OpenStack-Ansible

OSA creates reseller_admin role but role should be ResellerAdmin

Bug #1633221 reported by Joshua White on 2016-10-13

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack-Ansible	Fix Released	Undecided	Andy McCrae

Bug Description

OSA creates role reseller_admin. The issue is it seems Swift expects reseller_admin_role to be ResellerAdmin not reseller_admin.

Example Tempest fails when running with reseller_admin_role = reseller_admin: tempest.api.object_storage.test_account_quotas.AccountQuotasTest.test_admin_modify_quota.

{0} tempest.api.object_storage.test_account_quotas.AccountQuotasTest.test_admin_modify_quota [0.896237s] ... FAILED

==============================
Failed 1 tests - output below:
==============================

tempest.api.object_storage.test_account_quotas.AccountQuotasTest.test_admin_modify_quota[id-63f51f9f-5f1d-4fc6-b5be-d454d70949d6,smoke]
---------------------------------------------------------------------------------------------------------------------------------------

Captured traceback:
~~~~~~~~~~~~~~~~~~~
    Traceback (most recent call last):
      File "tempest/api/object_storage/test_account_quotas.py", line 58, in setUp
        body="")
      File "tempest/lib/common/rest_client.py", line 665, in request
        resp, resp_body)
      File "tempest/lib/common/rest_client.py", line 758, in _error_checker
        raise exceptions.Forbidden(resp_body, resp=resp)
    tempest.lib.exceptions.Forbidden: Forbidden
    Details: <html><h1>Forbidden</h1><p>Access was denied to this resource.</p></html>

Captured pythonlogging:
~~~~~~~~~~~~~~~~~~~~~~~
2016-10-13 20:55:36,992 31477 INFO [tempest.lib.common.rest_client] Request (AccountQuotasTest:setUp): 403 POST http://xxx.xxx.x.xxx:8080/v1/AUTH_06c36adfe0b14834b147e6aac077937f 0.894s

Solution I believe:

Instead of creating reseller_admin role on deployment create ResellerAdmin role.

See original description

Tags:

Joshua White (joshua-l-white) on 2016-10-13

summary:	- Tempest conf reseller_admin_role defaults to reseller_admin + OSA creates reseller_admin role but role should be ResellerAdmin
description:	updated

Praveen N (praveenn) on 2016-10-14

Changed in openstack-ansible:
assignee:	nobody → Praveen N (praveenn)

Jean-Philippe Evrard (jean-philippe-evrard) on 2016-10-14

tags:

added: newton-rc-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-10-14: Fix proposed to openstack-ansible-os_swift (master)

Fix proposed to branch: master
Review: https://review.openstack.org/386652

Changed in openstack-ansible:
assignee:	Praveen N (praveenn) → Andy McCrae (andrew-mccrae)
status:	New → In Progress

Revision history for this message

Andy McCrae (andrew-mccrae) wrote on 2016-10-14:

Hi Joshua,

We weren't actually creating the role at all (unless you used Ceilometer, in which case it was created as "ResellerAdmin" correctly.)

That's a minor thing, but I agree perhaps we should create the role since we're setting it in the configuration, it is then up to the operator to add the ResellerAdmin role to users as required.

The Review I've posted will set the role up automatically now, but won't add it to any users (unless you are using ceilometer).

I hope that resolves your issues, but you should be able to create the role and assign it to users manually in the meantime!

Revision history for this message

Joshua White (joshua-l-white) wrote on 2016-10-14:

Hi Andy,

Thanks! Yes that is all that is needed. If the role is created everything should work on good on my end.

Changed in openstack-ansible:
assignee:	Andy McCrae (andrew-mccrae) → Joshua White (joshua-l-white)

OpenStack Infra (hudson-openstack) on 2016-10-14

Changed in openstack-ansible:
assignee:	Joshua White (joshua-l-white) → Andy McCrae (andrew-mccrae)

Revision history for this message

Joshua White (joshua-l-white) wrote on 2016-10-14:

Hi Andy,

I forgot to mention, I would need this change to be reflected from Mitaka as well, to Master.

Revision history for this message

Andy McCrae (andrew-mccrae) wrote on 2016-10-14:

Hi Joshua, No problem - once it merges we can backport it to Mitaka

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-10-16: Fix merged to openstack-ansible-os_swift (master)

Reviewed: https://review.openstack.org/386652
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_swift/commit/?id=8e14baa7fb27d43d5845818660517938644db0b6
Submitter: Jenkins
Branch: master

commit 8e14baa7fb27d43d5845818660517938644db0b6
Author: Andy McCrae <email address hidden>
Date: Fri Oct 14 15:52:32 2016 +0100

Always setup ResellerAdmin role in keystone

    The ResellerAdmin role should be setup in keystone regardless of whether
    we are using Ceilometer or not. This will allow operators to add the
    ResellerAdmin role to users - which should then be allowed to operate on
    any account.

Change-Id: I3c5ede01266b126705b42b086107a9232a85bf94
Closes-Bug: #1633221

Changed in openstack-ansible:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-10-16: Fix proposed to openstack-ansible-os_swift (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/387019

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-10-17: Fix merged to openstack-ansible-os_swift (stable/newton)

Reviewed: https://review.openstack.org/387019
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_swift/commit/?id=0e7a7a36c5729d965d25d1267692bb2342fbdad6
Submitter: Jenkins
Branch: stable/newton

commit 0e7a7a36c5729d965d25d1267692bb2342fbdad6
Author: Andy McCrae <email address hidden>
Date: Fri Oct 14 15:52:32 2016 +0100

Always setup ResellerAdmin role in keystone

    Change-Id: I3c5ede01266b126705b42b086107a9232a85bf94
    Closes-Bug: #1633221
    (cherry picked from commit 8e14baa7fb27d43d5845818660517938644db0b6)

tags:

added: in-stable-newton

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-10-17: Fix proposed to openstack-ansible-os_swift (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/387504

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-10-17: Fix merged to openstack-ansible-os_swift (stable/mitaka)

#10

Reviewed: https://review.openstack.org/387504
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_swift/commit/?id=5fbb25e7c5c139fbe9462f27b6a0afc20a4fffef
Submitter: Jenkins
Branch: stable/mitaka

commit 5fbb25e7c5c139fbe9462f27b6a0afc20a4fffef
Author: Andy McCrae <email address hidden>
Date: Mon Oct 17 15:45:31 2016 +0100

Always setup ResellerAdmin role in keystone

    Change-Id: I3c5ede01266b126705b42b086107a9232a85bf94
    Closes-Bug: #1633221
    (cherry picked from commit 8e14baa7fb27d43d5845818660517938644db0b6)

tags:

added: in-stable-mitaka

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-10-19: Fix included in openstack/openstack-ansible-os_swift 14.0.0.0rc4

#11

This issue was fixed in the openstack/openstack-ansible-os_swift 14.0.0.0rc4 release candidate.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-10-21: Fix included in openstack/openstack-ansible-os_swift 13.3.6

#12

This issue was fixed in the openstack/openstack-ansible-os_swift 13.3.6 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-11-18: Fix included in openstack/openstack-ansible-os_swift 15.0.0.0b1

#13

This issue was fixed in the openstack/openstack-ansible-os_swift 15.0.0.0b1 development milestone.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.