Comment 5 for bug 1592612

Hi guys,

This bug was previously marked as a duplicate of bug #1519170.

However, Lbaas TERMINATED_HTTPS is still not working for a non-admin tenant even with bug #1519170 fixed.

I am going to reraise this bug and I assume that bug #1497410 and bug #1612588 will also have the same issue.

My test env is barbican (master); all other components are from the stable/mitaka branch.

The error I got was:
# source /home/stack/devstack/openrc admin demo
# neutron lbaas-listener-create --loadbalancer 40e04e16-4d84-46d8-8dcd-6717a734d37e --protocol-port 443 --protocol TERMINATED_HTTPS --name listener1 --default-tls-container
TLS container is invalid. Forbidden
Neutron server returns request_ids: ['req-6116a004-c17e-4a50-9ad6-f17380ce011a']

Related q-svc.log and barbican-svc.log will be attached on next comment.

I made a few breakpoints to trace back the issue and that's where I found out the last error:
traceback neutron_lbaas/services/loadbalancer/ self._validate_tls(listener)
traceback neutron_lbaas/services/loadbalancer/ cert_parser.validate_cert(cert_container.get_certificate(),
traceback neutron_lbaas/common/cert_manager/ return self._cert_container.certificate.payload
traceback python2.7/site-packages/barbicanclient/ self._fetch_payload()
traceback python2.7/site-packages/barbicanclient/ if not self.payload_content_type and not self.content_types:
traceback python2.7/site-packages/barbicanclient/ self._fill_lazy_properties()
traceback python2.7/site-packages/barbicanclient/ result = self._api.get(self._secret_ref)
Processed request: 403 Forbidden - GET

I dumped the request and found the X-Auth-Token header is actually the token for admin tenant instead of demo tenant.
Also in /etc/barbican/policy.json, if I change "secret:get" to "rule:all_users", the issue will be solved.

I believe some work needs to be done either on the barbican client or on the policy.json.