[swift][tempest][kolla]

Michal Arbet michal.arbet at ultimum.io
Tue Dec 14 16:14:26 UTC 2021


Hi,

Additional info from openstack swift team :

#openstack-swift IRC:

<kevko> delay_auth_decision is this dangerous in swift ?
<kevko> or why it is default false ?
<kevko> i found that if it is false ..discoverability not working
<zaitcev> IIRC it defaults to false because tempauth does not need it, so
SAIO works without. But basically all it does is letting 2 auths coexist,
or have an auth that has 2 middlewares like authtoken (obtains the tokens)
and keystone (makes the decision).
<zaitcev> So it's "delayed" in a sense that it invokes the auth hook after
all the middlewares had a chance to execute.
<zaitcev> But of course it occurs before the request proceeds.
<kevko> hmm, so if I am using keystoneauth, i should set it to True,
shouldn't I ?
<zaitcev> Yes.
<zaitcev> Well, strictly speaking, if middleware is in the correct order,
you can get keystone itself to work. But not things like tempurl.
<zaitcev> So just set it.
<zaitcev> There's no security concern with it.

So, from my perspective of view, we should set this to True in
kolla-ansible and add Release note to inform users default value has
changed.

Kevko

Michal Arbet
Openstack Engineer

Ultimum Technologies a.s.
Na Poříčí 1047/26, 11000 Praha 1
Czech Republic

+420 604 228 897
michal.arbet at ultimum.io
*https://ultimum.io <https://ultimum.io/>*

LinkedIn <https://www.linkedin.com/company/ultimum-technologies> | Twitter
<https://twitter.com/ultimumtech> | Facebook
<https://www.facebook.com/ultimumtechnologies/timeline>


út 14. 12. 2021 v 17:09 odesílatel Michal Arbet <michal.arbet at ultimum.io>
napsal:

