Page MenuHomePhabricator
Create Task
Maniphest T346453

[cumin] [openstack] Openstack backend fails when project is not set
Open, Stalled, HighPublicBUG REPORT
Actions

Description

This happens both in cloudcumin1001 and in cloud-cumin-03.

Note: as a workaround until this task is resolved, we manually applied the patch https://gerrit.wikimedia.org/r/c/operations/software/cumin/+/868814 to both cloudcumin1001 and cloud-cumin-03, overwriting the file /usr/lib/python3/dist-packages/cumin/backends/openstack.py

What happens?:

fnegri@cloudcumin1001:~$ sudo cumin 'O{*}'
Caught Unauthorized exception: The request you have made requires authentication. (HTTP 401) (Request-ID: req-1a882424-b48f-47f7-885c-fcad991fc231)

What should have happened instead?:

Cumin should list all hosts in all projects. This used to work until a few weeks/months ago in cloud-cumin-03. It was never tested in cloudcumin1001.

Other information (browser name/version, screenshots, etc.):

Stack trace: https://phabricator.wikimedia.org/P52513

@Andrew tried to apply this patch manually to cloud-cumin-03 and it fixed the issue: https://gerrit.wikimedia.org/r/c/operations/software/cumin/+/868814

Details

SubjectRepoBranchLines +/-
add domain param to openstack backendoperations/software/cuminmaster+93 -33
Customize query in gerrit

Related Objects
Search...

Event Timeline

fnegri created this task.Sep 15 2023, 3:58 PM
Restricted Application added a project: Infrastructure-Foundations. · View Herald TranscriptSep 15 2023, 3:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
gerritbot added a comment.Sep 15 2023, 3:59 PM

Change 868814 had a related patch set uploaded (by FNegri; author: Andrew Bogott):

[operations/software/cumin@master] add domain param to openstack backend

https://gerrit.wikimedia.org/r/868814

gerritbot added a project: Patch-For-Review.Sep 15 2023, 3:59 PM
fnegri claimed this task.Sep 15 2023, 4:12 PM
fnegri triaged this task as Medium priority.
fnegri added a project: cloud-services-team (FY2023/2024-Q1-Q2).
Volans added a comment.Sep 19 2023, 1:45 PM

@fnegri thanks for the task. Have you checked on the openstack logs if there is anything explicit on what the missing permission was?

From the cumin logs:

2023-09-19 13:23:26,434 [DEBUG 282873 keystoneauth.identity.v3.base.get_auth_ref] Making authentication request to https://openstack.eqiad1.wikimediacloud.org:25000/v3/auth/tok
ens
2023-09-19 13:23:26,436 [DEBUG 282873 urllib3.connectionpool._new_conn] Starting new HTTPS connection (1): openstack.eqiad1.wikimediacloud.org:25000
2023-09-19 13:23:27,023 [DEBUG 282873 urllib3.connectionpool._make_request] https://openstack.eqiad1.wikimediacloud.org:25000 "POST /v3/auth/tokens HTTP/1.1" 401 None
2023-09-19 13:23:27,026 [DEBUG 282873 keystoneauth.session.request] Request returned failure status: 401

But a previous call to the same endpoint was successful at the start of the same run:

2023-09-19 13:23:25,348 [DEBUG 282873 urllib3.connectionpool._make_request] https://openstack.eqiad1.wikimediacloud.org:25000 "POST /v3/auth/tokens HTTP/1.1" 201 None

And those were the only 2 calls made to that api:

$ sudo grep "POST /v3/auth/tokens" /var/log/cumin/cumin.log
2023-09-19 13:23:25,348 [DEBUG 282873 urllib3.connectionpool._make_request] https://openstack.eqiad1.wikimediacloud.org:25000 "POST /v3/auth/tokens HTTP/1.1" 201 None
2023-09-19 13:23:27,023 [DEBUG 282873 urllib3.connectionpool._make_request] https://openstack.eqiad1.wikimediacloud.org:25000 "POST /v3/auth/tokens HTTP/1.1" 401 None

So I'm wondering if this was some sort of re-authentication from keystoneauth because of expired token or because it had to authenticate for another domain or similar and that failed because of lack of authorization.

That said, yes I know there are the 2 pending patches and I should really find the time to debug/test/work on them. This is also the end of the quarter and I'm fairly busy finishing things, do you think it could wait the beginning of October?

fnegri added a comment.Sep 19 2023, 1:59 PM

@Volans October is fine, we'll make sure that the CI is passing in the meantime.

wondering if this was some sort of re-authentication from keystoneauth because of expired token or because it had to authenticate for another domain

I think this is because of the domain, but I'm not 100% sure.

fnegri mentioned this in T347428: cumin and cloud-vps instances not working.Sep 27 2023, 9:29 AM
fnegri added a parent task: T347428: cumin and cloud-vps instances not working.Sep 27 2023, 11:56 AM
fnegri raised the priority of this task from Medium to High.Oct 20 2023, 4:54 PM
JMeybohm subscribed.Oct 25 2023, 5:34 PM
fnegri changed the task status from Open to In Progress.Oct 26 2023, 4:09 PM
fnegri moved this task from Backlog to In progress on the cloud-services-team (FY2023/2024-Q1-Q2) board.
fnegri reassigned this task from fnegri to Volans.Dec 13 2023, 12:31 PM
fnegri edited projects, added cloud-services-team; removed cloud-services-team (FY2023/2024-Q1-Q2).
fnegri moved this task from Inbox to Watching on the cloud-services-team board.
Volans merged a task: T208861: cumin: Support multiple OpenStack regions.Jan 8 2024, 3:36 PM
Volans added subscribers: GTirloni, gerritbot, crusnov, Krenair.
fnegri updated the task description. (Show Details)Apr 4 2024, 1:07 PM
fnegri claimed this task.Apr 8 2024, 9:09 AM
fnegri edited projects, added cloud-services-team (FY2023/2024-Q3-Q4); removed cloud-services-team.
fnegri moved this task from Backlog to In progress on the cloud-services-team (FY2023/2024-Q3-Q4) board.Apr 9 2024, 2:18 PM
fnegri updated the task description. (Show Details)Apr 11 2024, 10:41 AM
fnegri changed the task status from In Progress to Stalled.Apr 15 2024, 12:38 PM

Last week I tried reproducing this in a local DevStack environment. I was partially successful but I could not test all the scenarios I had in mind because I had some issues setting up the environment itself and I could not create servers.

I will move this back to "Stalled" but when I have some more time I would like to test the following scenarios:

  • Running Cumin with O{*}, O{domain:foo} and O{project:bar}
  • Each of the above with different user roles (any combination of admin, member, or reader on system, domain or project scopes)

Another thing we want to ensure is that Cumin is working both when the policy os_compute_api:servers:index:get_all_tenants is set to True and when it is set to False. Given that this policy is by default set to context_is_admin (which by default maps to role:admin), testing the different roles listed above (admin, member, reader) in an environment with default settings should be enough.

fnegri moved this task from In progress to Blocked on the cloud-services-team (FY2023/2024-Q3-Q4) board.Apr 15 2024, 12:51 PM
Volans mentioned this in T325773: Cumin/Openstack: multi-project commands are extremely slow.Apr 16 2024, 8:52 AM
Volans merged a task: T325773: Cumin/Openstack: multi-project commands are extremely slow.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL