This can be seen here in Patchset 3 for bionic-train-gr: https://review.opendev.org/c/openstack/charm-openstack-dashboard/+/811942
2021-11-19 19:39:53 [INFO] test_003_test_override_is_observed (zaza.openstack.charm_tests.openstack_dashboard.tests.OpenStackDashboardPolicydTests)
2021-11-19 19:39:53 [INFO] Test that the override is observed by the underlying service.
2021-11-19 19:39:53 [INFO] ...
2021-11-19 19:40:01 [INFO] looking at application: {'name': 'keystone', 'type': {'pkg': 'keystone', 'origin_setting': 'openstack-origin'}}
2021-11-19 19:40:03 [INFO] Doing policyd override for openstack-dashboard
2021-11-19 19:40:06 [INFO] First verify that operation works prior to override
2021-11-19 19:40:06 [INFO] Dashboard is at 10.5.3.62
2021-11-19 19:40:08 [INFO] looking at application: {'name': 'keystone', 'type': {'pkg': 'keystone', 'origin_setting': 'openstack-origin'}}
2021-11-19 19:40:09 [INFO] Using keystone API V3 (or later) for overcloud auth
2021-11-19 19:40:11 [INFO] admin password is iePaizie3Phee5Bi
2021-11-19 19:40:11 [INFO] Horizon URL is: https://10.5.55.1/horizon
2021-11-19 19:40:31 [INFO] looking at application: {'name': 'keystone', 'type': {'pkg': 'keystone', 'origin_setting': 'openstack-origin'}}
2021-11-19 19:40:32 [INFO] Using keystone API V3 (or later) for overcloud auth
2021-11-19 19:40:34 [INFO] {'identity': [{'region_id': 'RegionOne', 'url': 'https://10.5.0.210:5000/v3', 'region': 'RegionOne', 'interface': 'public', 'id': '5d514259e1424ff39d3c48a32dc33073'}, {'region_id': 'RegionOne', 'url': 'https://10.5.0.210:35357/v3', 'region': 'RegionOne', 'interface': 'admin', 'id': '7594578b3104470db895fc3d2750d8be'}, {'region_id': 'RegionOne', 'url': 'https://10.5.0.210:5000/v3', 'region': 'RegionOne', 'interface': 'internal', 'id': 'b4b4e442ed5f45d58bf7c96066109a37'}]}
2021-11-19 19:40:43 [INFO] looking at application: {'name': 'keystone', 'type': {'pkg': 'keystone', 'origin_setting': 'openstack-origin'}}
2021-11-19 19:40:56 [INFO] looking at application: {'name': 'keystone', 'type': {'pkg': 'keystone', 'origin_setting': 'openstack-origin'}}
2021-11-19 19:40:57 [INFO] POST data: "{'domain': 'admin_domain', 'username': 'admin', 'password': 'iePaizie3Phee5Bi', 'csrfmiddlewaretoken': '4I4w0goM3TkukyySozSvKWnaUb0YhCHYF9CusqfSazUM0FVKeHx7H3iWdWXOXctJ', 'next': '/horizon/identity/', 'region': 'https://10.5.0.210:5000/v3'}"
2021-11-19 19:41:12 [INFO] looking at application: {'name': 'keystone', 'type': {'pkg': 'keystone', 'origin_setting': 'openstack-origin'}}
2021-11-19 19:41:13 [INFO] Logged into okay
2021-11-19 19:41:13 [INFO] URL is http://10.5.3.62/horizon/identity/domains
2021-11-19 19:41:18 [INFO] Doing policyd override with: {'identity/rule.yaml': "identity:get_domain: '!'\nidentity:list_domains: '!'\nidentity:list_domains_for_user: '!'\nidentity:update_domain: '!'\n"}
2021-11-19 19:41:19 [INFO] Setting config to {'use-policyd-override': 'True'}
2021-11-19 19:41:19 [INFO] Waiting for at least one unit with agent status "executing"
2021-11-19 19:42:07 [INFO] Now verify that operation doesn't work with override
2021-11-19 19:42:07 [INFO] Dashboard is at 10.5.3.62
2021-11-19 19:42:09 [INFO] looking at application: {'name': 'keystone', 'type': {'pkg': 'keystone', 'origin_setting': 'openstack-origin'}}
2021-11-19 19:42:10 [INFO] Using keystone API V3 (or later) for overcloud auth
2021-11-19 19:42:12 [INFO] admin password is iePaizie3Phee5Bi
2021-11-19 19:42:12 [INFO] Horizon URL is: https://10.5.55.1/horizon
2021-11-19 19:42:32 [INFO] looking at application: {'name': 'keystone', 'type': {'pkg': 'keystone', 'origin_setting': 'openstack-origin'}}
2021-11-19 19:42:34 [INFO] Using keystone API V3 (or later) for overcloud auth
2021-11-19 19:42:36 [INFO] {'identity': [{'region_id': 'RegionOne', 'url': 'https://10.5.0.210:5000/v3', 'region': 'RegionOne', 'interface': 'public', 'id': '5d514259e1424ff39d3c48a32dc33073'}, {'region_id': 'RegionOne', 'url': 'https://10.5.0.210:35357/v3', 'region': 'RegionOne', 'interface': 'admin', 'id': '7594578b3104470db895fc3d2750d8be'}, {'region_id': 'RegionOne', 'url': 'https://10.5.0.210:5000/v3', 'region': 'RegionOne', 'interface': 'internal', 'id': 'b4b4e442ed5f45d58bf7c96066109a37'}]}
2021-11-19 19:42:45 [INFO] looking at application: {'name': 'keystone', 'type': {'pkg': 'keystone', 'origin_setting': 'openstack-origin'}}
2021-11-19 19:42:57 [INFO] looking at application: {'name': 'keystone', 'type': {'pkg': 'keystone', 'origin_setting': 'openstack-origin'}}
2021-11-19 19:42:59 [INFO] POST data: "{'domain': 'admin_domain', 'username': 'admin', 'password': 'iePaizie3Phee5Bi', 'csrfmiddlewaretoken': 'zwAop90haEzd69EipwNjpVne63h0w9QRHdrxXOwa9ENiAtXctOlXAo565ge2n4IU', 'next': '/horizon/identity/', 'region': 'https://10.5.0.210:5000/v3'}"
2021-11-19 19:43:13 [INFO] looking at application: {'name': 'keystone', 'type': {'pkg': 'keystone', 'origin_setting': 'openstack-origin'}}
2021-11-19 19:43:14 [INFO] Logged into okay
2021-11-19 19:43:14 [INFO] URL is http://10.5.3.62/horizon/identity/domains
2021-11-19 19:43:21 [INFO] Service action passed and should have failed.
2021-11-19 19:43:21 [INFO] ERROR
2021-11-19 19:43:21 [INFO] ======================================================================
2021-11-19 19:43:21 [INFO] ERROR: test_003_test_override_is_observed (zaza.openstack.charm_tests.openstack_dashboard.tests.OpenStackDashboardPolicydTests)
2021-11-19 19:43:21 [INFO] Test that the override is observed by the underlying service.
2021-11-19 19:43:21 [INFO] ----------------------------------------------------------------------
2021-11-19 19:43:21 [INFO] Traceback (most recent call last):
2021-11-19 19:43:21 [INFO] File "/home/ubuntu/charms/focal/openstack-dashboard/.tox/func-target/lib/python3.8/site-packages/zaza/openstack/charm_tests/policyd/tests.py", line 448, in test_003_test_override_is_observed
2021-11-19 19:43:21 [INFO] raise zaza_exceptions.PolicydError(
2021-11-19 19:43:21 [INFO] zaza.openstack.utilities.exceptions.PolicydError: Service action passed and should have failed.
2021-11-19 19:43:21 [INFO] ----------------------------------------------------------------------
2021-11-19 19:43:21 [INFO] Ran 3 tests in 372.219s
2021-11-19 19:43:21 [INFO] FAILED
2021-11-19 19:43:21 [INFO] (errors=1)
I don't know if the rule.yaml is being rendered correctly as seen below:
ubuntu@coreycb-bastion:~/charms/focal/openstack-dashboard$ juju run --application openstack-dashboard cat /etc/openstack-dashboard/policy.d/keystone_policy.d/rule.yaml
- Stdout: |
    {'identity:get_domain': '!', 'identity:list_domains': '!', 'identity:list_domains_for_usern': '!', 'identity:update_domain': '!'}
  UnitId: openstack-dashboard/0
- Stdout: |
    {'identity:get_domain': '!', 'identity:list_domains': '!', 'identity:list_domains_for_user': '!', 'identity:update_domain': '!'}
  UnitId: openstack-dashboard/1
- Stdout: |
    {'identity:get_domain': '!', 'identity:list_domains': '!', 'identity:list_domains_for_user': '!', 'identity:update_domain': '!'}
  UnitId: openstack-dashboard/2
ubuntu@juju-be7b83-zaza-b74897d248b9-3:~$ sudo cat /etc/openstack-dashboard/policy.d/keystone_policy.d/rule.yaml
{'identity:get_domain': '!', 'identity:list_domains': '!', 'identity:list_domains_for_user': '!', 'identity:update_domain': '!'}
Should this instead be formatted like this?
ubuntu@juju-be7b83-zaza-b74897d248b9-3:~$ sudo cat /etc/openstack-dashboard/policy.d/keystone_policy.d/rule.yaml
'identity:get_domain': '!'
'identity:list_domains': '!'
'identity:list_domains_for_user': '!'
'identity:update_domain': '!'
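A check for the formatting question above, as an added example that is not part of the original report or of the charm's code: it loads the flow-style file each unit rendered and the block-style layout asked about, and diffs every unit's rules against the override the test submitted. It assumes PyYAML is installed; `load_rules`, `diff_rules` and `check_units` are hypothetical helper names, and the inputs are copied from the log and `juju run` output quoted in the report.

```python
import yaml  # PyYAML, assumed to be installed

# Override the test submitted, copied from the "Doing policyd override with" log line.
SUBMITTED = (
    "identity:get_domain: '!'\n"
    "identity:list_domains: '!'\n"
    "identity:list_domains_for_user: '!'\n"
    "identity:update_domain: '!'\n"
)
# rule.yaml as rendered on each unit, copied from the `juju run` output in the report.
RENDERED = {
    "openstack-dashboard/0": "{'identity:get_domain': '!', 'identity:list_domains': '!', "
    "'identity:list_domains_for_usern': '!', 'identity:update_domain': '!'}",
    "openstack-dashboard/1": "{'identity:get_domain': '!', 'identity:list_domains': '!', "
    "'identity:list_domains_for_user': '!', 'identity:update_domain': '!'}",
    "openstack-dashboard/2": "{'identity:get_domain': '!', 'identity:list_domains': '!', "
    "'identity:list_domains_for_user': '!', 'identity:update_domain': '!'}",
}
# Block-style layout the report asks about.
PROPOSED = (
    "'identity:get_domain': '!'\n"
    "'identity:list_domains': '!'\n"
    "'identity:list_domains_for_user': '!'\n"
    "'identity:update_domain': '!'\n"
)

def load_rules(text):
    """Parse a policy override document into a {rule name: check string} mapping."""
    data = yaml.safe_load(text)
    if not isinstance(data, dict):
        raise ValueError("policy override must be a YAML mapping")
    return {str(k): str(v) for k, v in data.items()}

def diff_rules(expected, actual):
    """Return (missing, unexpected, changed) rule names, each sorted."""
    missing = sorted(set(expected) - set(actual))
    unexpected = sorted(set(actual) - set(expected))
    changed = sorted(k for k in set(expected) & set(actual) if expected[k] != actual[k])
    return missing, unexpected, changed

def check_units(submitted=SUBMITTED, rendered=RENDERED):
    """Diff every unit's rendered rules against the submitted override."""
    expected = load_rules(submitted)
    return {unit: diff_rules(expected, load_rules(text)) for unit, text in rendered.items()}

if __name__ == "__main__":
    print("block == flow:", load_rules(PROPOSED) == load_rules(RENDERED["openstack-dashboard/1"]))
    for unit, (missing, unexpected, changed) in check_units().items():
        print(unit, "missing:", missing, "unexpected:", unexpected, "changed:", changed)
```

To a YAML loader the flow-style and block-style layouts are the same mapping, so the comparison that matters is the per-unit rule names and values.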