Periodic task uses global stack-list

Bug #1589955 reported by Johannes Grassler
Affects   Status         Importance   Assigned to         Milestone
Magnum    Fix Released   Undecided    Johannes Grassler

Bug Description

Magnum's Periodic task sets the global_tenant flag when listing Heat stacks. This will fail since Heat does not allow this action to be performed by anyone but the admin user by default:

  log_http_response /usr/lib/python2.7/site-packages/heatclient/common/http.py:142
  2016-06-07 10:42:56.116 18279 WARNING magnum.service.periodic [req-ea05d125-294f-4008-a45b-b11cfa5ad69d - - - - -] Ignore error [ERROR: You are not authorized to use global_index.] when syncing up bay status.
  2016-06-07 10:42:56.116 18279 ERROR magnum.service.periodic Traceback (most recent call last):
  2016-06-07 10:42:56.116 18279 ERROR magnum.service.periodic File "/usr/lib/python2.7/site-packages/magnum/service/periodic.py", line 99, in sync_bay_status
  2016-06-07 10:42:56.116 18279 ERROR magnum.service.periodic sid_to_stack_mapping = {s.id: s for s in stacks}
  2016-06-07 10:42:56.116 18279 ERROR magnum.service.periodic File "/usr/lib/python2.7/site-packages/magnum/service/periodic.py", line 99, in <dictcomp>
  2016-06-07 10:42:56.116 18279 ERROR magnum.service.periodic sid_to_stack_mapping = {s.id: s for s in stacks}
  2016-06-07 10:42:56.116 18279 ERROR magnum.service.periodic File "/usr/lib/python2.7/site-packages/heatclient/v1/stacks.py", line 101, in paginate
  2016-06-07 10:42:56.116 18279 ERROR magnum.service.periodic stacks = self._list(url, 'stacks')
  2016-06-07 10:42:56.116 18279 ERROR magnum.service.periodic File "/usr/lib/python2.7/site-packages/heatclient/openstack/common/apiclient/base.py", line 131, in _list
  2016-06-07 10:42:56.116 18279 ERROR magnum.service.periodic body = self.client.get(url).json()
  2016-06-07 10:42:56.116 18279 ERROR magnum.service.periodic File "/usr/lib/python2.7/site-packages/heatclient/common/http.py", line 284, in get
  2016-06-07 10:42:56.116 18279 ERROR magnum.service.periodic return self.client_request("GET", url, **kwargs)
  2016-06-07 10:42:56.116 18279 ERROR magnum.service.periodic File "/usr/lib/python2.7/site-packages/heatclient/common/http.py", line 277, in client_request
  2016-06-07 10:42:56.116 18279 ERROR magnum.service.periodic resp, body = self.json_request(method, url, **kwargs)
  2016-06-07 10:42:56.116 18279 ERROR magnum.service.periodic File "/usr/lib/python2.7/site-packages/heatclient/common/http.py", line 266, in json_request
  2016-06-07 10:42:56.116 18279 ERROR magnum.service.periodic resp = self._http_request(url, method, **kwargs)
  2016-06-07 10:42:56.116 18279 ERROR magnum.service.periodic File "/usr/lib/python2.7/site-packages/heatclient/common/http.py", line 221, in _http_request
  2016-06-07 10:42:56.116 18279 ERROR magnum.service.periodic raise exc.from_response(resp)
  2016-06-07 10:42:56.116 18279 ERROR magnum.service.periodic HTTPForbidden: ERROR: You are not authorized to use global_index.
  2016-06-07 10:42:56.116 18279 ERROR magnum.service.periodic

Magnum does not need to perform a global stack list since it's got all the information it needs in its database: each bay has a stack_id attribute, and the function in question collects all of these IDs in bay_stack_ids, so a simple get operation on these will do just as well, without a need for special privileges.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/326428

Changed in magnum:
assignee: nobody → Johannes Grassler (jgr-launchpad)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (master)

Reviewed: https://review.openstack.org/326428
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=f895b2bd0922f29a9d6b08617cb60258fa101c68
Submitter: Jenkins
Branch: master

commit f895b2bd0922f29a9d6b08617cb60258fa101c68
Author: Johannes Grassler <email address hidden>
Date: Tue Jun 7 14:26:29 2016 +0200

    Fix global stack list in periodic task

    The periodic task unnecessarily lists Heat stacks in the
    global tenant (across all tenants) which the Magnum service
    user may lack permission for. Also, the most restrictive way
    to let it use global stack-list is to choose a Keystone role and
    open that operation to any user in any project holding that
    role.

    This commit substitutes a direct lookup of all bays' stack_id
    attributes for this global stack list. This direct lookup will
    yield the same net result. In order to get the necessary
    permissions it will use each bay's stored Keystone trust to
    act on behalf of the bay's creating user.

    Co-Authored-By: Jiri Suchomel <email address hidden>
    Closes-Bug: #1589955
    Change-Id: I67b176c137c463e37e037970cc4e468d51db30c9

Changed in magnum:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 3.0.0

This issue was fixed in the openstack/magnum 3.0.0 release.
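
A small model of the two access patterns discussed in this report (the cross-tenant list from the bug description and the per-bay, trust-scoped lookup from the commit message), added here as an illustration; it is not Magnum or Heat code. HeatModel, the sample stacks, bays and project names are constructed assumptions; only the error string comes from the log above.

```python
# Constructed model of the access patterns in this bug; not Magnum or Heat code.
class Forbidden(Exception): pass
class NotFound(Exception): pass

# Constructed sample data: stack_id -> (owning project, stack status)
STACKS = {
    "s-1": ("proj-a", "CREATE_COMPLETE"),
    "s-2": ("proj-b", "UPDATE_IN_PROGRESS"),
    "s-9": ("proj-z", "CREATE_COMPLETE"),  # unrelated tenant, not a bay
}

class HeatModel:
    """Hypothetical stand-in for a Heat client bound to one project scope."""
    def __init__(self, project, is_admin=False):
        self.project, self.is_admin = project, is_admin

    def list_stacks(self, global_tenant=False):
        if global_tenant and not self.is_admin:
            raise Forbidden("You are not authorized to use global_index.")
        return {sid: st for sid, (proj, st) in STACKS.items()
                if global_tenant or proj == self.project}

    def get_stack(self, stack_id):
        proj, status = STACKS.get(stack_id, (None, None))
        if proj != self.project:  # missing or other-tenant stacks look absent
            raise NotFound(stack_id)
        return status

# Constructed bays: each carries its stack_id and the project its trust is scoped to.
BAYS = [
    {"name": "bay-a", "stack_id": "s-1", "trust_project": "proj-a"},
    {"name": "bay-b", "stack_id": "s-2", "trust_project": "proj-b"},
    {"name": "bay-c", "stack_id": "s-3", "trust_project": "proj-a"},  # stack deleted
]

def sync_global(service_client):
    """Old pattern: one cross-tenant list, which needs the global_index privilege."""
    return service_client.list_stacks(global_tenant=True)

def sync_per_bay(bays):
    """Fixed pattern: one scoped get per bay, using that bay's trust scope."""
    statuses = {}
    for bay in bays:
        client = HeatModel(bay["trust_project"])  # trust-scoped, never admin
        try:
            statuses[bay["name"]] = client.get_stack(bay["stack_id"])
        except NotFound:
            statuses[bay["name"]] = None  # one missing stack does not abort the sync
    return statuses
```

In this model the per-bay path never touches s-9, while the global list returns it to any caller granted the privilege.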
