cinder extend "Policy doesn't allow os_compute_api:os-server-external-events:create to be performed"

Bug #1902914 reported by Ryan Fuerst
This bug affects 2 people
Affects: OpenStack-Ansible
Status: Fix Released
Importance: Medium
Assigned to: Dmitriy Rabotyagov

Bug Description

Missing conf options in [nova] section of cinder.conf

When trying to extend an active & attached cinder volume, you get the error below in cinder-volume.log:

Policy doesn't allow os_compute_api:os-server-external-events:create to be performed

This is caused by missing configuration options in the [nova] section of cinder.conf, which does not fully configure the access needed for cinder to talk to nova.

The current template has this:

[nova]
interface = admin
insecure = {{ keystone_service_internaluri_insecure | bool }}

I believe something along these lines should do the trick:

[nova]
interface = admin
insecure = {{ keystone_service_internaluri_insecure | bool }}
auth_type = {{ cinder_keystone_auth_plugin }}
auth_url = {{ keystone_service_internaluri }}/v3
password = {{ nova_service_password }}
project_domain_id = default
project_name = service
region_name = {{ nova_service_region }}
user_domain_id = default
username = {{ nova_service_user_name }}

Relates to this defect over at Red Hat

https://access.redhat.com/solutions/3675991
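
A check for the condition described above, as an added example that is not part of the original report or of OpenStack-Ansible: it parses a rendered cinder.conf and lists which of the [nova] credential options proposed in the report are missing or still contain unrendered template markers. The function name, the sample values and the extra warning on `insecure` are assumptions made for this example.

```python
import configparser

# Options the bug report proposes adding to [nova] in cinder.conf.
CREDENTIAL_OPTIONS = (
    "auth_type", "auth_url", "username", "password", "project_name",
    "project_domain_id", "user_domain_id", "region_name",
)

def audit_nova_section(conf_text):
    """Return findings for the [nova] section of a rendered cinder.conf."""
    # default_section is renamed so [DEFAULT] values are not inherited by
    # [nova] and cannot hide a missing option; duplicate keys are tolerated.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__")
    parser.read_string(conf_text)
    if not parser.has_section("nova"):
        return ["[nova] section is absent"]
    nova = parser["nova"]
    findings = []
    for opt in CREDENTIAL_OPTIONS:
        value = nova.get(opt, "").strip()
        if not value:
            findings.append(f"missing: {opt}")
        elif "{{" in value:
            findings.append(f"unrendered template: {opt}")
    if nova.get("insecure", "false").strip().lower() in ("true", "1", "yes", "on"):
        findings.append("insecure is enabled: TLS certificates are not verified")
    return findings

# Constructed sample files; every value below is a placeholder.
BEFORE = """\
[DEFAULT]
auth_strategy = keystone
[nova]
interface = admin
insecure = False
"""

AFTER = BEFORE + """\
auth_type = password
auth_url = https://keystone.example.internal:5000/v3
password = constructed-placeholder
project_domain_id = default
project_name = service
region_name = RegionOne
user_domain_id = default
username = nova
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_nova_section(text) or "complete")
```

Because the corrected section stores a service password in cinder.conf, the same review should confirm the file is readable only by the cinder service account.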

Dmitriy Rabotyagov (noonedeadpunk) wrote :

Hi,

Thanks for reporting this. Unfortunately we don't have access to the Red Hat portal. I assume that adjusting the nova policy should also do the trick?

Ryan Fuerst (rfuerst42) wrote :

Updating the [nova] settings in cinder.conf did the trick to include the credentials. Was never able to figure out a policy adjustment for this.

Dmitriy Rabotyagov (noonedeadpunk) wrote :

Well, it's interesting, since I don't see these options among those supported for cinder: https://docs.openstack.org/cinder/latest/configuration/block-storage/config-options.html#id7

But it seems you're right, and this part will try to use the creds: https://opendev.org/openstack/cinder/src/branch/master/cinder/compute/nova.py#L98-L100

The only concern left is whether it will create any security issues, since all requests to nova will be issued with admin credentials instead of user ones.

Dmitriy Rabotyagov (noonedeadpunk) wrote :

Worth mentioning that the issue is raised when resize is accomplished with tenant privileges (with admin it's passing nicely)

Changed in openstack-ansible:
status: New → Triaged
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible-os_cinder (master)

Fix proposed to branch: master
Review: https://review.opendev.org/761637

Changed in openstack-ansible:
assignee: nobody → Dmitriy Rabotyagov (noonedeadpunk)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-os_cinder (master)

Reviewed: https://review.opendev.org/761637
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible-os_cinder/commit/?id=00a38c6584c09168faad135f10d265ad9c86efba
Submitter: Zuul
Branch: master

commit 00a38c6584c09168faad135f10d265ad9c86efba
Author: Dmitriy Rabotyagov <email address hidden>
Date: Thu Nov 5 18:41:50 2020 +0200

    Define credentials for nova interaction

    By default cinder will use tenant token for interaction with nova.
    However for resize of the in-use volume cinder needs to have admin
    credentials set for such kind of interactions

    Change-Id: Id32d3a5727fc96e07e09332beb7265610e5c8b10
    Closes-Bug: #1902914

Changed in openstack-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible-os_cinder (stable/train)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible-os_cinder/+/778113
Committed: https://opendev.org/openstack/openstack-ansible-os_cinder/commit/ef9c10297b31cba58786bbd79cc4573b15f77d9e
Submitter: "Zuul (22348)"
Branch: stable/train

commit ef9c10297b31cba58786bbd79cc4573b15f77d9e
Author: Dmitriy Rabotyagov <email address hidden>
Date: Thu Nov 5 18:41:50 2020 +0200

    Define credentials for nova interaction

    By default cinder will use tenant token for interaction with nova.
    However for resize of the in-use volume cinder needs to have admin
    credentials set for such kind of interactions

    Change-Id: Id32d3a5727fc96e07e09332beb7265610e5c8b10
    Closes-Bug: #1902914
    (cherry picked from commit 00a38c6584c09168faad135f10d265ad9c86efba)
    (cherry picked from commit 1e6ec68a1d595fa9c0772b2edc4b1c1eafae38c3)

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_cinder train-eol

This issue was fixed in the openstack/openstack-ansible-os_cinder train-eol release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_cinder ussuri-eol

This issue was fixed in the openstack/openstack-ansible-os_cinder ussuri-eol release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_cinder yoga-eom

This issue was fixed in the openstack/openstack-ansible-os_cinder yoga-eom release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_cinder victoria-eom

This issue was fixed in the openstack/openstack-ansible-os_cinder victoria-eom release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_cinder wallaby-eom

This issue was fixed in the openstack/openstack-ansible-os_cinder wallaby-eom release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible-os_cinder xena-eom

This issue was fixed in the openstack/openstack-ansible-os_cinder xena-eom release.
