Dear All,
We are using Mistral 7.0.1.1 with OpenStack Rocky (with federated users).
We can create and execute a workflow via Horizon, but cron triggers always fail with this error:
{
  "result": "The action raised an exception [action_ex_id=ef878c48-d0ad-4564-9b7e-a06f07a70ded, action_cls='<class 'mistral.actions.action_factory.NovaAction'>', attributes='{u'client_method_name': u'servers.find'}', params='{u'action_region': u'ch-zh1', u'name': u'42724489-1912-44d1-9a59-6c7a4bebebfa'}']\n NovaAction.servers.find failed: You are not authorized to perform the requested action: identity:validate_token. (HTTP 403) (Request-ID: req-ec1aea36-c198-4307-bf01-58aca74fad33)"
}
Adding the role admin or service to the user logged in to Horizon is "fixing" the issue, I mean that the cron trigger then works as expected, but it would obviously be a bad idea to do this for all normal users ;-)
So my question: is it a config problem on our side? Is it a known bug? Or is it a feature in the sense that cron triggers are for normal users?
After digging in the keystone debug logs (see at the end below), I found that the RBAC check identity:validate_token can deny the authorization.
But according to the policy.json (in keystone and in horizon), rule:owner should be enough to grant it...:
  "identity:validate_token": "rule:service_admin_or_owner",
  "service_admin_or_owner": "rule:service_or_admin or rule:owner",
  "service_or_admin": "rule:admin_required or rule:service_role",
  "service_role": "role:service",
  "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
Thank you in advance for your help.
Best Regards
Francois Scheurer
Keystone logs:
2019-09-05 09:38:00.902 29 DEBUG keystone.policy.backends.rules [req-1a276b9d-8276-4ec3-b516-f51f86cd1df6 fsc fscproject - testdom testdom] enforce identity:validate_token: {
  'service_project_id': None,
  'service_user_id': None,
  'service_user_domain_id': None,
  'service_project_domain_id': None,
  'trustor_id': None,
  'user_domain_id': u'testdom',
  'domain_id': None,
  'trust_id': u'mytrustid',
  'project_domain_id': u'testdom',
  'service_roles': [],
  'group_ids': [],
  'user_id': u'fsc',
  'roles': [u'_member_', u'creator', u'reader', u'heat_stack_owner', u'member', u'load-balancer_member'],
  'system_scope': None,
  'trustee_id': None,
  'domain_name': None,
  'is_admin_project': True,
  'token': <TokenModel (audit_id=0LAsW_0dQMWXh2cTZTLcWA, audit_chain_id=[u'0LAsW_0dQMWXh2cTZTLcWA']) at 0x7f208f4a3bd0>,
  'project_id': u'fscproject'
} enforce /var/lib/kolla/venv/local/lib/python2.7/site-packages/keystone/policy/backends/rules.py:33
2019-09-05 09:38:00.920 29 WARNING keystone.common.wsgi [req-1a276b9d-8276-4ec3-b516-f51f86cd1df6 fsc fscproject - testdom testdom] You are not authorized to perform the requested action: identity:validate_token.: ForbiddenAction: You are not authorized to perform the requested action: identity:validate_token.
--
EveryWare AG
François Scheurer
Senior Systems Engineer
Zurlindenstrasse 52a
CH-8003 Zürich
tel: +41 44 466 60 00
fax: +41 44 466 60 10
mail: francois.scheurer@everyware.ch
web: http://www.everyware.ch
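Added example (not part of the post above and not keystone or oslo.policy code): a small evaluator for the rule subset quoted from policy.json, run against the credentials shown in the enforce log, to make visible under which conditions rule:owner grants or denies identity:validate_token. It assumes keystone's usual definition of admin_required ("role:admin or is_admin:1", which the post does not quote), assumes the policy target for validate_token carries the validated token's user id under target.token.user_id (as the owner rule's %(target.token.user_id)s implies), and uses a constructed user id "other-user" for the case where the token being validated does not belong to the caller.

```python
"""Mini evaluator for the oslo.policy-style rule subset quoted in the post:
'rule:<name>', 'role:<name>', '<creds key>:%(target path)s', '<creds key>:<literal>',
combined with ' or ' / ' and '.  Illustration only, not oslo.policy itself."""

POLICY = {
    # Rules quoted from the post's policy.json
    "identity:validate_token": "rule:service_admin_or_owner",
    "service_admin_or_owner": "rule:service_or_admin or rule:owner",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "service_role": "role:service",
    "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
    # ASSUMPTION: keystone's default definition, not quoted in the post
    "admin_required": "role:admin or is_admin:1",
}

# Credentials taken from the quoted enforce log, trimmed to the keys the rules use.
CREDS_FROM_LOG = {
    "user_id": "fsc",
    "project_id": "fscproject",
    "trust_id": "mytrustid",
    "roles": ["_member_", "creator", "reader", "heat_stack_owner",
              "member", "load-balancer_member"],
    "is_admin": False,
}


def lookup(target, dotted_path):
    """Resolve 'a.b.c' inside the nested target dict; None if any part is missing."""
    cur = target
    for part in dotted_path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def check(expr, creds, target, depth=0):
    """Evaluate one rule expression against credentials and target."""
    if depth > 20:
        raise RecursionError("rule reference loop in POLICY")
    expr = expr.strip()
    if " or " in expr:
        return any(check(p, creds, target, depth + 1) for p in expr.split(" or "))
    if " and " in expr:
        return all(check(p, creds, target, depth + 1) for p in expr.split(" and "))
    kind, _, value = expr.partition(":")
    if kind == "rule":
        return check(POLICY[value], creds, target, depth + 1)
    if kind == "role":
        return value in creds.get("roles", [])
    if value.startswith("%(") and value.endswith(")s"):
        # Generic check: compare creds[kind] with a value substituted from the target
        wanted = lookup(target, value[2:-2])
        return wanted is not None and str(creds.get(kind)) == str(wanted)
    return str(creds.get(kind)) == value


def validate_token_allowed(creds, token_user_id):
    """Would identity:validate_token pass for these creds when the token being
    validated belongs to token_user_id?  Target layout is an ASSUMPTION."""
    target = {"target": {"token": {"user_id": token_user_id}}}
    return check(POLICY["identity:validate_token"], creds, target)


def with_extra_role(creds, role):
    """Copy of creds with one more role, e.g. the 'admin' workaround from the post."""
    return dict(creds, roles=creds["roles"] + [role])


if __name__ == "__main__":
    # Validating one's own token: owner rule matches.
    print("own token      :", validate_token_allowed(CREDS_FROM_LOG, "fsc"))
    # Validating a token of a different (constructed) user: neither owner nor admin.
    print("other's token  :", validate_token_allowed(CREDS_FROM_LOG, "other-user"))
    # The workaround described in the post: admin or service role grants regardless.
    print("with role admin:", validate_token_allowed(with_extra_role(CREDS_FROM_LOG, "admin"), "other-user"))
```

The point of running this is that, with the roles listed in the log, the only branch that can grant identity:validate_token to a non-admin is rule:owner, and that branch depends entirely on the user id of the token being validated matching the caller's user_id; comparing that id in the real policy target with the 'fsc' in the creds is the check to make before widening any role assignment.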