Missing configuration for application access rules

Bug #1965111 reported by Will Szumski
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| kolla-ansible | Fix Released | Medium | Will Szumski | |
| Wallaby | Fix Released | Medium | Maksim Malchuk | |
| Xena | Fix Released | Medium | Maksim Malchuk | |
| Yoga | Fix Released | Medium | Maksim Malchuk | |

Bug Description

Release: Wallaby, but I think this affects master.

Steps to reproduce:

- Create an application cred with the following rules

  [
    {
        "path": "/v2.1/**",
        "method": "GET",
        "service": "compute"
    },
    {
        "path": "/**",
        "method": "GET",
        "service": "network"
    }
  ]

- Try and use the application credential to do an openstack server list
- Observe that the request is refused with status 401

Looking in the logs, I saw:

    Cannot validate request with restricted access rules. Set service_type in [keystone_authtoken] to allow access rule validation.

I believe we need to add the equivalent of:

  [keystone_authtoken]
  service_type = compute

to every service, where this particular example is for nova.
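The failure mode reported above, as an added example that is not part of the bug report and is not kolla-ansible or keystonemiddleware code: a simplified model of a service deciding on a request made with the report's access rules, before and after `service_type` is set. The function names, the sample config text and its hostname are constructed for illustration, and the wildcard handling (`**` spans path segments, `*` stays within one) is an assumption of this model.

```python
import configparser
import re

# Constructed sample configs (not from a real deployment).
NOVA_BEFORE = """
[keystone_authtoken]
auth_url = http://keystone.example:5000
"""
NOVA_AFTER = NOVA_BEFORE + "service_type = compute\n"

# Access rules copied from the bug report.
RULES = [
    {"path": "/v2.1/**", "method": "GET", "service": "compute"},
    {"path": "/**", "method": "GET", "service": "network"},
]


def configured_service_type(conf_text):
    """Return [keystone_authtoken]/service_type, or None when unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.get("keystone_authtoken", "service_type", fallback=None)


def _pattern_to_regex(pattern):
    # Assumed wildcard semantics: "**" spans path segments, "*" stays in one.
    out = []
    for part in re.split(r"(\*\*|\*)", pattern):
        out.append({"**": ".*", "*": "[^/]*"}.get(part, re.escape(part)))
    return re.compile("".join(out) + r"\Z")


def request_allowed(conf_text, rules, method, path):
    """Model of the check; returns (allowed, reason)."""
    service_type = configured_service_type(conf_text)
    if service_type is None:
        # The state the bug describes: rules present, nothing to compare with.
        return False, "service_type unset: cannot validate access rules"
    for rule in rules:
        if (rule["service"] == service_type and rule["method"] == method
                and _pattern_to_regex(rule["path"]).match(path)):
            return True, "matched rule %s" % rule["path"]
    return False, "no access rule matches"
```

Running `configured_service_type` over each deployed service's rendered config is a quick way to find services that would still refuse rule-restricted application credentials.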

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)
Changed in kolla-ansible:
status: New → In Progress
Mark Goddard (mgoddard)
Changed in kolla-ansible:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/834035
Committed: https://opendev.org/openstack/kolla-ansible/commit/49006e56d99199b696bd762eb3167dbba42237e1
Submitter: "Zuul (22348)"
Branch: master

commit 49006e56d99199b696bd762eb3167dbba42237e1
Author: Will Szumski <email address hidden>
Date: Wed Mar 16 15:12:30 2022 +0000

    Add keystone_authtoken.service_type

    Fixes an issue where access rules failed to validate:

        Cannot validate request with restricted access rules. Set
        service_type in [keystone_authtoken] to allow access rule validation

    I've used the values from the endpoint. This was mostly a
    straightforward copy and paste, except:

    - versioned endpoints, e.g. cinderv3, where I stripped the version
    - monasca has multiple endpoints associated with a single service. For
      this, I concatenated logging and monitoring to be logging-monitoring.

    Closes-Bug: #1965111
    Change-Id: Ic4b3ab60abad8c3dd96cd4923a67f2a8f9d195d7

Changed in kolla-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 15.0.0.0rc1

This issue was fixed in the openstack/kolla-ansible 15.0.0.0rc1 release candidate.

Maksim Malchuk (mmalchuk) wrote :

Should this be backported till Wallaby?

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/886359

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/886360

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/886361

Changed in kolla-ansible:
assignee: nobody → Will Szumski (willjs)
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 14.9.0

This issue was fixed in the openstack/kolla-ansible 14.9.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible wallaby-eol

This issue was fixed in the openstack/kolla-ansible wallaby-eol release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible xena-eol

This issue was fixed in the openstack/kolla-ansible xena-eol release.
