Designate

Policy check failed for rule 'update_service_status'

Bug #1753503 reported by Pawel Dudczak on 2018-03-05

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Designate	Status tracked in Rocky
Queens	Fix Committed	Undecided	Graham Hayes	Designate 6.0.1
Rocky	Fix Released	Undecided	Graham Hayes	Designate 7.0.0.0b1 "r1"

Bug Description

HI, while I want to increase the zone limit for the project via designate api, I get an error

2018-03-02 11: 22: 43.564 70788 INFO designate.policy [req-788a5afc-9d2a-48b9-b3de-ebd3b5500195 - - - - -] Policy check failed for rule 'update_service_status' on target {}

The policy file policy.json does not have the correct policy but there is an incorrect entry "update_service_service_status": "rule: admin"
When I change it manually to: "update_service_status": "rule: admin"
everything works fine, I checked rpms for designate-ocata, designate-pike version and there is an error in them

Revision history for this message

Graham Hayes (grahamhayes) wrote on 2018-03-07:

After you change that policy, quota updates start working? That seems unrelated.

Can you confirm the exact API / CLI call?

Changed in designate:
status:	New → Incomplete

Revision history for this message

Pawel Dudczak (pdudczak) wrote on 2018-03-08:

one server with designate for each of my requests for quota, whether it's about used or for change - it responded with code 403, because:
he could not check the policy:

2018-03-02 11: 17: 59.289 70788 INFO designate.policy [req-2a18ea16-caed-4fc5-afdb-5ad1438b2aa8 - - - - -] Policy check failed for rule 'update_service_status' on target {}
2018-03-02 09: 53: 37.705 75185 INFO designate.policy [req-10783fb6-c3e8-4532-9dac-bfc668712d16 2ec06804415d4c3b86eb802f3566c950 2bfd80a1da4e4d178a1f8e3b75c9ad4c - - -] Policy check failed for rule 'set_quota' on target {'tenant_id': u ' 2bfd80a1da4e4d178a1f8e3b75c9ad4c ',' resource ': u'zones', 'hard_limit': 20}

when I added the line "update_service_status": "rule: admin" instead of "update_service_service_status": "rule: admin" everything started working correctly I wonder if it helped him restart or change in the policy.json file and which entry is correct.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-03-12: Fix proposed to designate (master)

Fix proposed to branch: master
Review: https://review.openstack.org/552143

Changed in designate:
assignee:	nobody → Graham Hayes (grahamhayes)
status:	Incomplete → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-03-12: Fix proposed to designate (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/552144

Revision history for this message

Pawel Dudczak (pdudczak) wrote on 2018-03-13:

many thanks

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-03-15: Fix merged to designate (master)

Reviewed: https://review.openstack.org/552143
Committed: https://git.openstack.org/cgit/openstack/designate/commit/?id=54be325783513aa472fd78f3c29ed5ffaae598c0
Submitter: Zuul
Branch: master

commit 54be325783513aa472fd78f3c29ed5ffaae598c0
Author: Graham Hayes <email address hidden>
Date: Mon Mar 12 21:21:16 2018 +0000

Fix policy name

    The `update_service_status` policy was missed
    named as `update_service_service_status` which seemed
    to cause issues for other rules.

Closes-Bug: #1753503

Change-Id: Ic2952c36c03a4cb7a148f1518766ddefb9144dcd

Changed in designate:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-03-26: Fix merged to designate (stable/queens)

Reviewed: https://review.openstack.org/552144
Committed: https://git.openstack.org/cgit/openstack/designate/commit/?id=cbb6119155ada3e8fb96f42e140f62d030bac548
Submitter: Zuul
Branch: stable/queens

commit cbb6119155ada3e8fb96f42e140f62d030bac548
Author: Graham Hayes <email address hidden>
Date: Mon Mar 12 21:21:16 2018 +0000

Fix policy name

    The `update_service_status` policy was missed
    named as `update_service_service_status` which seemed
    to cause issues for other rules.

Closes-Bug: #1753503

Change-Id: Ic2952c36c03a4cb7a148f1518766ddefb9144dcd
(cherry picked from commit 54be325783513aa472fd78f3c29ed5ffaae598c0)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-04-09: Fix included in openstack/designate 6.0.1

This issue was fixed in the openstack/designate 6.0.1 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-04-19: Fix included in openstack/designate 7.0.0.0b1

This issue was fixed in the openstack/designate 7.0.0.0b1 development milestone.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.