[mistral] cron triggers execution fails on identity:validate_token with non-admin users
Francois Scheurer
francois.scheurer at everyware.ch
Fri Sep 13 13:32:20 UTC 2019
Hi Sa Pham
Yes this is the good one.
Bo Tran pointed it to me yesterday as well and it fixed the issue.
See also: https://bugs.launchpad.net/mistral/+bug/1843175
Many Thanks to both of you !
Best Regards
Francois Scheurer
On 9/13/19 3:23 PM, Sa Pham wrote:
> Hi Francois,
>
> You can try this patch: https://review.opendev.org/#/c/680858/
>
> Sa Pham
>
> On Thu, Sep 12, 2019 at 11:49 PM Francois Scheurer
> <francois.scheurer at everyware.ch
> <mailto:francois.scheurer at everyware.ch>> wrote:
>
> Hello
>
>
>
> Apparently other people have the same issue and cannot use cron
> triggers anymore:
>
> https://bugs.launchpad.net/mistral/+bug/1843175
>
>
> We also tried with following patch installed but the same error
> persists:
>
> https://opendev.org/openstack/mistral/commit/6102c5251e29c1efe73c92935a051feff0f649c7?style=split
>
>
>
> Cheers
>
> Francois
>
>
>
>
> On 9/9/19 6:23 PM, Francois Scheurer wrote:
>>
>> Dear All
>>
>>
>> We are using Mistral 7.0.1.1 with Openstack Rocky. (with
>> federated users)
>>
>> We can create and execute a workflow via horizon, but cron
>> triggers always fail with this error:
>>
>> {
>> "result":
>> "The action raised an exception [
>> action_ex_id=ef878c48-d0ad-4564-9b7e-a06f07a70ded,
>> action_cls='<class
>> 'mistral.actions.action_factory.NovaAction'>',
>> attributes='{u'client_method_name':
>> u'servers.find'}',
>> params='{
>> u'action_region': u'ch-zh1',
>> u'name':
>> u'42724489-1912-44d1-9a59-6c7a4bebebfa'
>> }'
>> ]
>> \n NovaAction.servers.find failed: You are not
>> authorized to perform the requested action:
>> identity:validate_token. (HTTP 403) (Request-ID:
>> req-ec1aea36-c198-4307-bf01-58aca74fad33)
>> "
>> }
>>
>> Adding the role *admin* or *service* to the user logged in
>> horizon is "fixing" the issue, I mean that the cron trigger then
>> works as expected,
>>
>> but it would be obviously a bad idea to do this for all normal
>> users ;-)
>>
>> So my question: is it a config problem on our side ? is it a
>> known bug? or is it a feature in the sense that cron triggers are
>> for normal users?
>>
>>
>> After digging in the keystone debug logs (see at the end below),
>> I found that RBAC check identity:validate_token an deny the
>> authorization.
>>
>> But according to the policy.json (in keystone and in horizon),
>> rule:owner should be enough to grant it...:
>>
>> "identity:validate_token": "rule:service_admin_or_owner",
>> "service_admin_or_owner": "rule:service_or_admin
>> or rule:owner",
>> "service_or_admin": "rule:admin_required or
>> rule:service_role",
>> "service_role": "role:service",
>> "owner": "user_id:%(user_id)s or
>> user_id:%(target.token.user_id)s",
>>
>> Thank you in advance for your help.
>>
>>
>> Best Regards
>>
>> Francois Scheurer
>>
>>
>>
>>
>> Keystone logs:
>>
>> 2019-09-05 09:38:00.902 29 DEBUG
>> keystone.policy.backends.rules
>> [req-1a276b9d-8276-4ec3-b516-f51f86cd1df6 fsc fscproject -
>> testdom testdom]
>> enforce identity:validate_token:
>> {
>> 'service_project_id':None,
>> 'service_user_id':None,
>> 'service_user_domain_id':None,
>> 'service_project_domain_id':None,
>> 'trustor_id':None,
>> 'user_domain_id':u'testdom',
>> 'domain_id':None,
>> 'trust_id':u'mytrustid',
>> 'project_domain_id':u'testdom',
>> 'service_roles':[],
>> 'group_ids':[],
>> 'user_id':u'fsc',
>> 'roles':[
>> u'_member_',
>> u'creator',
>> u'reader',
>> u'heat_stack_owner',
>> u'member',
>> u'load-balancer_member'],
>> 'system_scope':None,
>> 'trustee_id':None,
>> 'domain_name':None,
>> 'is_admin_project':True,
>> 'token':<TokenModel
>> (audit_id=0LAsW_0dQMWXh2cTZTLcWA,
>> audit_chain_id=[u'0LAsW_0dQMWXh2cTZTLcWA']) at 0x7f208f4a3bd0>,
>> 'project_id':u'fscproject'
>> } enforce
>> /var/lib/kolla/venv/local/lib/python2.7/site-packages/keystone/policy/backends/rules.py:33
>> 2019-09-05 09:38:00.920 29 WARNING keystone.common.wsgi
>> [req-1a276b9d-8276-4ec3-b516-f51f86cd1df6 fsc fscproject -
>> testdom testdom]
>> You are not authorized to perform the requested
>> action: identity:validate_token.: *ForbiddenAction: You are not
>> authorized to perform the requested action: identity:validate_token.*
>>
>>
>> --
>>
>>
>> EveryWare AG
>> François Scheurer
>> Senior Systems Engineer
>> Zurlindenstrasse 52a
>> CH-8003 Zürich
>>
>> tel: +41 44 466 60 00
>> fax: +41 44 466 60 10
>> mail:francois.scheurer at everyware.ch <mailto:francois.scheurer at everyware.ch>
>> web:http://www.everyware.ch
>
> --
>
>
> EveryWare AG
> François Scheurer
> Senior Systems Engineer
> Zurlindenstrasse 52a
> CH-8003 Zürich
>
> tel: +41 44 466 60 00
> fax: +41 44 466 60 10
> mail:francois.scheurer at everyware.ch <mailto:francois.scheurer at everyware.ch>
> web:http://www.everyware.ch
>
>
>
> --
> Sa Pham Dang
> Master Student - Soongsil University
> Kakaotalk: sapd95
> Skype: great_bn
>
>
--
EveryWare AG
François Scheurer
Senior Systems Engineer
Zurlindenstrasse 52a
CH-8003 Zürich
tel: +41 44 466 60 00
fax: +41 44 466 60 10
mail: francois.scheurer at everyware.ch
web: http://www.everyware.ch
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20190913/8ad1330e/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5230 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20190913/8ad1330e/attachment-0001.bin>
More information about the openstack-discuss
mailing list