denied resource manila for type-create command

Bug #1965524 reported by mickael batailler
This bug affects 1 person
Affects: OpenStack Manila-Ganesha Charm
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Hi,

I have manila / manila Ganesha / cephFS installed.
When I tried to execute the manila command to create a share type, like this: "manila type-create cephfsnfstype false", I got an error: "ERROR: Access was denied to this resource. (HTTP 403) (Request-ID: req-57788b41-36c9-48ee-9f43-fbec7dfd7e67)"

The error log is in the attached file.

Any ideas?

Best regards,

Mickaël

mickael batailler (jarbis31) wrote :

See the bundle I used.

mickael batailler (jarbis31) wrote :

Hi,

To give more information, here are the environment variables I use when I try to create the share type:

OS_REGION_NAME=RegionOne
OS_PROJECT_DOMAIN_ID=2c0bd72a087d40c5af6d22e89a823198
OS_INTERFACE=public
OS_CACERT=/home/jarbis/root-ca-vault.crt
OS_AUTH_URL=https://keystone.gd1.cloud:5000/v3
OS_USERNAME=admin
OS_PROJECT_ID=0763edaf84ab44d8a8c36f6cee097e73
OS_USER_DOMAIN_NAME=admin_domain
OS_PROJECT_NAME=admin
OS_PASSWORD=xxxxxxxxxxxxxxxxxxxxx
OS_IDENTITY_API_VERSION=3

I tried to unset some variables like OS_PROJECT_NAME or OS_PROJECT_ID; same problem:

[Tue Mar 15 16:04:26.122819 2022] [wsgi:error] [pid 41781:tid 139835562100480] [remote 127.0.0.1:56824] 2022-03-15 16:04:26.122 41781 DEBUG manila.api.openstack.wsgi [req-4a1c8025-5acf-4201-94ea-f84afeb78c5d e477a15dd8684c3fba27f5da6ec0ec82 0763edaf84ab44d8a8c36f6cee097e73 - 2c0bd72a087d40c5af6d22e89a823198 2c0bd72a087d40c5af6d22e89a823198] Action: 'create', calling method: Controller.__getattribute__.<locals>.version_select, body: {"share_type": {"name": "cephfsnfstype", "share_type_access:is_public": true, "extra_specs": {"driver_handles_share_servers": false}}} _process_stack /usr/lib/python3/dist-packages/manila/api/openstack/wsgi.py:797\x1b[00m
[Tue Mar 15 16:04:26.123194 2022] [wsgi:error] [pid 41781:tid 139835562100480] [remote 127.0.0.1:56824] /usr/lib/python3/dist-packages/oslo_policy/policy.py:1054: UserWarning: Policy share_type:create failed scope check. The token used to make the request was project scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intended scope is required
[Tue Mar 15 16:04:26.123203 2022] [wsgi:error] [pid 41781:tid 139835562100480] [remote 127.0.0.1:56824] warnings.warn(msg)
[Tue Mar 15 16:04:26.123678 2022] [wsgi:error] [pid 41781:tid 139835562100480] [remote 127.0.0.1:56824] 2022-03-15 16:04:26.123 41781 DEBUG manila.policy [req-4a1c8025-5acf-4201-94ea-f84afeb78c5d e477a15dd8684c3fba27f5da6ec0ec82 0763edaf84ab44d8a8c36f6cee097e73 - 2c0bd72a087d40c5af6d22e89a823198 2c0bd72a087d40c5af6d22e89a823198] Policy check for share_type:create failed with credentials {'is_admin': True, 'user_id': 'e477a15dd8684c3fba27f5da6ec0ec82', 'user_domain_id': '2c0bd72a087d40c5af6d22e89a823198', 'system_scope': None, 'domain_id': None, 'project_id': '0763edaf84ab44d8a8c36f6cee097e73', 'project_domain_id': '2c0bd72a087d40c5af6d22e89a823198', 'roles': ['Admin', 'member', 'reader'], 'is_admin_project': True, 'service_user_id': None, 'service_user_domain_id': None, 'service_project_id': None, 'service_project_domain_id': None, 'service_roles': []} authorize /usr/lib/python3/dist-packages/manila/policy.py:208\x1b[00m
[Tue Mar 15 16:04:26.123962 2022] [wsgi:error] [pid 41781:tid 139835562100480] [remote 127.0.0.1:56824] 2022-03-15 16:04:26.123 41781 INFO manila.api.openstack.wsgi [req-4a1c8025-5acf-4201-94ea-f84afeb78c5d e477a15dd8684c3fba27f5da6ec0ec82 0763edaf84ab44d8a8c36f6cee097e73 - 2c0bd72a087d40c5af6d22e89a823198 2c0bd72a087d40c5af6d22e89a823198] HTTP exception thrown: Access was denied to this resource.\x1b[00m
[Tue Mar 15 16:04:26.124115 2022] [wsgi:error] [pid 41781:tid 139835562100480] [remote 127.0.0.1:56824] 202...


mickael batailler (jarbis31) wrote :

I am continuing my investigation of the manila access denial:

In the /etc/manila folder I see a file named policy.json.
In this file, I can read all the rules relating to manila actions.

To create a share type, I have this line: "share_type:create": "rule:system-admin". And system-admin is defined in this file like this: "system-admin": "role:admin and system_scope:all"

I execute the command with the OpenStack admin user, so I do not understand why it is not working. Is this "policy.json" file used for manila? Is this file custom for manila? Do you have a template and, if yes, can I replace this file with your template? In the manila.conf file, I do not have an oslo.policy RBAC section configured. How is policy.json read?

I suspect a misconfiguration in manila.conf or in policy.json.

Many thanks for your help,

Best regards,

Mickaël
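
Added example, not part of the original report and not oslo.policy's own code: a simplified evaluator for the two policy.json rules quoted in the comment above, run against the credentials printed in the manila.policy DEBUG log line, to show which clause of the rule fails. The helper names are hypothetical, and the case-insensitive role match and string comparison for system_scope are assumptions about how such checks are evaluated.

```python
# Simplified evaluator for the "a and b" rule form seen in this report.
# Not oslo.policy itself; helper names are hypothetical.

# The two rules quoted from /etc/manila/policy.json in the report.
RULES = {
    "share_type:create": "rule:system-admin",
    "system-admin": "role:admin and system_scope:all",
}

# Credentials copied from the manila.policy DEBUG line (relevant keys only).
LOGGED_CREDS = {
    "is_admin": True,
    "system_scope": None,
    "project_id": "0763edaf84ab44d8a8c36f6cee097e73",
    "roles": ["Admin", "member", "reader"],
}


def check_atom(atom, creds, rules):
    """Evaluate one 'kind:match' check; return a list of (atom, passed)."""
    kind, _, match = atom.partition(":")
    if kind == "rule":
        # A rule reference expands into the checks of the named rule.
        return explain(match, creds, rules)
    if kind == "role":
        # Assumption: role names compare case-insensitively.
        ok = match.lower() in [r.lower() for r in creds.get("roles", [])]
    else:
        # Assumption: other kinds compare the credential value as a string.
        ok = str(creds.get(kind)) == match
    return [(atom, ok)]


def explain(name, creds, rules=RULES):
    """Expand a named rule into its leaf checks with pass/fail results."""
    results = []
    for atom in rules[name].split(" and "):
        results.extend(check_atom(atom.strip(), creds, rules))
    return results


def allowed(name, creds, rules=RULES):
    """True only if every leaf check of the named rule passes."""
    return all(ok for _, ok in explain(name, creds, rules))


if __name__ == "__main__":
    for atom, ok in explain("share_type:create", LOGGED_CREDS):
        print(f"{atom:20} {'pass' if ok else 'FAIL'}")
    # Constructed comparison: the same credentials with system scope set.
    print(allowed("share_type:create", {**LOGGED_CREDS, "system_scope": "all"}))
```

The failing leaf, system_scope:all, matches the scope warning in the log: the token was project scoped, so the credentials carry 'system_scope': None even though the Admin role is present.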

mickael batailler (jarbis31) wrote :

In addition, here is the policy.json file for manila
