Activity log for bug #2049762

Date Who What changed Old value New value Message
2024-01-18 13:41:47 Franciszek Przewoźny bug added bug
2024-01-18 13:44:25 Franciszek Przewoźny tags kolla-ansible cinder kolla-ansible nova
2024-01-18 13:57:51 Franciszek Przewoźny bug added subscriber Damian
2024-01-18 14:05:14 Franciszek Przewoźny bug task added ossa
2024-01-18 14:05:26 Franciszek Przewoźny bug task added ossn
2024-01-18 14:10:13 Franciszek Przewoźny description

Old value:

Hi all,

It seems that the configuration done by kolla-ansible regarding service tokens is not compliant with the documentation. If I'm right, this might mean that OSSA-2023-003 isn't fully fixed there.

https://docs.openstack.org/cinder/2023.2/configuration/block-storage/service-token.html#configuration

1. Send service token

Section [service_user] is not defined at all for Cinder: https://github.com/openstack/kolla-ansible/blob/stable/2023.2/ansible/roles/cinder/templates/cinder.conf.j2; Nova has it defined: https://github.com/openstack/kolla-ansible/blob/stable/2023.2/ansible/roles/nova/templates/nova.conf.j2#L211

2. Service role

From the documentation: "The default service role is service, but we can use a different name or even have multiple service roles", whereas in kolla-ansible the Nova service jinja does not have a parameter to set service_token_roles and uses the default "service", while Cinder on the other hand has a HARDCODED "admin" value (https://github.com/openstack/kolla-ansible/blob/stable/2023.2/ansible/roles/cinder/templates/cinder.conf.j2#L119), and that's where I'm a bit lost. I thought that the service users "nova" and "cinder" should have only e.g. the "service" role in the "service" project, not multiple roles including the "admin" one.

3. Policies not prepared for "service" role only

Configuration of another role "service" for services (tested with Neutron and Placement) cannot be done, as there are policies restricting some API calls, e.g.:

Neutron:
ERROR neutron.notifiers.nova novaclient.exceptions.Forbidden: Policy doesn't allow os_compute_api:os-server-external-events:create to be performed. (HTTP 403)

The policy restricting that call is:
"os_compute_api:os-server-external-events:create": "rule:context_is_admin"

And the rule:context_is_admin definition is:
"context_is_admin": "role:admin"

Which totally blocks any effort put into getting rid of the "admin" service role for other services.

My environment isn't kolla-ansible, but I'm using kolla's jinja templates as a configuration reference sometimes. I'm raising this ticket, as it's a bit suspicious to me that something different is configured in kolla than is described in the manual.

Best regards,
Franciszek

New value:

Hi all,

It seems that the configuration done by kolla-ansible regarding service tokens is not compliant with the documentation. If I'm right, this might mean that OSSA-2023-003 isn't fully fixed there.

https://docs.openstack.org/cinder/2023.2/configuration/block-storage/service-token.html#configuration

1. Send service token

Section [service_user] is not defined at all for Cinder: https://github.com/openstack/kolla-ansible/blob/stable/2023.2/ansible/roles/cinder/templates/cinder.conf.j2; Nova has it defined: https://github.com/openstack/kolla-ansible/blob/stable/2023.2/ansible/roles/nova/templates/nova.conf.j2#L211

2. Service role

From the documentation: "A service role is nothing more than a Keystone role that allows a deployment to identify a service without the need to make them admins", and later: "The default service role is service, but we can use a different name or even have multiple service roles", whereas in kolla-ansible the Nova service jinja does not have a parameter to set service_token_roles and uses the default "service", while Cinder on the other hand has a HARDCODED "admin" value (https://github.com/openstack/kolla-ansible/blob/stable/2023.2/ansible/roles/cinder/templates/cinder.conf.j2#L119), and that's where I'm a bit lost. I thought that the service users "nova" and "cinder" should have only e.g. the "service" role in the "service" project, not multiple roles including the "admin" one.

3. Policies not prepared for "service" role only

Configuration of another role "service" for services (tested with Neutron and Placement) cannot be done, as there are policies restricting some API calls, e.g.:

Neutron:
ERROR neutron.notifiers.nova novaclient.exceptions.Forbidden: Policy doesn't allow os_compute_api:os-server-external-events:create to be performed. (HTTP 403)

The policy restricting that call is:
"os_compute_api:os-server-external-events:create": "rule:context_is_admin"

And the rule:context_is_admin definition is:
"context_is_admin": "role:admin"

Which totally blocks any effort put into getting rid of the "admin" service role for other services.

My environment isn't kolla-ansible, but I'm using kolla's jinja templates as a configuration reference sometimes. I'm raising this ticket, as it's a bit suspicious to me that something different is configured in kolla than is described in the manual.

Best regards,
Franciszek
2024-01-22 18:33:59 Franciszek Przewoźny information type Private Security Public Security
2024-01-30 15:16:03 Maksim Malchuk bug added subscriber Maksim Malchuk
2024-01-31 11:08:17 Bartosz Bezak bug added subscriber Bartosz Bezak
2024-01-31 17:49:39 Sven Kieske bug added subscriber Sven Kieske
2024-02-06 15:37:24 OpenStack Infra kolla-ansible: status New In Progress
2024-02-19 10:39:38 OpenStack Infra tags cinder kolla-ansible nova cinder in-stable-zed kolla-ansible nova
2024-02-19 10:39:42 OpenStack Infra tags cinder in-stable-zed kolla-ansible nova cinder in-stable-zed in-unmaintained-yoga kolla-ansible nova
2024-02-19 19:16:44 Maksim Malchuk nominated for series kolla-ansible/bobcat
2024-02-19 19:16:44 Maksim Malchuk bug task added kolla-ansible/bobcat
2024-02-19 19:16:44 Maksim Malchuk nominated for series kolla-ansible/zed
2024-02-19 19:16:44 Maksim Malchuk bug task added kolla-ansible/zed
2024-02-19 19:16:44 Maksim Malchuk nominated for series kolla-ansible/caracal
2024-02-19 19:16:44 Maksim Malchuk bug task added kolla-ansible/caracal
2024-02-19 19:16:44 Maksim Malchuk nominated for series kolla-ansible/antelope
2024-02-19 19:16:44 Maksim Malchuk bug task added kolla-ansible/antelope
2024-02-19 19:16:44 Maksim Malchuk nominated for series kolla-ansible/yoga
2024-02-19 19:16:44 Maksim Malchuk bug task added kolla-ansible/yoga
2024-02-19 19:17:34 Maksim Malchuk kolla-ansible/antelope: status New In Progress
2024-02-19 19:17:40 Maksim Malchuk kolla-ansible/bobcat: status New Confirmed
2024-02-19 19:17:46 Maksim Malchuk kolla-ansible/yoga: status New In Progress
2024-02-19 19:17:49 Maksim Malchuk kolla-ansible/zed: status New In Progress
2024-02-20 14:24:37 OpenStack Infra kolla-ansible: status In Progress Fix Released
2024-02-29 20:27:31 OpenStack Infra kolla-ansible/zed: status In Progress Fix Committed
2024-02-29 20:54:52 OpenStack Infra kolla-ansible/yoga: status In Progress Fix Committed
2024-02-29 22:56:33 Maksim Malchuk kolla-ansible/antelope: status In Progress Fix Committed
2024-02-29 22:56:37 Maksim Malchuk kolla-ansible/bobcat: status Confirmed Fix Committed
2024-03-06 20:10:36 OpenStack Infra kolla-ansible/antelope: status Fix Committed Fix Released
2024-03-06 20:11:40 OpenStack Infra kolla-ansible/bobcat: status Fix Committed Fix Released
2024-03-06 20:12:38 OpenStack Infra kolla-ansible/zed: status Fix Committed Fix Released
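As an added check tied to points 1 and 2 of the bug description above (example code, not kolla-ansible, Cinder or the reporter's own): it audits a cinder.conf/nova.conf for the settings the report describes, a missing [service_user] section and service_token_roles containing "admin" instead of "service". The option names are the real keystonemiddleware ones; the two sample configs are constructed.

```python
"""Audit an OpenStack service config for the service-token settings from the report."""
import configparser

def audit_service_token(conf_text: str) -> list[str]:
    """Return a list of findings; an empty list means the config matches the docs."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    # Point 1: without [service_user] the service never sends a service token.
    if not cp.has_section("service_user"):
        findings.append("missing [service_user] section: no service token is sent")
    elif not cp.getboolean("service_user", "send_service_user_token", fallback=False):
        findings.append("[service_user] send_service_user_token is not true")
    # Point 2: incoming service tokens should be validated against the
    # 'service' role (keystonemiddleware default), not 'admin'.
    raw = cp.get("keystone_authtoken", "service_token_roles", fallback="service")
    roles = [r.strip() for r in raw.split(",") if r.strip()]
    if "admin" in roles:
        findings.append(f"[keystone_authtoken] service_token_roles = {raw.strip()}: expected 'service'")
    # Without service_token_roles_required the role check is advisory only.
    if not cp.getboolean("keystone_authtoken", "service_token_roles_required", fallback=False):
        findings.append("[keystone_authtoken] service_token_roles_required is not true")
    return findings

# Constructed sample: shape of the template the report criticises.
BROKEN_CINDER_CONF = """
[keystone_authtoken]
auth_url = http://keystone.example.invalid:5000
auth_type = password
project_name = service
username = cinder
password = PLACEHOLDER
service_token_roles = admin
"""

# Constructed sample: the configuration the Cinder docs describe.
FIXED_CINDER_CONF = BROKEN_CINDER_CONF.replace(
    "service_token_roles = admin",
    "service_token_roles = service\nservice_token_roles_required = true",
) + """
[service_user]
send_service_user_token = true
auth_url = http://keystone.example.invalid:5000
auth_type = password
project_domain_name = Default
user_domain_name = Default
project_name = service
username = cinder
password = PLACEHOLDER
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CINDER_CONF), ("fixed", FIXED_CINDER_CONF)):
        print(name, audit_service_token(conf) or "OK")
```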