
Keystone permissions exception when trying to approve Tool Labs membership request via Striker
Closed, Resolved (Public)

Description

2017-05-08T19:23:54Z [56544279b83846e5b7b70dde7835e2b6] django.request ERROR: Internal Server Error: /tools/membership/status/1
Traceback (most recent call last):
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/django/core/handlers/base.py", line 132, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "./striker/tools/views.py", line 347, in membership_status
    request.user.shellname,
  File "./striker/openstack.py", line 89, in grant_role
    keystone.roles.grant(self.role(role), user, project=project)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/positional/__init__.py", line 101, in inner
    return wrapped(*args, **kwargs)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/keystoneclient/v3/roles.py", line 260, in grant
    **kwargs)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/keystoneclient/base.py", line 75, in func
    return f(*args, **new_kwargs)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/keystoneclient/base.py", line 404, in put
    method='PUT')
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/keystoneclient/base.py", line 228, in _update
    **kwargs)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/keystoneauth1/adapter.py", line 232, in put
    return self.request(url, 'PUT', **kwargs)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/keystoneauth1/adapter.py", line 380, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/keystoneauth1/adapter.py", line 148, in request
    return self.session.request(url, method, **kwargs)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/positional/__init__.py", line 101, in inner
    return wrapped(*args, **kwargs)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/keystoneauth1/session.py", line 655, in request
    raise exceptions.from_response(resp, method, url)
keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the requested action: identity:create_grant (HTTP 403) (Request-ID: req-d83a8d3e-dd18-422d-bfed-5251cc06fd7b)

Event Timeline

Granting the role using the openstack cli tool from californium works as expected:

$ openstack role add --user strikertest20170508 --project tools user
$ openstack role assignment list --user strikertest20170508
+----------------------------------+---------------------+-------+---------+--------+-----------+
| Role                             | User                | Group | Project | Domain | Inherited |
+----------------------------------+---------------------+-------+---------+--------+-----------+
| f473273fac7146b3bdbf22e5d4504f95 | strikertest20170508 |       | tools   |        | False     |
+----------------------------------+---------------------+-------+---------+--------+-----------+
$ openstack role remove --user strikertest20170508 --project tools user
$ openstack role assignment list --user strikertest20170508

My current hunch is that this is being blocked because Striker is asking to talk to the public endpoint for the identity service rather than the admin endpoint (i.e. talking to port 5000 instead of port 35357).

Change 352689 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[labs/striker@master] openstack: Interact with keystone via 'admin' interface

https://gerrit.wikimedia.org/r/352689

I tested the patch from https://gerrit.wikimedia.org/r/352689 by cherry-picking on californium and it did not solve the issue.

It turns out that the poorly documented trick needed is that when authenticating to keystone the project_id passed must be the id for the admin project in order to get super user privileges and that without super user privileges you can't alter grants. The permissions must be looser in my testing environments somehow because authenticating with id of the tools project works fine there.
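As an added illustration (not Striker's code and not taken from the task or the linked change), the following Python shows both halves of the finding above: a minimal oslo.policy-style evaluator that makes visible why a token scoped to the tools project is refused identity:create_grant when admin_required is tied to the admin project scope, and a helper that builds the keystoneauth1 v3 password plugin scoped to the admin project, which is the shape of the fix. The policy rule text, the admin project id "admin", and the helper names (`token_creds`, `can_create_grant`, `admin_scoped_auth`) are assumptions made for the example; upstream keystone's default admin_required only checked role:admin, so a deployment policy like the one below is what would reproduce the 403 in the description.

```python
"""Added example (not Striker's code): why a keystone token scoped to the
tools project is refused identity:create_grant, and how to scope the
service account's token to the admin project instead.

ASSUMPTIONS (not stated on the task page):
  * The deployment's keystone policy looks like POLICY below (oslo.policy
    syntax).  Upstream keystone's default "admin_required" was
    "role:admin or is_admin:1"; a stricter variant that also pins the token
    scope to the admin project reproduces the 403 seen in the traceback.
  * The admin project's id is the literal string "admin"; the helper
    function names are invented for this example.
"""


POLICY = {
    "admin_required": "role:admin and project_id:admin",
    "identity:create_grant": "rule:admin_required",
}


def _check(term, creds):
    """Evaluate one oslo.policy-style term against token credentials."""
    kind, _, value = term.partition(":")
    if kind == "rule":                      # rule:<name> -> recurse
        return enforce(value, creds)
    if kind == "role":                      # role:<name> -> membership test
        return value in creds.get("roles", ())
    # generic <field>:<literal> -> compare against the credential field
    return str(creds.get(kind)) == value


def enforce(rule_name, creds):
    """Minimal evaluator: 'or' binds loosest, 'and' tightest, no parentheses."""
    return any(
        all(_check(term.strip(), creds) for term in conj.split(" and "))
        for conj in POLICY[rule_name].split(" or ")
    )


def token_creds(user_id, project_id, roles):
    """The credential dict keystone derives from a project-scoped token."""
    return {"user_id": user_id, "project_id": project_id, "roles": list(roles)}


def can_create_grant(creds):
    """True when the policy lets this token call identity:create_grant."""
    return enforce("identity:create_grant", creds)


def admin_scoped_auth(auth_url, username, password, admin_project_id,
                      user_domain_name="default"):
    """Build the keystoneauth1 v3 password plugin scoped to the admin project.

    Same credentials as before; only project_id changes from the tools
    project's id to the admin project's id.  Returns None when keystoneauth1
    is not installed so this file still runs offline.
    """
    try:
        from keystoneauth1.identity import v3
    except ImportError:
        return None
    return v3.Password(auth_url=auth_url, username=username, password=password,
                       user_domain_name=user_domain_name,
                       project_id=admin_project_id)


if __name__ == "__main__":
    # Constructed tokens for the same service account, differing only in scope.
    tools_scoped = token_creds("striker", "tools", ["admin"])
    admin_scoped = token_creds("striker", "admin", ["admin"])
    print("tools-scoped create_grant:", can_create_grant(tools_scoped))  # False -> HTTP 403
    print("admin-scoped create_grant:", can_create_grant(admin_scoped))  # True
```

The useful check when deploying a change like this is to request a token scoped each way with the service account and retry the grant: only the admin-scoped token should succeed, and the failure from the tools-scoped one should read exactly like the 403 in the description. The evaluator is deliberately minimal (no parentheses, no `%(target)s` substitution); it exists to show the scope dependency, not to replace oslo.policy.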

Change 352689 merged by jenkins-bot:
[labs/striker@master] openstack: Role modifications require global admin rights

https://gerrit.wikimedia.org/r/352689

Change 352719 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[labs/striker/deploy@master] Bump striker submodule

https://gerrit.wikimedia.org/r/352719

Change 352719 merged by jenkins-bot:
[labs/striker/deploy@master] Bump striker submodule

https://gerrit.wikimedia.org/r/352719

Mentioned in SAL (#wikimedia-operations) [2017-05-08T22:54:04Z] <bd808@tin> Started deploy [striker/deploy@00e8545]: openstack: Role modifications require global admin rights (T164787)

Mentioned in SAL (#wikimedia-operations) [2017-05-08T22:54:31Z] <bd808@tin> Finished deploy [striker/deploy@00e8545]: openstack: Role modifications require global admin rights (T164787) (duration: 00m 27s)