OpenStack Dashboard Charm

Policy Overrides Do Not Update Automatically

Bug #2037467 reported by Jake Nabasny

This bug report was marked for expiration 0 days ago. (find out why)

8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Dashboard Charm
Incomplete
Undecided
Unassigned

Bug Description

== ENVIRONMENT ==
OS: Ubuntu Focal and Jammy
Openstack: Ussuri and Yoga
Charm revision: 585 and 597

== ISSUE ==
The first time adding a policy override file and enabling policy overrides, they get applied as expected. But if you upload another policy override zip file, you need to make a charm configuration change, like disabling and re-enabling policy overrides, in order for the new policies to be loaded.

== EXPECTED OUTCOME ==
New policy overrides are applied at the time when the override file is attached to the charm.

== STEPS TO REPRODUCE ==
On a fresh deployment:

1. mkdir compute && echo '"os_compute_api:os-extended-server-attributes": "rule:admin_or_owner"' > compute/attribute-override.yaml
2. zip -r nova-override.zip compute
3. juju attach-resource openstack-dashboard policyd-override=nova-override.zip
4. juju config openstack-dashboard use-policyd-override=true

# Policies applied as expected, then adding another policy:

5. mkdir identity && echo '"admin_required": "role:Admin or role:cloudadmin"' > identity/admin-override.yaml
6. zip -r nova-keystone-overrides.zip identity compute
7. juju attach-resource openstack-dashboard policyd-override=nova-keystone-overrides.zip

# Charm goes into maintenance mode and regenerates endpoint configs, but the change does not take effect.

8. juju config openstack-dashboard use-policyd-override=false
9. juju config openstack-dashboard use-policyd-override=true

# Now the newly added policy gets applied.

== OTHER NOTES ==
After step 7, there is no directory for /etc/openstack-dashboard/policy.d/keystone_policy.d/. It does not get generated until the workaround is applied with steps 8 and 9.

See original description
Revision history for this message
Alex Kavanagh (ajkavanagh) wrote :

I'm a little confused about the report, specifically:

> 2. zip -r nova-override.zip compute
> 3. juju attach-resource keystone policyd-override=nova-override.zip
> 4. juju config openstack-dashboard use-policyd-override=true

This looks like the policy override is being applied to the keystone application, but the config option to activate it is on the openstack-dashboard? Unless this is a typo, then that's not going to do anything to either charm.

Also.

> 7. juju attach-resource keystone policyd-override=keystone-override.zip

Is this a typo? It's just the policy override is being applied to keystone here, so the openstack-dashboard charm wouldn't be involved?

Please could you clarify?

Thanks.

Changed in charm-openstack-dashboard:
status: New → Incomplete
Revision history for this message
Marcin Wilk (wilkmarcin) wrote :

Hi Alex,
Regarding:
> 7. juju attach-resource keystone policyd-override=keystone-override.zip

I think it should read to:
juju attach-resource openstack-dashboard policyd-override=keystone-override.zip

I am able to recreate the problem on my Focal/Ussuri deployment. openstack-dashboard charm ussuri/stable rev. 585.

I have used the charm's documentation (especially the policy override process) [1]
https://opendev.org/openstack/charm-openstack-dashboard#policy-overrides

Kind regards,
Marcin

Revision history for this message
Alex Kavanagh (ajkavanagh) wrote :

Okay, revisiting this. Based on the instructions, edited to only use the dashboard charm, I think this is what you are saying:

== STEPS TO REPRODUCE ==
On a fresh deployment, on the openstack-dashboard charm ONLY.

1. mkdir compute && echo '"os_compute_api:os-extended-server-attributes": "rule:admin_or_owner"' > compute/attribute-override.yaml
2. zip -r nova-override.zip compute
3. juju attach-resource openstack-dashboard policyd-override=nova-override.zip
4. juju config openstack-dashboard use-policyd-override=true

# Policies applied as expected, then adding another policy:

5. mkdir identity && echo '"admin_required": "role:Admin or role:cloudadmin"' > identity/admin-override.yaml
6. zip -r keystone-override.zip identity
7. juju attach-resource openstack-dashboard policyd-override=keystone-override.zip

i.e. at the end the local directories are:

/compute/
   attribute-override.yaml
 identity/
    admin-override.yaml

and the two zip files contain a *single* .yaml each:

- nova-override.zip (which contains compute/*) == compute/attribute-override.yaml
- keystone-override.zip (which contains identity/*) == identity/keystone-override.yaml

If this *is* the case, then keystone-override.zip when added as a resource is removing the compute/attribute-override.yaml. This may be intentional on your part, but I just wanted to clarify the operation.

Also, please could you edit the bug to clarify the operations on the charm so that it does reflect your usage. Thanks.

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for OpenStack Dashboard Charm because there has been no activity for 60 days.]

Changed in charm-openstack-dashboard:
status: Incomplete → Expired
Revision history for this message
Jake Nabasny (slapcat) wrote :

Hey folks, this bug still exists and has impacted several of our customers. Please do not let it expire.

Revision history for this message
Alex Kavanagh (ajkavanagh) wrote :

Jake, please see my comment #3; it's not clear what you did, hence I set it to incomplete and then it expired after 60 days. Thanks.

Jake Nabasny (slapcat)
description: updated
Revision history for this message
Jake Nabasny (slapcat) wrote :

Hi Alex,

Sorry for the delay, I just saw your reply. I have corrected the original bug report description as requested. Your description of the behavior in comment #3 is correct, but the problem is not that the new keystone-override.zip replaces the original nova-override.zip. I believe that behavior is by design since the policyd-override resource can only contain one file.

The issue this bug report was opened for is that subsequent updates to the policyd-override resource are not automatically updated by the charm. So after step 7, I would expect to find a /etc/openstack-dashboard/policy.d/keystone_policy.d directory in the openstack-dashboard unit, but it does not appear until completing the workaround in steps 8 or 9. It does not seem intentional the override boolean should be switched off and on to make the update take effect.

Cheers,
Jake

Changed in charm-openstack-dashboard:
status: Expired → New
description: updated
Revision history for this message
Alex Kavanagh (ajkavanagh) wrote :

Hi Jake

Thanks for resolving my confusion around the steps that you did; I think I now have a clearer picture of what is going on. Please could you add one more thing to the bug: An output of the juju debug log for the keystone unit(s); in particular I'm looking for two log entries after the 2nd resource is attached that would read:

... INFO Running maybe_do_policyd_overrides
... INFO ... already setup, so skipping.

Thanks.

Changed in charm-openstack-dashboard:
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for OpenStack Dashboard Charm because there has been no activity for 60 days.]

Changed in charm-openstack-dashboard:
status: Incomplete → Expired
Alex Kavanagh (ajkavanagh)
Changed in charm-openstack-dashboard:
status: Expired → Incomplete
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.