ironic-inspector: Access was denied to baremetal:port:create

Bug #2064655 reported by Marius L
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ironic | Invalid | Undecided | Unassigned | |
| Ironic Inspector | Invalid | Undecided | Unassigned | |
| kolla-ansible | Fix Released | Undecided | Matt Crees | |

Bug Description

ironic-inspector user is not allowed by the ironic policy to manage ports.
After inspection is done, it can't create the discovered bare-metal ports.

Kolla-Ansible: 17.1.0
OpenStack images: master-ubuntu-jammy (Caracal)

```
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process [-] Unexpected exception during processing: openstack.exceptions.ForbiddenException: ForbiddenException: 403: Client Error for url: http://10.10.0.100:6385/v1/ports, Access was denied to the following resource: baremetal:port:create
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process Traceback (most recent call last):
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process File "/var/lib/kolla/venv/lib/python3.10/site-packages/ironic_inspector/process.py", line 237, in process
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process result = _process_node(node_info, node, introspection_data)
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process File "/var/lib/kolla/venv/lib/python3.10/site-packages/ironic_inspector/node_cache.py", line 582, in inner
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process return func(node_info, *args, **kwargs)
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process File "/var/lib/kolla/venv/lib/python3.10/site-packages/ironic_inspector/node_cache.py", line 552, in inner
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process with excutils.save_and_reraise_exception():
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process File "/var/lib/kolla/venv/lib/python3.10/site-packages/oslo_utils/excutils.py", line 227, in __exit__
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process self.force_reraise()
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process File "/var/lib/kolla/venv/lib/python3.10/site-packages/oslo_utils/excutils.py", line 200, in force_reraise
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process raise self.value
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process File "/var/lib/kolla/venv/lib/python3.10/site-packages/ironic_inspector/node_cache.py", line 544, in inner
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process ret = func(node_info, *args, **kwargs)
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process File "/var/lib/kolla/venv/lib/python3.10/site-packages/ironic_inspector/process.py", line 271, in _process_node
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process _run_post_hooks(node_info, introspection_data)
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process File "/var/lib/kolla/venv/lib/python3.10/site-packages/ironic_inspector/process.py", line 263, in _run_post_hooks
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process hook_ext.obj.before_update(introspection_data, node_info)
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process File "/var/lib/kolla/venv/lib/python3.10/site-packages/ironic_inspector/plugins/standard.py", line 293, in before_update
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process node_info.create_ports(list(interfaces.values()))
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process File "/var/lib/kolla/venv/lib/python3.10/site-packages/ironic_inspector/node_cache.py", line 340, in create_ports
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process self._create_port(mac, ironic=ironic, extra=extra,
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process File "/var/lib/kolla/venv/lib/python3.10/site-packages/ironic_inspector/node_cache.py", line 365, in _create_port
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process port = ironic.create_port(
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process File "/var/lib/kolla/venv/lib/python3.10/site-packages/openstack/baremetal/v1/_proxy.py", line 769, in create_port
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process return self._create(_port.Port, **attrs)
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process File "/var/lib/kolla/venv/lib/python3.10/site-packages/openstack/proxy.py", line 644, in _create
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process return res.create(self, base_path=base_path)
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process File "/var/lib/kolla/venv/lib/python3.10/site-packages/openstack/resource.py", line 1533, in create
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process self._translate_response(response, **response_kwargs)
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process File "/var/lib/kolla/venv/lib/python3.10/site-packages/openstack/resource.py", line 1285, in _translate_response
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process exceptions.raise_from_response(response, error_message=error_message)
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process File "/var/lib/kolla/venv/lib/python3.10/site-packages/openstack/exceptions.py", line 247, in raise_from_response
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process raise cls(
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process openstack.exceptions.ForbiddenException: ForbiddenException: 403: Client Error for url: http://10.10.0.100:6385/v1/ports, Access was denied to the following resource: baremetal:port:create
2024-05-02 15:46:23.568 7 ERROR ironic_inspector.process

```

Tags: ironic
Luca Del Monte (squalluca) wrote :

I also had the same issue. I guess it is not a bug: basically, if you create the baremetal node with system_scope=all, the owner field of the node is empty. In order to have ironic-inspector able to create ports related to a baremetal node, you need to set the owner of the node to the service project_id.

Afonne-CID (cidelight)
Changed in ironic:
status: New → Invalid
Changed in ironic-inspector:
status: New → Invalid
Changed in kolla-ansible:
status: New → Invalid
Afonne-CID (cidelight) wrote :

This very likely concerns the scope of permissions and is not necessarily a bug. I am marking it as invalid at the moment, feel free to reopen if otherwise.

Will Szumski (willjs) wrote :

> This very likely concerns the scope of permissions and is not necessarily a bug. I am marking it as invalid at the moment, feel free to reopen if otherwise.

Thanks for taking a look. I've reopened the issue against kolla-ansible as, from what you say, this could be a misconfiguration with ironic-inspector. We were thinking of using a system-scoped service role for the ironic-inspector user; does that sound workable?

Changed in kolla-ansible:
status: Invalid → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)
Changed in kolla-ansible:
status: Triaged → In Progress
Matt Crees (mattcrees)
Changed in kolla-ansible:
assignee: nobody → Matt Crees (mattcrees)
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to kolla-ansible (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/935357

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/934415
Committed: https://opendev.org/openstack/kolla-ansible/commit/e0c095fd7dc3467a487888809690405f131e6f8b
Submitter: "Zuul (22348)"
Branch: master

commit e0c095fd7dc3467a487888809690405f131e6f8b
Author: Matt Crees <email address hidden>
Date: Fri Nov 8 09:53:47 2024 +0000

    Give ironic-inspector system scope ``all``

    The ``ironic-inspector`` service user is now assigned the system scope
    ``all``. This allows it to create baremetal ports during node inspection
    again.

    Default project and domain vars are removed as you cannot combine these
    with system scope.

    Closes-Bug: #2064655
    Change-Id: I5e3c29faae4c2531b269c37874ade368c1aab39f

Changed in kolla-ansible:
status: In Progress → Fix Released
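
The constraint in the commit message above (system scope ``all`` cannot be combined with project or domain settings) can be checked on a rendered service config before deployment. This is an added example, not kolla-ansible or ironic-inspector code; it assumes the Ironic credentials sit in an `[ironic]` section with keystoneauth-style option names, and the sample configs are constructed.

```python
import configparser

# Options that select a token scope. Names follow keystoneauth's password
# plugin (assumption); a request may carry only one scope target.
SCOPE_OPTIONS = {
    "project": ("project_id", "project_name"),
    "domain": ("domain_id", "domain_name"),
    "system": ("system_scope",),
    "trust": ("trust_id",),
}

def load_section(conf_text, section):
    """Parse INI text and return one section (KeyError if it is missing)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser[section]

def check_scope(conf_text, section="ironic"):
    """Return the single scope in use, or a string describing the problem."""
    opts = load_section(conf_text, section)
    targets = sorted(
        target for target, names in SCOPE_OPTIONS.items()
        if any(opts.get(name, "").strip() for name in names)
    )
    if len(targets) > 1:
        return "conflict: " + "+".join(targets)
    if not targets:
        return "unscoped"
    if targets == ["system"] and opts["system_scope"].strip() != "all":
        return "invalid system_scope"
    return targets[0]

# Constructed samples: the project-scoped layout from before the fix, the
# system-scoped layout after it, and a half-migrated file mixing both.
PROJECT_SCOPED = """
[ironic]
auth_type = password
username = ironic-inspector
user_domain_name = Default
project_name = service
project_domain_name = Default
"""
SYSTEM_SCOPED = """
[ironic]
auth_type = password
username = ironic-inspector
user_domain_name = Default
system_scope = all
"""
MIXED = PROJECT_SCOPED + "system_scope = all\n"
```

`check_scope(MIXED)` reports the half-migrated case, where a leftover `project_name` sits next to the new `system_scope`.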
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/2024.2)

Fix proposed to branch: stable/2024.2
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/936125
