Details: {'faultcode': 'Client', 'faultstring': 'Policy does not allow this request to be performed.', 'debuginfo': None}

Bug #1980370 reported by Felipe Reyes
This bug affects 2 people
Affects: OpenStack Octavia Charm
Status: Triaged
Importance: High
Assigned to: Unassigned

Bug Description

When running tempest on a focal-yoga cloud with the following patches for the keystone and octavia charms:

https://review.opendev.org/c/openstack/charm-keystone/+/848145
https://review.opendev.org/c/openstack/charm-octavia/+/848297
https://review.opendev.org/c/openstack/charm-octavia/+/848298

Those patches address issues with the policy and OVN driver and are needed to get to the point where tempest tries to create a load balancer. This load balancer is created using a user that has the load-balancer_member role, which according to the documentation should be able to perform write operations when it's also a member of said project.

load-balancer:write
    load-balancer_admin
    load-balancer_member and <project member>
    role:admin

However, the policy check fails. This is the log line:

[Thu Jun 30 02:06:03.018460 2022] [wsgi:error] [pid 155021:tid 140012009371392] [remote 127.0.0.1:57466] 2022-06-30 02:06:03.017 155021 DEBUG octavia.common.policy [req-b78268bf-7927-4f78-9403-56932caca248 - 474c2ed5049e40178e484aa0e102552e - f1d24e18654c45709a362de0c3b782c2 f1d24e18654c45709a362de0c3b782c2] Policy check for os_load-balancer_api:loadbalancer:post failed with credentials {'is_admin': False, 'user_id': None, 'user_domain_id': 'f1d24e18654c45709a362de0c3b782c2', 'system_scope': None, 'domain_id': None, 'project_id': '474c2ed5049e40178e484aa0e102552e', 'project_domain_id': 'f1d24e18654c45709a362de0c3b782c2', 'roles': ['load-balancer_member'], 'is_admin_project': False, 'service_user_id': None, 'service_user_domain_id': None, 'service_project_id': None, 'service_project_domain_id': None, 'service_roles': []} authorize /usr/lib/python3/dist-packages/octavia/common/policy.py:126\x1b[00m
[Thu Jun 30 02:06:03.019869 2022] [wsgi:error] [pid 155021:tid 140012009371392] [remote 127.0.0.1:57466] 2022-06-30 02:06:03.019 155021 DEBUG wsme.api [req-b78268bf-7927-4f78-9403-56932caca248 - 474c2ed5049e40178e484aa0e102552e - f1d24e18654c45709a362de0c3b782c2 f1d24e18654c45709a362de0c3b782c2] Client-side error: Policy does not allow this request to be performed. format_exception /usr/lib/python3/dist-packages/wsme/api.py:222\x1b[00m

Command to run this specific test:

tempest run --workspace zaza-bc1ca0e8242a --config /home/ubuntu/.tempest/zaza-bc1ca0e8242a/etc/tempest.conf --serial --regex octavia_tempest_plugin.tests.scenario.v2.test_traffic_ops.TrafficOperationsScenarioTest

setUpClass (octavia_tempest_plugin.tests.scenario.v2.test_traffic_ops.TrafficOperationsScenarioTest)
----------------------------------------------------------------------------------------------------

Captured traceback:
~~~~~~~~~~~~~~~~~~~
    Traceback (most recent call last):

      File "/home/ubuntu/git/charmed-openstack-tester/.tox/func-target/lib/python3.8/site-packages/tempest/test.py", line 168, in setUpClass
    raise value.with_traceback(trace)

      File "/home/ubuntu/git/charmed-openstack-tester/.tox/func-target/lib/python3.8/site-packages/tempest/test.py", line 161, in setUpClass
    cls.resource_setup()

      File "/home/ubuntu/git/charmed-openstack-tester/.tox/func-target/lib/python3.8/site-packages/octavia_tempest_plugin/tests/scenario/v2/test_traffic_ops.py", line 64, in resource_setup
    lb = cls.mem_lb_client.create_loadbalancer(**lb_kwargs)

      File "/home/ubuntu/git/charmed-openstack-tester/.tox/func-target/lib/python3.8/site-packages/octavia_tempest_plugin/common/decorators.py", line 42, in wrapper
    return f(*func_args, **func_kwargs)

      File "/home/ubuntu/git/charmed-openstack-tester/.tox/func-target/lib/python3.8/site-packages/octavia_tempest_plugin/services/load_balancer/v2/loadbalancer_client.py", line 95, in create_loadbalancer
    return self._create_object(**kwargs)

      File "/home/ubuntu/git/charmed-openstack-tester/.tox/func-target/lib/python3.8/site-packages/octavia_tempest_plugin/services/load_balancer/v2/base_client.py", line 101, in _create_object
    response, body = self.post(request_uri, jsonutils.dumps(obj_dict))

      File "/home/ubuntu/git/charmed-openstack-tester/.tox/func-target/lib/python3.8/site-packages/tempest/lib/common/rest_client.py", line 299, in post
    return self.request('POST', url, extra_headers, headers, body, chunked)

      File "/home/ubuntu/git/charmed-openstack-tester/.tox/func-target/lib/python3.8/site-packages/tempest/lib/common/rest_client.py", line 703, in request
    self._error_checker(resp, resp_body)
      File "/home/ubuntu/git/charmed-openstack-tester/.tox/func-target/lib/python3.8/site-packages/tempest/lib/common/rest_client.py", line 804, in _error_checker
    raise exceptions.Forbidden(resp_body, resp=resp)

    tempest.lib.exceptions.Forbidden: Forbidden
Details: {'faultcode': 'Client', 'faultstring': 'Policy does not allow this request to be performed.', 'debuginfo': None}
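
Added example (not part of the original report, nor code from Octavia or the charm): a triage helper that parses the `octavia.common.policy` DEBUG denial line and checks which alternatives of the documented `load-balancer:write` rule the logged credentials satisfy. It assumes `<project member>` means the credential's `project_id` equals the target project; the function names and the abridged sample line are constructed for illustration.

```python
import ast
import re

# Constructed sample: abridged from the DEBUG line quoted in the report.
SAMPLE = (
    "2022-06-30 02:06:03.017 155021 DEBUG octavia.common.policy [req-...] "
    "Policy check for os_load-balancer_api:loadbalancer:post failed with "
    "credentials {'is_admin': False, 'user_id': None, 'system_scope': None, "
    "'project_id': '474c2ed5049e40178e484aa0e102552e', "
    "'roles': ['load-balancer_member'], 'service_roles': []} "
    "authorize /usr/lib/python3/dist-packages/octavia/common/policy.py:126"
)

LINE_RE = re.compile(
    r"Policy check for (?P<rule>\S+) failed with credentials "
    r"(?P<creds>\{.*\}) authorize "
)

def parse_denial(line):
    """Return (rule_name, credentials_dict), or None if the line is not a denial."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # literal_eval accepts only Python literals, so log content is never executed.
    return m.group("rule"), ast.literal_eval(m.group("creds"))

def documented_write_clauses(creds, target_project_id):
    """Evaluate each alternative of the load-balancer:write rule listed in the report."""
    roles = set(creds.get("roles") or [])
    # Assumption: "<project member>" == caller's project matches the target project.
    owner = creds.get("project_id") is not None and creds.get("project_id") == target_project_id
    return {
        "load-balancer_admin": "load-balancer_admin" in roles,
        "load-balancer_member and <project member>": "load-balancer_member" in roles and owner,
        "role:admin": "admin" in roles,
    }

def triage(line, target_project_id):
    parsed = parse_denial(line)
    if parsed is None:
        return None
    rule, creds = parsed
    clauses = documented_write_clauses(creds, target_project_id)
    satisfied = [name for name, ok in clauses.items() if ok]
    # A denial logged while a documented alternative holds means the policy in
    # effect on the API unit differs from the documented rule.
    return {"rule": rule, "roles": creds.get("roles"),
            "satisfied": satisfied, "doc_mismatch": bool(satisfied)}

if __name__ == "__main__":
    print(triage(SAMPLE, "474c2ed5049e40178e484aa0e102552e"))
```

When `doc_mismatch` is true, the next step is to compare the policy files actually loaded by the Octavia API unit against the documented defaults.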

sharif uddin (shorif2000) wrote :

I am having the same issue on Ubuntu 22.04 LTS, OpenStack Yoga, fresh install.

I have installed Octavia and am trying the command

openstack loadbalancer create --name lb1 --vip-subnet-id 49847c07-032d-48b4-a032-842ec5da593b --debug

I tried to create a system token and use curl directly

openstack --os-username=admin --os-user-domain-name=default --os-system-scope all token issue

then curl with

curl -g -i -X POST http://192.168.122.124:9876/v2.0/lbaas/loadbalancers -H "Accept: application/json" -H "Content-Type: application/json" -H "User-Agent: openstacksdk/0.61.0 keystoneauth1/4.4.0 python-requests/2.25.1 CPython/3.10.6" -H "X-Auth-Token: gAAAAABjm11emuGcqFOuPd6SLoXnkDTh7ZRxpTH-b7TL3Ndh6ywwsf66WtNHams8ixxurUjPRV85ulbvHo20U6OZfUwC7WIN-Hs-rz8H6i7Fq_Q6eJn8X5fKJ9kORtKIKI6LS7Bi1ph2sEOlAJxl5mZ0PilxBUbhS8sq5v14WvvkW3h1ktOeqUI" -d '{"loadbalancer": {"name": "lb1", "vip_subnet_id": "49847c07-032d-48b4-a032-842ec5da593b", "admin_state_up": true}}'
HTTP/1.0 403 Forbidden
Date: Thu, 15 Dec 2022 18:04:41 GMT
Server: WSGIServer/0.2 CPython/3.10.6
Content-Length: 112
Content-Type: application/json
x-openstack-request-id: req-84618a33-172c-488e-a5e1-d51b501b0bce

{"faultcode": "Client", "faultstring": "Policy does not allow this request to be performed.", "debuginfo": null}

Changed in charm-octavia:
status: New → Triaged
importance: Undecided → High