Cannot create cron-trigger using trust-scoped token

Bug #1721508 reported by Nikolay Makhotkin
This bug affects 4 people
Affects: Mistral
Status: In Progress
Importance: High
Assigned to: Victor Coutellier
Milestone: none

Bug Description

Due to that it is impossible to do the following:

Create a workflow that creates a trigger.
Create a trigger which runs the workflow above.

So, in the workflow a trust-scoped token will be used for requests to Mistral. During the mistralclient call cron_triggers.create(), the Mistral server crashes and returns 500 with this trace:

Server-side error: "Authorization failed: You are not authorized to perform the requested action. (HTTP 403) (Request-ID: req-ed3cd937-cad2-4895-b8fe-9edf64a3b1aa)". Detail:
Traceback (most recent call last):

  File "/opt/mistral/local/lib/python2.7/site-packages/wsmeext/pecan.py", line 85, in callfunction
    result = f(self, *args, **kwargs)

  File "/opt/mistral/local/lib/python2.7/site-packages/mistral/api/controllers/v2/cron_trigger.py", line 73, in post
    workflow_id=values.get('workflow_id')
  File "/opt/mistral/local/lib/python2.7/site-packages/mistral/services/triggers.py", line 127, in create_cron_trigger
    security.add_trust_id(trigger_parameters)
  File "/opt/mistral/local/lib/python2.7/site-packages/mistral/services/security.py", line 110, in add_trust_id
    trust = create_trust()
  File "/opt/mistral/local/lib/python2.7/site-packages/mistral/services/security.py", line 41, in create_trust
    client = keystone.client()
  File "/opt/mistral/local/lib/python2.7/site-packages/mistral/utils/openstack/keystone.py", line 42, in client
    auth_url=auth_url
  File "/opt/mistral/local/lib/python2.7/site-packages/keystoneclient/v3/client.py", line 246, in __init__
    self.authenticate()
  File "/opt/mistral/local/lib/python2.7/site-packages/positional/__init__.py", line 108, in inner
    return wrapped(*args, **kwargs)
  File "/opt/mistral/local/lib/python2.7/site-packages/keystoneclient/httpclient.py", line 581, in authenticate
    resp = self.get_raw_token_from_identity_service(**kwargs)
  File "/opt/mistral/local/lib/python2.7/site-packages/keystoneclient/v3/client.py", line 332, in get_raw_token_from_identity_service
    _('Authorization failed: %s') % e)

Probably the client initialization is wrong in mistral/utils/openstack/keystone.py, line 42.

Steps to reproduce:

1. Create a keystone trust
2. Create a token using this trust (the token used inside the workflow above can simply be picked from the database, column context)
3. Try to send a request to Mistral:
curl http://10.10.0.1:8989/v2/cron_triggers -H "X-Auth-Token: $trust_token" -H "Content-Type: application/json" -X POST -d '{"name": "test_trigger", "workflow_name": "test_cron_trigger", "remaining_executions": "1", "pattern": "* * * * *"}'

{"debuginfo": null, "faultcode": "Server", "faultstring": "Authorization failed: You are not authorized to perform the requested action. (HTTP 403) (Request-ID: req-ed3cd937-cad2-4895-b8fe-9edf64a3b1aa)"}

4. Try to use this token to request something else (to verify it is valid)

curl http://10.10.0.1:5000/v3/projects -H "X-Auth-Token: $trust_token"

{"projects": [ ... ]}

5. Eventually we get the project list.

Changed in mistral:
milestone: queens-1 → queens-2
Changed in mistral:
milestone: queens-2 → queens-3
Changed in mistral:
milestone: queens-3 → rocky-1
Dougal Matthews (d0ugal)
Changed in mistral:
milestone: rocky-1 → rocky-2
status: Confirmed → Triaged
Dougal Matthews (d0ugal)
Changed in mistral:
status: Triaged → Confirmed
milestone: rocky-2 → rocky-3
Dougal Matthews (d0ugal)
Changed in mistral:
milestone: rocky-3 → stein-1
Dougal Matthews (d0ugal)
Changed in mistral:
milestone: stein-1 → none
ITD27M01 (igortiunov) wrote :

Hi Guys!

Is there any update?

Changed in mistral:
assignee: nobody → Victor Coutellier (alistarle)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to mistral (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/mistral/+/868425

Changed in mistral:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on mistral (master)

Change abandoned by "Victor Coutellier <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/mistral/+/868425
Reason: A PR has been made to the rocky branch: https://gerrit.ovh.tools/c/RDCLOUDPUBLICCLOUD/mistral/+/6346
