u'member',
          u'load-balancer_member'],
       'system_scope':None,
       'trustee_id':None,
       'domain_name':None,
       'is_admin_project':True,
       'token':&lt;TokenModel (audit_id=0LAsW_0dQMWXh2cTZTLcWA, audit_chain_id=[u'0LAsW_0dQMWXh2cTZTLcWA']) at 0x7f208f4a3bd0&gt;,
       'project_id':u'fscproject'
    } enforce /var/lib/kolla/venv/local/lib/python2.7/site-packages/keystone/policy/backends/rules.py:33
2019-09-05 09:38:00.920 29 WARNING keystone.common.wsgi [req-1a276b9d-8276-4ec3-b516-f51f86cd1df6 fsc fscproject - testdom testdom]
    You are not authorized to perform the requested action: identity:validate_token.: <b>ForbiddenAction: You are not authorized to perform the requested action: identity:validate_token.</b></pre>
                    <br>
                    <pre class="gmail-m_8805621447070179352moz-signature" cols="72">--  


EveryWare AG
François Scheurer
Senior Systems Engineer
Zurlindenstrasse 52a
CH-8003 Zürich

tel: +41 44 466 60 00
fax: +41 44 466 60 10
mail: <a class="gmail-m_8805621447070179352moz-txt-link-abbreviated" href="mailto:francois.scheurer@everyware.ch" target="_blank" moz-do-not-send="true">francois.scheurer@everyware.ch</a>
web: <a class="gmail-m_8805621447070179352moz-txt-link-freetext" href="http://www.everyware.ch" target="_blank" moz-do-not-send="true">http://www.everyware.ch</a> </pre>
                  </blockquote>
                </div>
              </blockquote>
            </div>
            <br clear="all">
            <div><br>
            </div>
            --<br>
            <div dir="ltr" class="gmail_signature">
              <div dir="ltr">
                <div>
                  <div dir="ltr">Sa Pham Dang<br>
                  </div>
                  <div dir="ltr">Master Student - Soongsil University<br>
                    <div>Kakaotalk: sapd95</div>
                    <div>Skype: great_bn</div>
                    <div><br>
                      <div><br>
                      </div>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </blockquote>
        </blockquote>
      </div>
    </blockquote>
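    <p>Added example (not part of the thread, and not oslo.policy or Keystone code): a small evaluator for the subset of policy.json syntax quoted in the 9/9 message, run against the credentials from the keystone debug log in that message. It shows why, for a caller whose roles contain neither <b>admin</b> nor <b>service</b>, the <code>identity:validate_token</code> decision reduces to the <code>owner</code> rule, i.e. to whether the token being validated belongs to the caller. Assumptions: the body of <code>admin_required</code> is not quoted on the page and is taken to be <code>role:admin</code>; the target is modelled as a flat dict keyed by the dotted path (<code>target.token.user_id</code>); the user id of the token in the failing request is not shown in the log, so both the matching and the non-matching case are evaluated.</p>

```python
"""Toy evaluator for the policy.json rules quoted in the thread.

This is an added illustration, not oslo.policy. It supports only the
constructs that appear in the quoted rules: 'rule:<name>', 'role:<name>',
'<cred_key>:<literal>', '<cred_key>:%(target_key)s', joined by 'or'/'and'.
"""
import re

# Rules copied from the policy.json excerpt in the thread. 'admin_required'
# is referenced there but not quoted, so its body is an assumption.
POLICY = {
    "identity:validate_token": "rule:service_admin_or_owner",
    "service_admin_or_owner": "rule:service_or_admin or rule:owner",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "service_role": "role:service",
    "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
    "admin_required": "role:admin",  # assumption: not on the page
}

# Credentials taken from the keystone debug log in the thread (subset).
LOG_CREDS = {
    "user_id": "fsc",
    "project_id": "fscproject",
    "trust_id": "mytrustid",
    "roles": ["_member_", "creator", "reader", "heat_stack_owner",
              "member", "load-balancer_member"],
}

_SUBST = re.compile(r"^%\((.+)\)s$")


def _atom(atom, creds, target):
    """Evaluate one 'kind:value' check against creds and target."""
    kind, _, value = atom.strip().partition(":")
    if kind == "rule":
        return evaluate(POLICY[value], creds, target)
    if kind == "role":
        return value in creds.get("roles", [])
    m = _SUBST.match(value)
    if m:
        # Generic check: compare a credential field with a target field.
        # A missing target key fails the check; it never passes by default.
        if m.group(1) not in target:
            return False
        return str(creds.get(kind)) == str(target[m.group(1)])
    return str(creds.get(kind)) == value


def evaluate(expr, creds, target):
    """'or' binds looser than 'and'; the quoted rules need no parentheses."""
    return any(all(_atom(a, creds, target) for a in alt.split(" and "))
               for alt in expr.split(" or "))


def with_role(creds, role):
    """Return a copy of creds with one extra role (e.g. 'service')."""
    return {**creds, "roles": creds["roles"] + [role]}


def validate_token_allowed(creds, token_user_id):
    """Decide identity:validate_token for a token owned by token_user_id.

    The target is modelled as a flat dict keyed by the dotted path used in
    the quoted 'owner' rule (an assumption of this example).
    """
    target = {"target.token.user_id": token_user_id}
    return evaluate(POLICY["identity:validate_token"], creds, target)


if __name__ == "__main__":
    # Constructed scenarios: the same caller validating its own token,
    # someone else's token, and someone else's token after adding 'service'.
    print("own token      :", validate_token_allowed(LOG_CREDS, "fsc"))
    print("other token    :", validate_token_allowed(LOG_CREDS, "someone-else"))
    print("+ service role :", validate_token_allowed(
        with_role(LOG_CREDS, "service"), "someone-else"))
```

    <p>With the roles from the log, only the <code>owner</code> branch can succeed, so validating a token that belongs to a different user id is denied; adding the <b>service</b> or <b>admin</b> role short-circuits through <code>service_or_admin</code> and grants it for any token, which is the behaviour the thread describes and the reason that workaround is undesirable for ordinary users.</p>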
  </body>
</html>