Magnum

Unable to resize cluster after upgrading to Bobcat

Bug #2076052 reported by Jake Yip on 2024-08-05

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Magnum	Fix Released	Undecided	Unassigned

Bug Description

In Bobcat, the RBAC policies were updated [1] to support the 'secure-rbac' blueprint.

During this change, a bug was found in Heat drivers on how Trusts are used. Essentially, the Heat driver has been wrongly using the trustee's credentials instead of the trustor's credential. This bug was fixed in the same cycle [2].

However, as the fix is in the Heat template, clusters that have been created before Bobcat will not have the fix. They will be unable to resize once Magnum is upgraded to Bobcat.

[1] https://review.opendev.org/c/openstack/magnum/+/874945
[2] https://review.opendev.org/c/openstack/magnum/+/889144

See original description

Jake Yip (waipengyip) on 2024-08-05

description:

updated

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-08-12: Fix proposed to magnum (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/magnum/+/926143

Changed in magnum:
status:	New → In Progress

Revision history for this message

Jake Yip (waipengyip) wrote on 2024-08-13:

In addition to the above fix, the following policies may also be needed in /etc/magnum/policy.yaml

'certificate:create': 'rule:admin_or_project_member_user or rule:cluster_user'
'certificate:get': 'rule:admin_or_project_reader_user or rule:cluster_user'

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-09-25: Fix merged to magnum (master)

Reviewed: https://review.opendev.org/c/openstack/magnum/+/926143
Committed: https://opendev.org/openstack/magnum/commit/813e206e1b32c20210915668db459bac242302bf
Submitter: "Zuul (22348)"
Branch: master

commit 813e206e1b32c20210915668db459bac242302bf
Author: Jake Yip <email address hidden>
Date: Mon Aug 12 23:40:04 2024 +1000

Fix certs ops as trustee for existing clusters

    Change I249942a355577c4f1ef51b3988f0cc4979959d0b updated the domain_id
    field in context from domain_id to user_domain_id. Update the detection
    code here according.

    Without this, existing clusters will not be able to do some operations
    like resize. New clusters are OK because of the subsequent Change
    If5b31951959c7a141dc1cae5fefcabe4ebf438b3.

[1] https://opendev.org/openstack/magnum/commit/5971243169c5df863ebe81cff7ebd07f190b840a#diff-145868d956788eb211486eb4de153c9db680ac16

Closes-Bug: #2076052
Change-Id: Ibefb9bc35c85e30d2e1ccff252217bb4905eb1af

Changed in magnum:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2025-03-17: Fix included in openstack/magnum 20.0.0.0rc1

This issue was fixed in the openstack/magnum 20.0.0.0rc1 Epoxy release candidate.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.