Hi Sa Pham


Yes this is the good one.

Bo Tran pointed it to me yesterday as well and it fixed the issue.

See also: https://bugs.launchpad.net/mistral/+bug/1843175

Many thanks to both of you!


Best Regards

Francois Scheurer




On 9/13/19 3:23 PM, Sa Pham wrote:
Hi Francois,

You can try this patch: https://review.opendev.org/#/c/680858/

Sa Pham

On Thu, Sep 12, 2019 at 11:49 PM Francois Scheurer <francois.scheurer@everyware.ch> wrote:

Hello



Apparently other people have the same issue and cannot use cron triggers anymore:

https://bugs.launchpad.net/mistral/+bug/1843175


We also tried with following patch installed but the same error persists:

https://opendev.org/openstack/mistral/commit/6102c5251e29c1efe73c92935a051feff0f649c7?style=split



Cheers

Francois




On 9/9/19 6:23 PM, Francois Scheurer wrote:

Dear All


We are using Mistral 7.0.1.1 with Openstack Rocky (with federated users).

We can create and execute a workflow via horizon, but cron triggers always fail with this error:

    {
        "result":
            "The action raised an exception [
                    action_ex_id=ef878c48-d0ad-4564-9b7e-a06f07a70ded,
                    action_cls='<class 'mistral.actions.action_factory.NovaAction'>',
                    attributes='{u'client_method_name': u'servers.find'}',
                    params='{
                        u'action_region': u'ch-zh1',
                        u'name': u'42724489-1912-44d1-9a59-6c7a4bebebfa'
                    }'
                ]
                \n NovaAction.servers.find failed: You are not authorized to perform the requested action: identity:validate_token. (HTTP 403) (Request-ID: req-ec1aea36-c198-4307-bf01-58aca74fad33)
            "
    }

Adding the role admin or service to the user logged in horizon is "fixing" the issue, I mean that the cron trigger then works as expected,

but it would obviously be a bad idea to do this for all normal users ;-)

So my question: is it a config problem on our side? Is it a known bug? Or is it a feature in the sense that cron triggers are for normal users?


After digging in the keystone debug logs (see at the end below), I found that the RBAC check identity:validate_token can deny the authorization.

But according to the policy.json (in keystone and in horizon), rule:owner should be enough to grant it...:

    "identity:validate_token": "rule:service_admin_or_owner",
    "service_admin_or_owner": "rule:service_or_admin or rule:owner",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "service_role": "role:service",
    "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",

Thank you in advance for your help.


Best Regards

Francois Scheurer




Keystone logs:

        2019-09-05 09:38:00.902 29 DEBUG keystone.policy.backends.rules [req-1a276b9d-8276-4ec3-b516-f51f86cd1df6 fsc fscproject - testdom testdom]
            enforce identity:validate_token:
            {
               'service_project_id':None,
               'service_user_id':None,
               'service_user_domain_id':None,
               'service_project_domain_id':None,
               'trustor_id':None,
               'user_domain_id':u'testdom',
               'domain_id':None,
               'trust_id':u'mytrustid',
               'project_domain_id':u'testdom',
               'service_roles':[],
               'group_ids':[],
               'user_id':u'fsc',
               'roles':[
                  u'_member_',
                  u'creator',
                  u'reader',
                  u'heat_stack_owner',
                  u'member',
                  u'load-balancer_member'],
               'system_scope':None,
               'trustee_id':None,
               'domain_name':None,
               'is_admin_project':True,
               'token':<TokenModel (audit_id=0LAsW_0dQMWXh2cTZTLcWA, audit_chain_id=[u'0LAsW_0dQMWXh2cTZTLcWA']) at 0x7f208f4a3bd0>,
               'project_id':u'fscproject'
            } enforce /var/lib/kolla/venv/local/lib/python2.7/site-packages/keystone/policy/backends/rules.py:33
        2019-09-05 09:38:00.920 29 WARNING keystone.common.wsgi [req-1a276b9d-8276-4ec3-b516-f51f86cd1df6 fsc fscproject - testdom testdom]
            You are not authorized to perform the requested action: identity:validate_token.: ForbiddenAction: You are not authorized to perform the requested action: identity:validate_token.


-- 


EveryWare AG
François Scheurer
Senior Systems Engineer
Zurlindenstrasse 52a
CH-8003 Zürich

tel: +41 44 466 60 00
fax: +41 44 466 60 10
mail: francois.scheurer@everyware.ch
web: http://www.everyware.ch 


--
Sa Pham Dang
Master Student - Soongsil University
Kakaotalk: sapd95
Skype: great_bn


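The policy rules quoted in the thread let identity:validate_token pass on rule:owner only when the caller's user_id equals the target's user_id or the user_id of the token being validated; the keystone debug log shows the caller's credentials but not that target. The following Python is an added example, not code from the thread, Mistral or Keystone: a toy evaluator for just the quoted rules (real Keystone uses oslo.policy) that shows which caller/target combinations pass the check. The "admin_required" definition and the target layout are assumptions.

```python
import re

# Policy rules as quoted in the thread. "admin_required" is not quoted there;
# its definition below is the conventional keystone one and is an assumption.
POLICY = {
    "identity:validate_token": "rule:service_admin_or_owner",
    "service_admin_or_owner": "rule:service_or_admin or rule:owner",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "service_role": "role:service",
    "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
    "admin_required": "role:admin or is_admin:1",  # assumed, not in the thread
}

# Roles of the caller as they appear in the quoted keystone debug log.
LOGGED_ROLES = ["_member_", "creator", "reader", "heat_stack_owner",
                "member", "load-balancer_member"]

def flatten(d, prefix=""):
    """{'target': {'token': {'user_id': 'x'}}} -> {'target.token.user_id': 'x'}."""
    out = {}
    for k, v in d.items():
        key = prefix + k
        out.update(flatten(v, key + ".") if isinstance(v, dict) else {key: v})
    return out

def enforce(rule, creds, target):
    """Evaluate a POLICY rule. Only the forms used above are supported:
    'or', rule:<name>, role:<name>, and <attr>:<literal | %(target_key)s>."""
    for atom in POLICY[rule].split(" or "):
        kind, _, value = atom.partition(":")
        if kind == "rule":
            ok = enforce(value, creds, target)
        elif kind == "role":
            ok = value in creds.get("roles", [])
        else:  # generic check: creds[kind] against a literal or a target value
            m = re.fullmatch(r"%\((.+)\)s", value)
            expected = target.get(m.group(1)) if m else value
            ok = expected is not None and str(creds.get(kind)) == str(expected)
        if ok:
            return True
    return False

def validate_token_allowed(roles, caller_user_id, token_user_id, is_admin=False):
    """Does identity:validate_token pass for this caller validating a token
    owned by token_user_id? The target layout is constructed for this example."""
    creds = {"user_id": caller_user_id, "roles": roles, "is_admin": int(is_admin)}
    target = flatten({"user_id": token_user_id,
                      "target": {"token": {"user_id": token_user_id}}})
    return enforce("identity:validate_token", creds, target)
```

With the logged roles, the check passes only when the validated token belongs to the caller; adding the service or admin role, or an admin flag, makes it pass for any token, which matches the workaround described in the thread. Since the log also shows a trust_id, a useful check is whose user_id the token handed to validate_token actually carries.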