Bug #2049807 “roles接口请求报错403后，其他页面401无法访问” : Bugs : skyline apiserver

Revision history for this message

liqi (li-qi-cool) wrote on 2024-01-19:

#1

22.png Edit (411.7 KiB, image/png)

Wu Wenxiang (wu-wenxiang) on 2024-01-23

Changed in skyline-apiserver:
status:	New → Fix Released

Revision history for this message

Wu Wenxiang (wu-wenxiang) wrote on 2024-01-23 (last edit on 2024-01-23):

#2

This issue also confuse me.

Symptom:
-----------------------------------
1. Login Horizon with common user A, list servers OK.
2. Login Skyline with same common user A, could list the nova servers, F12 show no http requests sent from network, however webpage show 401, do not allow to list servers

Root Cause Analysis:
-----------------------------------
1. Horizon don't know whether a user could do an action at a resource or not. It simply pass request to recording service, & service (Nova) do the check by its policy file. So it works.
2. Skyline check the action by itself, with /policy API. If you do not configure it, the default value follows community, like: https://docs.openstack.org/nova/2023.2/configuration/sample-policy.html

How to fix:
-----------------------------------
1. By default, list servers need "project_reader_api": "role:reader and project_id:%(project_id)s"
2. You should config your customized role, for example: member, _member_, projectAdmin, etc, create implied reader role. "openstack implied role create --implied-role member projectAdmin", or "openstack implied role create --implied-role reader _member_"

This issue also confuse me.

Symptom:
-----------------------------------
1. Login Horizon with common user A, list servers OK.
2. Login Skyline with same common user A, could list the nova servers, F12 show no http requests sent from network, however webpage show 401, do not allow to list servers

Root Cause Analysis:
-----------------------------------
1. Horizon don't know whether a user could do an action at a resource or not. It simply pass request to recording service, & service (Nova) do the check by its policy file. So it works.
2. Skyline check the action by itself, with /policy API. If you do not configure it, the default value follows community, like: https://docs.openstack.org/nova/2023.2/configuration/sample-policy.html

How to fix:
-----------------------------------
1. By default, list servers need "project_reader_api": "role:reader and project_id:%(project_id)s"
2. You should config your customized role, for example: member, _member_, projectAdmin, etc, create implied reader role. "openstack implied role create --implied-role member projectAdmin", or "openstack implied role create --implied-role reader _member_"

Changed in skyline-apiserver:
assignee:	nobody → Wu Wenxiang (wu-wenxiang)

Revision history for this message

Wu Wenxiang (wu-wenxiang) wrote on 2024-01-23:

#3

By the way, 403 has no relationship this issue.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-01-23: Fix proposed to skyline-apiserver (master)

#4

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/skyline-apiserver/+/906345

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-01-24: Fix merged to skyline-apiserver (master)

#5

Reviewed: https://review.opendev.org/c/openstack/skyline-apiserver/+/906345
Committed: https://opendev.org/openstack/skyline-apiserver/commit/b1a693d0a3a9ff1c44f0e1e56279fd238c0ea047
Submitter: "Zuul (22348)"
Branch: master

commit b1a693d0a3a9ff1c44f0e1e56279fd238c0ea047
Author: Wenxiang Wu <wu.wenxiang@99cloud.net>
Date: Tue Jan 23 14:13:45 2024 +0800

docs: add FAQ in README.rst

Closes-Bug: #2049807
Change-Id: I9beb1c1e7ba2d8c0378d4eabe8dbd05ffeb06c69

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2024-03-15: Fix included in openstack/skyline-apiserver 4.0.0.0rc1

#6

This issue was fixed in the openstack/skyline-apiserver 4.0.0.0rc1 release candidate.

skyline apiserver

roles接口请求报错403后，其他页面401无法访问

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches