2017-05-08T19:23:54Z [56544279b83846e5b7b70dde7835e2b6] django.request ERROR: Internal Server Error: /tools/membership/status/1
Traceback (most recent call last):
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/django/core/handlers/base.py", line 132, in get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "./striker/tools/views.py", line 347, in membership_status
    request.user.shellname,
  File "./striker/openstack.py", line 89, in grant_role
    keystone.roles.grant(self.role(role), user, project=project)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/positional/__init__.py", line 101, in inner
    return wrapped(*args, **kwargs)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/keystoneclient/v3/roles.py", line 260, in grant
    **kwargs)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/keystoneclient/base.py", line 75, in func
    return f(*args, **new_kwargs)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/keystoneclient/base.py", line 404, in put
    method='PUT')
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/keystoneclient/base.py", line 228, in _update
    **kwargs)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/keystoneauth1/adapter.py", line 232, in put
    return self.request(url, 'PUT', **kwargs)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/keystoneauth1/adapter.py", line 380, in request
    resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/keystoneauth1/adapter.py", line 148, in request
    return self.session.request(url, method, **kwargs)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/positional/__init__.py", line 101, in inner
    return wrapped(*args, **kwargs)
  File "/srv/deployment/striker/venv/lib/python3.4/site-packages/keystoneauth1/session.py", line 655, in request
    raise exceptions.from_response(resp, method, url)
keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the requested action: identity:create_grant (HTTP 403) (Request-ID: req-d83a8d3e-dd18-422d-bfed-5251cc06fd7b)
Description
Details
Project | Branch | Lines +/- | Subject
---|---|---|---
labs/striker/deploy | master | +1 -1 | Bump striker submodule
labs/striker | master | +13 -7 | openstack: Role modifications require global admin rights
Status | Subtype | Assigned | Task
---|---|---|---
Open | None | | T189531 All Wikimedia developer services should use single sign-on
Open | None | | T161859 Make Wikitech an SUL wiki
Open | None | | T106123 Extensions needing to be removed from Wikimedia wikis
Resolved | | Marostegui | T164887 Drop Semantic Database tables from wikitech wikis
Resolved | | bd808 | T53642 Get rid of SemanticMediaWiki/SRF/SF from wikitech.wikimedia.org
Resolved | | bd808 | T162508 Implement Tool Labs membership application and processing in Striker
Resolved | | bd808 | T164787 Keystone permissions exception when trying to approve Tool Labs membership request via Striker
Event Timeline
Granting the role using the openstack cli tool from californium works as expected:
$ openstack role add --user strikertest20170508 --project tools user
$ openstack role assignment list --user strikertest20170508
+----------------------------------+---------------------+-------+---------+--------+-----------+
| Role                             | User                | Group | Project | Domain | Inherited |
+----------------------------------+---------------------+-------+---------+--------+-----------+
| f473273fac7146b3bdbf22e5d4504f95 | strikertest20170508 |       | tools   |        | False     |
+----------------------------------+---------------------+-------+---------+--------+-----------+
$ openstack role remove --user strikertest20170508 --project tools user
$ openstack role assignment list --user strikertest20170508
My current hunch is that this is being blocked because Striker is asking to talk to the public endpoint for the identity service rather than the admin endpoint (i.e. talking to port 5000 instead of port 35357).
Change 352689 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[labs/striker@master] openstack: Interact with keystone via 'admin' interface
I tested the patch from https://gerrit.wikimedia.org/r/352689 by cherry-picking on californium and it did not solve the issue.
It turns out that the poorly documented trick needed is that when authenticating to keystone the project_id passed must be the id for the admin project in order to get super user privileges and that without super user privileges you can't alter grants. The permissions must be looser in my testing environments somehow because authenticating with id of the tools project works fine there.
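To make the scoping point above concrete, here is an added example (not Striker's code and not attached to this task) showing the Keystone v3 request shapes involved: the password-auth body whose `scope.project.id` decides which roles the resulting token carries, the `PUT /v3/projects/{p}/users/{u}/roles/{r}` call that `keystoneclient`'s `roles.grant()` issues (the call that failed with `identity:create_grant`), and a pre-flight check that a token is scoped to the admin project and carries the admin role before a grant is attempted. All ids (`ADMIN_PROJECT_ID`, `TOOLS_PROJECT_ID`, user and role ids) are placeholders, and the assumption that the privileged role is named `admin` is the conventional Keystone policy default, not something this task states.

```python
"""Keystone v3 request shapes for a project-level role grant.

Constructed example for illustration; not Striker's code. Every id below is a
placeholder that would come from `openstack project list` / `openstack user
list` / `openstack role list` in a real deployment.
"""

ADMIN_PROJECT_ID = "admin-project-id-placeholder"   # placeholder
TOOLS_PROJECT_ID = "tools-project-id-placeholder"   # placeholder
USER_DOMAIN_ID = "default"
PRIVILEGED_ROLE = "admin"   # assumption: default Keystone policy role name


def auth_request_body(username, password, project_id, domain_id=USER_DOMAIN_ID):
    """Body for POST /v3/auth/tokens using the password method.

    The token's privileges are the roles the user holds on the project named
    in `scope`, so the same credentials scoped to the tools project and to the
    admin project produce tokens with different rights.  Only the admin-scoped
    token is allowed identity:create_grant under default policy.
    """
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": username,
                        "domain": {"id": domain_id},
                        "password": password,
                    }
                },
            },
            "scope": {"project": {"id": project_id}},
        }
    }


def grant_request(keystone_url, project_id, user_id, role_id):
    """Method and URL keystoneclient's roles.grant(role, user, project=...)
    sends for a project-level grant: PUT /v3/projects/{p}/users/{u}/roles/{r}.
    """
    url = "{base}/v3/projects/{p}/users/{u}/roles/{r}".format(
        base=keystone_url.rstrip("/"), p=project_id, u=user_id, r=role_id)
    return ("PUT", url)


def token_can_modify_grants(token_response):
    """Pre-flight check on the JSON body returned by POST /v3/auth/tokens.

    Returns True only when the token is scoped to the admin project and lists
    the privileged role; a tools-scoped token fails here before any PUT is
    attempted, which is cheaper and clearer than catching the 403 afterwards.
    """
    token = token_response.get("token", {})
    scoped_project = token.get("project", {}).get("id")
    role_names = {r.get("name") for r in token.get("roles", [])}
    return scoped_project == ADMIN_PROJECT_ID and PRIVILEGED_ROLE in role_names


def explain_forbidden(status_code, body_text):
    """Turn the 403 seen in this task into an operator-facing hint."""
    if status_code == 403 and "identity:create_grant" in body_text:
        return ("token not authorized for identity:create_grant; re-authenticate "
                "scoped to the admin project (project_id=%s)" % ADMIN_PROJECT_ID)
    return None


if __name__ == "__main__":
    # Constructed token responses: one scoped to tools, one scoped to admin.
    tools_token = {"token": {"project": {"id": TOOLS_PROJECT_ID},
                             "roles": [{"name": "user"}]}}
    admin_token = {"token": {"project": {"id": ADMIN_PROJECT_ID},
                             "roles": [{"name": PRIVILEGED_ROLE}]}}
    for label, tok in (("tools-scoped", tools_token), ("admin-scoped", admin_token)):
        print(label, "may modify grants:", token_can_modify_grants(tok))
    print(grant_request("http://keystone.example:35357", TOOLS_PROJECT_ID,
                        "user-id-placeholder", "role-id-placeholder"))
    print(explain_forbidden(403, "You are not authorized to perform the "
                                 "requested action: identity:create_grant"))
```

The example deliberately keeps the scope choice as an explicit parameter to `auth_request_body`: the bug in this task was not a wrong endpoint but a token scoped to a project on which the service user holds no grant-modifying role, which is exactly what `token_can_modify_grants` would have flagged before the PUT.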
Change 352689 merged by jenkins-bot:
[labs/striker@master] openstack: Role modifications require global admin rights
Change 352719 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[labs/striker/deploy@master] Bump striker submodule
Change 352719 merged by jenkins-bot:
[labs/striker/deploy@master] Bump striker submodule
Mentioned in SAL (#wikimedia-operations) [2017-05-08T22:54:04Z] <bd808@tin> Started deploy [striker/deploy@00e8545]: openstack: Role modifications require global admin rights (T164787)
Mentioned in SAL (#wikimedia-operations) [2017-05-08T22:54:31Z] <bd808@tin> Finished deploy [striker/deploy@00e8545]: openstack: Role modifications require global admin rights (T164787) (duration: 00m 27s)