[stein] Cannot get openstack role assignment list --names --system all output when all is fulfilled

Bug #1945988 reported by Jan Wasilewski
This bug affects 3 people
Affects: OpenStack Identity (keystone)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

I upgraded the OpenStack cloud from Rocky to Stein and tried to set up the new policies as described in the release documentation. However, I cannot retrieve some information, i.e. with the command in the bug title.

When executed:
openstack role assignment list --names --system all
output is:
You are not authorized to perform the requested action: identity:list_role_assignments. (HTTP 403) (Request-ID: req-6a27ecd6-7cef-41e4-8470-cf1037f383ac)

That is visible in log print: https://paste.opendev.org/show/809759/

Policy.yaml file is here: https://paste.opendev.org/show/809760/

The warning message is incorrect and says:

2021-10-04 14:20:40.378 1363 WARNING py.warnings [req-6a27ecd6-7cef-41e4-8470-cf1037f383ac f42df418fd404d04b9bdabf2f1b49fd9 509b380257a943b6809c4826e6be372c - default default] /usr/lib/python3/dist-packages/oslo_policy/policy.py:679: UserWarning: Policy "identity:get_mapping":"rule:admin_required" was deprecated in S in favor of "identity:list_mappings":"role:reader and system_scope:all". Reason:

When I removed "identity:get_mapping" from the policy file, the warning message is as shown here: https://paste.opendev.org/show/809761/

And when I set this rule to the value proposed in the warning message, I get a warning like this: https://paste.opendev.org/show/809762/

So it looks like the problem loops and doesn't make sense.

Besides that, it is incorrect that I cannot retrieve output from this command, as my reader user is system-scoped to all and I should be able to retrieve the role assignment list.

I'm trying to get this for user jwasilewski:
openstack role assignment list --names --system all
+--------+---------------------+-------------------+---------+--------+--------+-----------+
| Role   | User                | Group             | Project | Domain | System | Inherited |
+--------+---------------------+-------------------+---------+--------+--------+-----------+
| admin  |                     | Adm.Admin@Default |         |        | all    | False     |
| reader | jwasilewski@Default |                   |         |        | all    | False     |
+--------+---------------------+-------------------+---------+--------+--------+-----------+

But I'm not sure why 'system_scope': None appears in the logs. It seems to be incorrect behaviour.

Keystone packages version:
dpkg -l | grep keystone
ii keystone 2:15.0.1-0ubuntu1~cloud0 all OpenStack identity service - Daemons
ii keystone-common 2:15.0.1-0ubuntu1~cloud0 all OpenStack identity service - Common files
ii python3-keystone 2:15.0.1-0ubuntu1~cloud0 all OpenStack identity service - Python 3 library
ii python3-keystoneauth1 3.13.1-0ubuntu1~cloud0 all authentication library for OpenStack Identity - Python 3.x
ii python3-keystoneclient 1:3.19.0-0ubuntu1~cloud0 all client library for the OpenStack Keystone API - Python 3.x
ii python3-keystonemiddleware 6.0.0-0ubuntu1~cloud0 all Middleware for OpenStack Identity (Keystone) - Python 3.x

OS version:
cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS"

Tags: policy
Lance Bragstad (lbragstad) wrote :

Hi Jan,

It looks like the policy you're failing is:

"identity:list_role_assignments": "(role:reader and system_scope:all) or (role:reader and domain_id:%(target.domain_id)s)"

Are you using a system-scoped token to make the request?

You can find more information on the various personas and how to use them in keystone's documentation:

https://docs.openstack.org/keystone/latest/admin/service-api-protection.html
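To make the two branches of that rule concrete, here is an added, self-contained evaluator for the oslo.policy rule syntax used above (illustration code, not keystone's or oslo.policy's own; the credential and target dicts are constructed, and only role:, attribute checks, %(target.x)s placeholders, and/or and parentheses are handled, not rule: references). It shows why a request context that carries 'system_scope': None is denied even though the user holds the reader role.

```python
import re

# Constructed policy: the rule quoted in this thread, in oslo.policy syntax.
POLICY = {
    "identity:list_role_assignments":
        "(role:reader and system_scope:all) or "
        "(role:reader and domain_id:%(target.domain_id)s)",
}
# Tokens: a %(...)s placeholder or a run of non-paren chars, or a lone parenthesis.
_TOKENS = re.compile(r"(?:%\([^)]*\)s|[^()\s])+|\(|\)")

def _check(atom, creds, target):
    """Evaluate one 'kind:match' atom like oslo.policy's RoleCheck/GenericCheck."""
    kind, _, match = atom.partition(":")
    if match.startswith("%(") and match.endswith(")s"):
        # %(target.domain_id)s is filled from the flattened target dict (assumed shape).
        match = target.get(match[2:-2])
    if kind == "role":
        return match in creds.get("roles", [])
    value = creds.get(kind)
    # A None credential attribute never matches: a context logged with
    # 'system_scope': None therefore fails the system_scope:all branch.
    return value is not None and match is not None and str(value) == str(match)

def _primary(tokens, creds, target):
    if tokens[0] == "(":
        tokens.pop(0)
        result = _or(tokens, creds, target)
        if tokens.pop(0) != ")":
            raise ValueError("unbalanced parentheses in policy rule")
        return result
    return _check(tokens.pop(0), creds, target)

def _and(tokens, creds, target):
    result = _primary(tokens, creds, target)
    while tokens and tokens[0] == "and":
        tokens.pop(0)
        result = _primary(tokens, creds, target) and result  # consume; no short-circuit
    return result

def _or(tokens, creds, target):
    result = _and(tokens, creds, target)
    while tokens and tokens[0] == "or":
        tokens.pop(0)
        result = _and(tokens, creds, target) or result
    return result

def enforce(rule_name, creds, target=None):
    """True when creds satisfy POLICY[rule_name]; False is what becomes HTTP 403."""
    return _or(_TOKENS.findall(POLICY[rule_name]), creds, target or {})
```

Checking a request context with a proper system-scoped reader against a context where system_scope is None, as in the debug log, reproduces the allow and the 403 respectively.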

Jan Wasilewski (janwasilewski) wrote :

Hi Lance,

Thanks for your response. Unfortunately I'm still facing this issue, and I'm sure I'm using a system-scoped token, but I'm failing here.

In the request I'm executing:
openstack role assignment list --names --os-system-scope all --debug

I'm able to see that system_scope is set to all:
(...)'system_scope': 'all'(...)

Full trace available here: https://paste.opendev.org/show/bTRFkQ8PWBIikGTdyPMN/

But from the keystone logs it looks like system_scope is not taken into account at all, as in the DEBUG logs I got:

(...)'system_scope': None(...)

Full trace: https://paste.opendev.org/show/bbywldMgDz6w18GzFzyO/

Why doesn't keystone take the system scope into account? I see there is some wrong behaviour. I got the same output in the Train release of keystone as well.

Any advice is more than welcome here.
