Invalid (?) policy.json causing tempest test failure
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Keystone Charm |
Fix Released
|
High
|
Unassigned |
Bug Description
This is probably not a bug but I do want to at least track this somewhere so that we can justify the failing tempest test on Rocky (and possibly previous releases). It seems that the current charm policy is just more strict than upstream's. But this could also be exposing that our policy is quite a bit diverged from upstream.
The following tempest test is successful on a stein deployment but not on rocky:
tox -e smoke -- --regex tempest.
If I update the keystone unit's "identity:
The failure: 'You are not authorized to perform the requested action: identity:
Log msg: Policy identity:get_domain failed scope check. The token used to make the request was project scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intended scope is required
stable/rocky and stable/stein charm-keystone (policy.json)
-------
"identity:
stable/rocky upstream (policy.json)
-------
# Show domain details.
# GET /v3/domains/
# Intended scope(s): system
#"identity:
stable/stein upstream (policy.json)
-------
# Show domain details.
# GET /v3/domains/
# Intended scope(s): system, domain, project
#"identity:
# DEPRECATED "identity:
# token.project.
# since S in favor of "identity:
# system_scope:all) or token.domain.
# token.project.
#
# As of the Stein release, the domain API now understands how to
# handle system-scoped tokens in addition to project-scoped tokens,
# making the API more accessible to users without compromising
# security or manageability for administrators. The new default
# policies for this API account for these changes automatically
"identity:
Narrowing this down some more, the following also allows the test to pass. I believe in this case the rule is comparing the API project domain ID with the domain ID associated with the target:
"identity:
Whereas if I use the following (taken from the current charm-keystone policy.json for rocky) the test fails. I believe in this case the rule is comparing the API token project domain ID with the domain ID associated with the target:
"identity:
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
Changed in charm-keystone: | |
status: | New → Confirmed |
importance: | Undecided → Medium |
importance: | Medium → High |
Changed in charm-keystone: | |
milestone: | none → 21.10 |
Changed in charm-keystone: | |
status: | Fix Committed → Fix Released |
More details in attached text file.