> Hi,
>
> Sorry I broke a diff because of manual edit, below is the fix.
>
> [filter:authtoken]
> -delay_auth_decision = False
> +delay_auth_decision = True
>
> Thank to Pierre Riteau (priteau) that he catched my fault :)
>
> Kevko
>
> Michal Arbet
> Openstack Engineer
>
> Ultimum Technologies a.s.
> Na Poříčí 1047/26, 11000 Praha 1
> Czech Republic
>
> +420 604 228 897
> michal.arbet at ultimum.io
> *https://ultimum.io <https://ultimum.io/>*
>
> LinkedIn <https://www.linkedin.com/company/ultimum-technologies> | Twitter
> <https://twitter.com/ultimumtech> | Facebook
> <https://www.facebook.com/ultimumtechnologies/timeline>
>
>
> út 14. 12. 2021 v 16:25 odesílatel Michal Arbet <michal.arbet at ultimum.io>
> napsal:
>
>> Hi,
>>
>> [filter:authtoken]
>> -delay_auth_decision = True
>> +delay_auth_decision = True
>>
>> Above does the trick and now working :)
>>
>> Thank you
>>
>> Michal Arbet
>> Openstack Engineer
>>
>> Ultimum Technologies a.s.
>> Na Poříčí 1047/26, 11000 Praha 1
>> Czech Republic
>>
>> +420 604 228 897
>> michal.arbet at ultimum.io
>> *https://ultimum.io <https://ultimum.io/>*
>>
>> LinkedIn <https://www.linkedin.com/company/ultimum-technologies> |
>> Twitter <https://twitter.com/ultimumtech> | Facebook
>> <https://www.facebook.com/ultimumtechnologies/timeline>
>>
>>
>> út 14. 12. 2021 v 0:52 odesílatel Ghanshyam Mann <gmann at ghanshyammann.com>
>> napsal:
>>
>>>  ---- On Mon, 13 Dec 2021 11:33:27 -0600 Michal Arbet <
>>> michal.arbet at ultimum.io> wrote ----
>>>  > Hello to eveyrone,
>>>  > Please, could someone help me with swift capabilities not working
>>> when I'm tempesting openstack test stack ?
>>>  > Tempest :
>>>  > rm -rf /tmp/tempest-lock/; refstack-client test -v -c
>>> /opt/tempest/tempest.conf -- --regex
>>> tempest.api.object_storage.test_account_quotas_negative.AccountQuotasNegativeTest
>>>  >
>>>  > (.venv) root at ca6353106d83:/opt/refstack-client# rm -rf
>>> /tmp/tempest-lock/; refstack-client test -v -c /opt/tempest/tempest.conf --
>>> --regex
>>> tempest.api.object_storage.test_account_quotas_negative.AccountQuotasNegativeTest
>>>  > 2021-12-13 17:44:33.001 4358 INFO tempest [-] Using tempest config
>>> file /etc/tempest/tempest.conf
>>>  > 2021-12-13 17:44:33,839 refstack_client:518 INFO Starting Tempest
>>> test...
>>>  > 2021-12-13 17:44:33.839 4358 INFO refstack_client [-] Starting
>>> Tempest test...
>>>  > {0} setUpClass
>>> (tempest.api.object_storage.test_account_quotas_negative.AccountQuotasNegativeTest)
>>> [0.000000s] ... FAILED
>>>  >
>>>  > Captured traceback:
>>>  > ~~~~~~~~~~~~~~~~~~~
>>>  >     Traceback (most recent call last):
>>>  >
>>>  >       File "/opt/refstack-client/.tempest/tempest/test.py", line 181,
>>> in setUpClass
>>>  >     raise value.with_traceback(trace)
>>>  >
>>>  >       File "/opt/refstack-client/.tempest/tempest/test.py", line 174,
>>> in setUpClass
>>>  >     cls.resource_setup()
>>>  >
>>>  >       File
>>> "/opt/refstack-client/.tempest/tempest/api/object_storage/test_account_quotas_negative.py",
>>> line 36, in resource_setup
>>>  >     super(AccountQuotasNegativeTest, cls).resource_setup()
>>>  >
>>>  >       File
>>> "/opt/refstack-client/.tempest/tempest/api/object_storage/base.py", line
>>> 95, in resource_setup
>>>  >     body = cls.capabilities_client.list_capabilities()
>>>  >
>>>  >       File
>>> "/opt/refstack-client/.tempest/tempest/lib/services/object_storage/capabilities_client.py",
>>> line 32, in list_capabilities
>>>  >     self._error_checker(resp, body)
>>>  >
>>>  >       File
>>> "/opt/refstack-client/.tempest/tempest/lib/common/rest_client.py", line
>>> 799, in _error_checker
>>>  >     raise exceptions.Unauthorized(resp_body, resp=resp)
>>>  >
>>>  >     tempest.lib.exceptions.Unauthorized: Unauthorized
>>>  > Details: {'code': 401, 'title': 'Unauthorized', 'message': 'The
>>> request you have made requires authentication.'}
>>>  >
>>>  >
>>>  > ==============================
>>>  > Failed 1 tests - output below:
>>>  > ==============================
>>>  >
>>>  > setUpClass
>>> (tempest.api.object_storage.test_account_quotas_negative.AccountQuotasNegativeTest)
>>>  >
>>> ----------------------------------------------------------------------------------------------
>>>  >
>>>  > Captured traceback:
>>>  > ~~~~~~~~~~~~~~~~~~~
>>>  >     Traceback (most recent call last):
>>>  >
>>>  >       File "/opt/refstack-client/.tempest/tempest/test.py", line 181,
>>> in setUpClass
>>>  >     raise value.with_traceback(trace)
>>>  >
>>>  >       File "/opt/refstack-client/.tempest/tempest/test.py", line 174,
>>> in setUpClass
>>>  >     cls.resource_setup()
>>>  >
>>>  >       File
>>> "/opt/refstack-client/.tempest/tempest/api/object_storage/test_account_quotas_negative.py",
>>> line 36, in resource_setup
>>>  >     super(AccountQuotasNegativeTest, cls).resource_setup()
>>>  >
>>>  >       File
>>> "/opt/refstack-client/.tempest/tempest/api/object_storage/base.py", line
>>> 95, in resource_setup
>>>  >     body = cls.capabilities_client.list_capabilities()
>>>  >
>>>  >       File
>>> "/opt/refstack-client/.tempest/tempest/lib/services/object_storage/capabilities_client.py",
>>> line 32, in list_capabilities
>>>  >     self._error_checker(resp, body)
>>>  >
>>>  >       File
>>> "/opt/refstack-client/.tempest/tempest/lib/common/rest_client.py", line
>>> 799, in _error_checker
>>>  >     raise exceptions.Unauthorized(resp_body, resp=resp)
>>>  >
>>>  >     tempest.lib.exceptions.Unauthorized: Unauthorized
>>>  > Details: {'code': 401, 'title': 'Unauthorized', 'message': 'The
>>> request you have made requires authentication.'}
>>>  >
>>>  >
>>>  >
>>>  > ======
>>>  > Totals
>>>  > ======
>>>  > Ran: 1 tests in 0.0000 sec.
>>>  >  - Passed: 0
>>>  >  - Skipped: 0
>>>  >  - Expected Fail: 0
>>>  >  - Unexpected Success: 0
>>>  >  - Failed: 1
>>>  > Sum of execute time for each test: 0.0000 sec.
>>>  >
>>>  > TEMPEST LOG :
>>>  >     Response - Headers: {'content-type': 'application/json',
>>> 'content-length': '114', 'www-authenticate': 'Keystone uri="
>>> http://192.168.205.254:5000"', 'x-trans-id':
>>> 'tx815e181e33fb4854b2631-0061b7787a', 'x-openstack-request-id':
>>> 'tx815e181e33fb4854b2631-0061b7787a', 'date': 'Mon, 13 Dec 2021 16:44:42
>>> GMT', 'connection': 'close', 'status': '401', 'content-location': '
>>> https://api.refstack.ultimum.cloud:8080/info'}
>>>  >         Body: b'{"error": {"code": 401, "title": "Unauthorized",
>>> "message": "The request you have made requires authentication."}}'
>>> _log_request_full
>>> /opt/refstack-client/.tempest/tempest/lib/common/rest_client.py:450
>>>  >
>>>  >
>>>  >
>>>  > Test from command line  and from curl
>>>  > . /etc/kolla/refstack.sh ; curl  -H "X-Auth-Token: $(openstack token
>>> issue -f value -c id)" https://api.refstack.ultimum.cloud:8080/info
>>>  > {"swift": {"version": "2.27.1.dev9", "strict_cors_mode": true,
>>> "policies": [{"name": "Policy-0", "aliases": "Policy-0", "default": true}],
>>> "allow_account_management": true, "account_autocreate": true,
>>> "max_file_size": 5368709122, "max_meta_name_length": 128,
>>> "max_meta_value_length": 256, "max_meta_count": 90,
>>> "max_meta_overall_size": 4096, "max_header_size": 8192,
>>> "max_object_name_length": 1024, "container_listing_limit": 10000,
>>> "account_listing_limit": 10000, "max_account_name_length": 256,
>>> "max_container_name_length": 256, "extra_header_count": 0},
>>> "container_sync": {"realms": {}}, "bulk_upload":
>>> {"max_containers_per_extraction": 10000, "max_failed_extractions": 1000},
>>> "bulk_delete": {"max_deletes_per_request": 10000, "max_failed_deletes":
>>> 1000}, "tempurl": {"methods": ["GET", "HEAD", "PUT", "POST", "DELETE"],
>>> "incoming_remove_headers": ["x-timestamp"], "incoming_allow_headers": [],
>>> "outgoing_remove_headers": ["x-object-meta-*"], "outgoing_allow_headers":
>>> ["x-object-meta-public-*"], "allowed_digests": ["sha1", "sha256",
>>> "sha512"]}, "ratelimit": {"account_ratelimit": 0.0,
>>> "max_sleep_time_seconds": 60.0, "container_ratelimits": [],
>>> "container_listing_ratelimits": []}, "container_quotas": {},
>>> "account_quotas": {}, "slo": {"max_manifest_segments": 1000,
>>> "max_manifest_size": 8388608, "yield_frequency": 10, "min_segment_size": 1,
>>> "allow_async_delete": false}}
>>>  >
>>>  > Python Swiftclient :
>>>  > ubuntu at deploy:/opt/kolla-ansible$  . /etc/kolla/refstack.sh ; swift
>>> --os-auth-url http://192.168.205.254:5000/v3 --auth-version 3
>>> --os-project-name refstack --os-project-domain-name default  --os-username
>>> refstack --os-user-domain-name default  --os-password SECRET capabilities
>>>  > Capabilities GET failed: http://192.168.205.254:8080/info 401
>>> Unauthorized  [first 60 chars of response] b'{"error": {"code": 401,
>>> "title": "Unauthorized", "message": '
>>>  > Failed Transaction ID: txc1d8607e26eb4cd587459-0061b7791b
>>>  >
>>>  >
>>>  >
>>>  > It looks like swift client is broken, isn't it ? Or ? Maybe
>>> kolla-ansible is creating bad roles and config ? (operator_roles,
>>> reselleradmin_roel ..etc ? ) Tempest is from master
>>>  > Thank you very much,Kevko
>>>
>>> Are you running it with dynamic creds or pre-provisioned creds ?
>>>
>>> Error is from  cls.capabilities_client which is initialized from
>>> CONF.object_storage.operator_role[1] which is 'member'
>>> role by default. what is your configuration for this?
>>>
>>> With default CONF.object_storage.operator_role as 'member' role, this
>>> test pass in upstream CI/CD so client is
>>> not broken but it is configuration  issue:
>>> https://zuul.opendev.org/t/openstack/build/b29147647370418fb9fbb0182832749d/log/job-output.txt#27292
>>>
>>>
>>> [1]
>>> https://github.com/openstack/tempest/blob/34432dc970d09a55572a68fa007575285e35b550/tempest/api/object_storage/base.py#L77
>>>
>>> -gmann
>>>
>>>  >
>>>  >
>>>  > Michal Arbet
>>>  > Openstack Engineer
>>>  >
>>>  > Ultimum Technologies a.s.
>>>  > Na Poříčí 1047/26, 11000 Praha 1
>>>  > Czech Republic
>>>  >
>>>  > +420 604 228 897
>>>  > michal.arbet at ultimum.io
>>>  > https://ultimum.io
>>>  >
>>>  > LinkedIn | Twitter | Facebook
>>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20211214/b3104b85/attachment-0001.htm>


More information about the openstack-discuss mailing list