New Secure RBAC policies broke devstack-enforce-scope job

Bug #1959196 reported by Slawek Kaplonski
Affects: neutron
Status: Fix Released
Importance: Critical
Assigned to: Slawek Kaplonski

Bug Description

After patch https://review.opendev.org/c/openstack/neutron/+/821208 was merged, job devstack-enforce-scope is broken.
Failure example: https://5764001d47a5e80d3ade-02618f010e74d581319c83aa0d27e1a8.ssl.cf2.rackcdn.com/825920/2/gate/devstack-enforce-scope/bbedfce/controller/logs/devstacklog.txt

Error in Neutron:

Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation [None req-4c4da8bd-be81-47ae-b700-f68b7f1a68d0 None admin] POST failed.: oslo_policy.policy.InvalidScope: rule:get_subnetpool requires a scope of ['project'], request was made with system scope.
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation Traceback (most recent call last):
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/neutron/neutron/pecan_wsgi/hooks/policy_enforcement.py", line 134, in before
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation policy.enforce(
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/neutron/neutron/policy.py", line 524, in enforce
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation LOG.debug("Failed policy check for '%s'", action)
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/usr/local/lib/python3.8/dist-packages/oslo_utils/excutils.py", line 227, in __exit__
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation self.force_reraise()
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/usr/local/lib/python3.8/dist-packages/oslo_utils/excutils.py", line 200, in force_reraise
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation raise self.value
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/neutron/neutron/policy.py", line 519, in enforce
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation result = _ENFORCER.enforce(rule, target, context, action=action,
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/usr/local/lib/python3.8/dist-packages/oslo_policy/policy.py", line 1084, in enforce
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation raise PolicyNotAuthorized(rule, target, creds)
Jan 26 22:30:16.592774 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation oslo_policy.policy.PolicyNotAuthorized: ((rule:create_subnetpool and rule:create_subnetpool:is_default) and rule:create_subnetpool:shared) is disallowed by policy
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation During handling of the above exception, another exception occurred:
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation Traceback (most recent call last):
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/usr/local/lib/python3.8/dist-packages/pecan/core.py", line 692, in __call__
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation controller, args, kwargs = self.find_controller(state)
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/usr/local/lib/python3.8/dist-packages/pecan/core.py", line 870, in find_controller
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation controller, args, kw = super(Pecan, self).find_controller(_state)
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/usr/local/lib/python3.8/dist-packages/pecan/core.py", line 560, in find_controller
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation self.handle_hooks(self.determine_hooks(controller), 'before', state)
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/usr/local/lib/python3.8/dist-packages/pecan/core.py", line 877, in handle_hooks
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation return super(Pecan, self).handle_hooks(hooks, *args, **kw)
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/usr/local/lib/python3.8/dist-packages/pecan/core.py", line 342, in handle_hooks
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation result = getattr(hook, hook_type)(*args)
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/neutron/neutron/pecan_wsgi/hooks/policy_enforcement.py", line 144, in before
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation if not policy.check(neutron_context, s_action, item,
Jan 26 22:30:16.593467 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/neutron/neutron/policy.py", line 486, in check
Jan 26 22:30:16.594094 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation result = _ENFORCER.enforce(match_rule,
Jan 26 22:30:16.594094 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/usr/local/lib/python3.8/dist-packages/oslo_policy/policy.py", line 1045, in enforce
Jan 26 22:30:16.594094 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation self._enforce_scope(creds, rule)
Jan 26 22:30:16.594094 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation File "/usr/local/lib/python3.8/dist-packages/oslo_policy/policy.py", line 1102, in _enforce_scope
Jan 26 22:30:16.594094 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation raise InvalidScope(
Jan 26 22:30:16.594094 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation oslo_policy.policy.InvalidScope: rule:get_subnetpool requires a scope of ['project'], request was made with system scope.
Jan 26 22:30:16.594094 ubuntu-focal-ovh-bhs1-0028185957 neutron-server[89841]: ERROR neutron.pecan_wsgi.hooks.translation

Tags: gate-failure
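The traceback above shows two distinct oslo.policy outcomes: a rule whose scope_types do not include the token's scope (rule:get_subnetpool requires ['project'], the request carried a system-scoped token) raises InvalidScope once enforce_scope is on, and a rule whose check string is not satisfied raises PolicyNotAuthorized. The following is an added Python model of that enforcement order, written for this page; it is not Neutron or oslo.policy code. The rule names are the ones from the traceback, while the scope_types, the role sets standing in for real check strings, and the credential dicts are constructed assumptions. Real oslo.policy evaluates check strings, not role sets, and derives the scope from the keystone token the same way this model does from the 'system' / 'project_id' keys.

```python
"""Model of oslo.policy-style scope enforcement (added illustration, not
Neutron or oslo.policy code). Scope is checked first; only a request whose
scope is allowed for the rule goes on to the role/check-string evaluation."""

from dataclasses import dataclass, field


class InvalidScope(Exception):
    """Raised when a rule's scope_types do not include the request's scope."""


class PolicyNotAuthorized(Exception):
    """Raised when the rule's check does not match the credentials."""


@dataclass
class RuleDefault:
    name: str
    scope_types: list                       # e.g. ["project"], ["system"], or both
    roles: set = field(default_factory=set)  # simplified stand-in for a check string


@dataclass
class Enforcer:
    enforce_scope: bool = True
    rules: dict = field(default_factory=dict)
    warnings: list = field(default_factory=list)  # scope mismatches seen while enforce_scope is off

    def register_default(self, rule):
        self.rules[rule.name] = rule

    @staticmethod
    def request_scope(creds):
        # Mirrors keystone token scoping: a 'system' key means a system-scoped
        # token, a 'project_id' a project-scoped one.
        if creds.get("system"):
            return "system"
        if creds.get("project_id"):
            return "project"
        return "unscoped"

    def enforce(self, rule_name, target, creds):
        rule = self.rules[rule_name]
        scope = self.request_scope(creds)
        if scope not in rule.scope_types:
            msg = (f"rule:{rule_name} requires a scope of {rule.scope_types}, "
                   f"request was made with {scope} scope.")
            if self.enforce_scope:
                raise InvalidScope(msg)
            # With enforcement off, oslo.policy only warns about the mismatch;
            # recording it here is what makes the migration gap visible.
            self.warnings.append(msg)
        if not (rule.roles & set(creds.get("roles", []))):
            raise PolicyNotAuthorized(f"rule:{rule_name} is disallowed by policy")
        return True


def build_enforcer(enforce_scope=True):
    """Register the two subnetpool rules named in the traceback (assumed role sets)."""
    enforcer = Enforcer(enforce_scope=enforce_scope)
    enforcer.register_default(RuleDefault("get_subnetpool", ["project"], {"admin", "member", "reader"}))
    enforcer.register_default(RuleDefault("create_subnetpool", ["project"], {"admin", "member"}))
    return enforcer


# Constructed credentials: the job's system-scoped admin versus project-scoped users.
SYSTEM_ADMIN = {"system": "all", "roles": ["admin"]}
PROJECT_ADMIN = {"project_id": "p1", "roles": ["admin"]}
PROJECT_READER = {"project_id": "p1", "roles": ["reader"]}


def outcome(enforcer, rule_name, creds):
    """Return the enforcement result as a short label instead of raising."""
    try:
        enforcer.enforce(rule_name, {}, creds)
        return "allowed"
    except InvalidScope:
        return "InvalidScope"
    except PolicyNotAuthorized:
        return "PolicyNotAuthorized"


if __name__ == "__main__":
    strict = build_enforcer()
    print("system admin, get_subnetpool:", outcome(strict, "get_subnetpool", SYSTEM_ADMIN))
    print("project admin, get_subnetpool:", outcome(strict, "get_subnetpool", PROJECT_ADMIN))
    print("project reader, create_subnetpool:", outcome(strict, "create_subnetpool", PROJECT_READER))
    lenient = build_enforcer(enforce_scope=False)
    print("enforce_scope off:", outcome(lenient, "get_subnetpool", SYSTEM_ADMIN), lenient.warnings)
```

The point for anyone debugging a job like devstack-enforce-scope: an admin role alone does not pass a project-scoped rule once enforce_scope is on; the credentials have to carry the scope the rule allows. Turning enforce_scope off only downgrades the mismatch to a warning, which is useful for finding callers that still use system-scoped tokens but is not the fix.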
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/827302

Slawek Kaplonski (slaweq) wrote :
Changed in neutron:
status: Confirmed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/827302
Committed: https://opendev.org/openstack/neutron/commit/a1c7e4cf575d1ee0b5bdc4da9caed0c7449e7b08
Submitter: "Zuul (22348)"
Branch: master

commit a1c7e4cf575d1ee0b5bdc4da9caed0c7449e7b08
Author: Slawek Kaplonski <email address hidden>
Date: Tue Feb 1 15:36:05 2022 +0100

    Add devstack-enforce-scope job to our periodic queue

    Now, as Neutron's enforce scopes and new default policies are supported
    and it can be enabled in Devstack, let's have CI job in periodic queue to
    make sure we don't break it (again).

    Related-Bug: #1959196
    Change-Id: I3f497b58357a2b0be5cb83b5d4a463e433a1524d
