denied resource manila for type-create command

Bug #1963710 reported by mickael batailler
Affects: OpenStack Shared File Systems Service (Manila)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

hi,

I have manila / manila Ganesha / cephFS installed.
When I tried to execute the manila command to create a share type like this: "manila type-create cephfsnfstype false", I got an error: "ERROR: Access was denied to this resource. (HTTP 403) (Request-ID: req-57788b41-36c9-48ee-9f43-fbec7dfd7e67)"

The error log is in the attached file.

Any idea?

Best regards,

Mickaël

Revision history for this message
mickael batailler (jarbis31) wrote :

See the bundle I used.

Revision history for this message
Carlos Eduardo (silvacarlose) wrote :

Hello, Mickaël!
What kind of permissions do you have on your cloud?
I'm asking that because creating share types is an administrator action. You should receive this error (403) only if you are not an admin.
If that is the case, I would say Manila is behaving properly.

Revision history for this message
mickael batailler (jarbis31) wrote :

Hi Carlos,

Yes, I am logged in with the OpenStack admin user to create share types. I tried sourcing the admin openrc file and attempting to create share types, but the command crashes, receiving a 403 error.

Revision history for this message
mickael batailler (jarbis31) wrote :

Hi,

To give more information, here are the environment variables used when I try to create a share type:

OS_REGION_NAME=RegionOne
OS_PROJECT_DOMAIN_ID=2c0bd72a087d40c5af6d22e89a823198
OS_INTERFACE=public
OS_CACERT=/home/jarbis/root-ca-vault.crt
OS_AUTH_URL=https://keystone.gd1.cloud:5000/v3
OS_USERNAME=admin
OS_PROJECT_ID=0763edaf84ab44d8a8c36f6cee097e73
OS_USER_DOMAIN_NAME=admin_domain
OS_PROJECT_NAME=admin
OS_PASSWORD=xxxxxxxxxxxxxxxxxxxxx
OS_IDENTITY_API_VERSION=3

I tried unsetting some variables like OS_PROJECT_NAME or OS_PROJECT_ID; same problem:

[Tue Mar 15 16:04:26.122819 2022] [wsgi:error] [pid 41781:tid 139835562100480] [remote 127.0.0.1:56824] 2022-03-15 16:04:26.122 41781 DEBUG manila.api.openstack.wsgi [req-4a1c8025-5acf-4201-94ea-f84afeb78c5d e477a15dd8684c3fba27f5da6ec0ec82 0763edaf84ab44d8a8c36f6cee097e73 - 2c0bd72a087d40c5af6d22e89a823198 2c0bd72a087d40c5af6d22e89a823198] Action: 'create', calling method: Controller.__getattribute__.<locals>.version_select, body: {"share_type": {"name": "cephfsnfstype", "share_type_access:is_public": true, "extra_specs": {"driver_handles_share_servers": false}}} _process_stack /usr/lib/python3/dist-packages/manila/api/openstack/wsgi.py:797
[Tue Mar 15 16:04:26.123194 2022] [wsgi:error] [pid 41781:tid 139835562100480] [remote 127.0.0.1:56824] /usr/lib/python3/dist-packages/oslo_policy/policy.py:1054: UserWarning: Policy share_type:create failed scope check. The token used to make the request was project scoped but the policy requires ['system'] scope. This behavior may change in the future where using the intended scope is required
[Tue Mar 15 16:04:26.123203 2022] [wsgi:error] [pid 41781:tid 139835562100480] [remote 127.0.0.1:56824] warnings.warn(msg)
[Tue Mar 15 16:04:26.123678 2022] [wsgi:error] [pid 41781:tid 139835562100480] [remote 127.0.0.1:56824] 2022-03-15 16:04:26.123 41781 DEBUG manila.policy [req-4a1c8025-5acf-4201-94ea-f84afeb78c5d e477a15dd8684c3fba27f5da6ec0ec82 0763edaf84ab44d8a8c36f6cee097e73 - 2c0bd72a087d40c5af6d22e89a823198 2c0bd72a087d40c5af6d22e89a823198] Policy check for share_type:create failed with credentials {'is_admin': True, 'user_id': 'e477a15dd8684c3fba27f5da6ec0ec82', 'user_domain_id': '2c0bd72a087d40c5af6d22e89a823198', 'system_scope': None, 'domain_id': None, 'project_id': '0763edaf84ab44d8a8c36f6cee097e73', 'project_domain_id': '2c0bd72a087d40c5af6d22e89a823198', 'roles': ['Admin', 'member', 'reader'], 'is_admin_project': True, 'service_user_id': None, 'service_user_domain_id': None, 'service_project_id': None, 'service_project_domain_id': None, 'service_roles': []} authorize /usr/lib/python3/dist-packages/manila/policy.py:208
[Tue Mar 15 16:04:26.123962 2022] [wsgi:error] [pid 41781:tid 139835562100480] [remote 127.0.0.1:56824] 2022-03-15 16:04:26.123 41781 INFO manila.api.openstack.wsgi [req-4a1c8025-5acf-4201-94ea-f84afeb78c5d e477a15dd8684c3fba27f5da6ec0ec82 0763edaf84ab44d8a8c36f6cee097e73 - 2c0bd72a087d40c5af6d22e89a823198 2c0bd72a087d40c5af6d22e89a823198] HTTP exception thrown: Access was denied to this resource.
[Tue Mar 15 16:04:26.124115 2022] [wsgi:error] [pid 41781:tid 139835562100480] [remote 127.0.0.1:56824] 202...


Revision history for this message
Carlos Eduardo (silvacarlose) wrote :

I see...
What version of Manila are you using?
Are you aware of any roles that could be overwritten in your cloud deployment?

Revision history for this message
Vida Haririan (vhariria) wrote :
Changed in manila:
status: New → Incomplete
Revision history for this message
mickael batailler (jarbis31) wrote :

Hi Carlos,

The version of manila is 12.0.0.

I use the Canonical deployment method with the Juju software. Juju uses the manila charm for deployment.
I do not know if Juju overwrites roles or any configuration during deployment.

How can I be sure about that?

Best regards,

Revision history for this message
Goutham Pacha Ravi (gouthamr) wrote :

Hi Mickael,

A couple of questions.

1) Is this problem only with the "type-create" command? What do you see when you use the same credentials and say "manila pool-list" or "manila service-list"?

2) Do you have oslo.policy/RBAC related configuration options set in your manila.conf file?

[oslo_policy]
enforce_scope=<True/False>
enforce_new_defaults=<True/False>

Thanks,
Goutham

Revision history for this message
Goutham Pacha Ravi (gouthamr) wrote :

Also, following up on your question to Carlos:

Any custom RBAC policy files for manila are placed in the same folder as manila.conf; by default, most deployment tools use "/etc/manila" as the location for these files. If there's a custom RBAC policy, we'd like to see that file in case that's causing these auth failures.

Revision history for this message
mickael batailler (jarbis31) wrote :

Hi Goutham,

I have this problem when I try to execute the "type-create" command and also "manila pool-list" or "manila service-list".

But when I execute the "manila list" command, I do not get this error.

In my manila.conf file, I do not have oslo.policy/RBAC options, but in the /etc/manila folder I have one file named "policy.json".
In this file, I can read:

"system-admin": "role:admin and system_scope:all"
"share_type:create": "rule:system-admin"

I executed the commands with the admin OpenStack user, so I have the admin role. I do not understand this error.

I attached this file in my comment.

Many thanks for your help,

Best regards,
Mickaël

Revision history for this message
Goutham Pacha Ravi (gouthamr) wrote :

Hi Mickael,

Can you either rename the policy.json to policy.yaml or remove it altogether and see if this issue recurs?

The reason you're seeing this error is because policy.json is no longer a valid way to specify manila RBAC policies...

Please see the Wallaby cycle release notes: https://docs.openstack.org/releasenotes/manila/wallaby.html#relnotes-12-0-0-stable-wallaby-upgrade-notes

specifically:

"The default value of [oslo_policy] policy_file config option has been changed from policy.json to policy.yaml. Operators who are utilizing customized or previously generated static policy JSON files (which are not needed by default), should generate new policy files or convert them in YAML format. Use the oslopolicy-convert-json-to-yaml tool to convert a JSON to YAML formatted policy file in backward compatible way."
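
The failing scope check, as an added example (not code from this thread or from the Manila project): a small Python model of the two policy rules Mickaël quoted, evaluated against the project-scoped credentials from his DEBUG log and against an assumed system-scoped token. It implements only the check syntax those two rules use ("role:", "system_scope:", "rule:", "and"); oslo.policy itself handles far more.

```python
import json

# Constructed from the policy.json lines quoted in the thread.
POLICY_JSON = """{
  "system-admin": "role:admin and system_scope:all",
  "share_type:create": "rule:system-admin"
}"""

# Constructed from the credentials in the DEBUG log above: a project-scoped
# admin token (system_scope is None, roles include "Admin").
PROJECT_SCOPED_ADMIN = {
    "roles": ["Admin", "member", "reader"],
    "system_scope": None,
    "project_id": "0763edaf84ab44d8a8c36f6cee097e73",
}
# Constructed: the shape of a system-scoped admin token (assumption, not
# taken from the thread).
SYSTEM_SCOPED_ADMIN = {"roles": ["admin"], "system_scope": "all", "project_id": None}


def _check_atom(atom, creds, rules):
    """Evaluate one 'kind:value' check against the token credentials."""
    kind, _, value = atom.partition(":")
    if kind == "role":
        # oslo.policy's RoleCheck compares case-insensitively, so "Admin" matches.
        return value.lower() in (r.lower() for r in creds.get("roles", []))
    if kind == "system_scope":
        # This is the check a project-scoped token cannot satisfy.
        return creds.get("system_scope") == value
    if kind == "rule":
        return evaluate(value, creds, rules)
    raise ValueError(f"unsupported check: {atom!r}")


def evaluate(rule_name, creds, rules):
    """True only if every 'and'-joined atom of the named rule holds."""
    return all(_check_atom(a.strip(), creds, rules)
               for a in rules[rule_name].split(" and "))


def share_type_create_allowed(creds, policy_text=POLICY_JSON):
    return evaluate("share_type:create", creds, json.loads(policy_text))


if __name__ == "__main__":
    print("project-scoped admin:", share_type_create_allowed(PROJECT_SCOPED_ADMIN))
    print("system-scoped admin: ", share_type_create_allowed(SYSTEM_SCOPED_ADMIN))
```

The project-scoped token fails despite the admin role because "system_scope:all" is never satisfied, which is exactly the scope-check warning in the log; dropping the stale policy.json, as suggested above, restores the project's default rules.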

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for OpenStack Shared File Systems Service (Manila) because there has been no activity for 60 days.]

Changed in manila:
status: Incomplete → Expired