Cases of role _member_ across OSA may need updating to member

Bug #2029486 reported by Andrew Bonney
This bug affects 1 person
Affects: OpenStack-Ansible
Status: Fix Released
Importance: High
Assigned to: Dmitriy Rabotyagov

Bug Description

Keystone introduced default roles of member, reader and admin in Rocky. Service policy has gradually been adopting these roles, and with enforcement switching on for Nova in 2023.1 they become more important. Historically it appears that OSA created a default '_member_' role, but when new policy is enabled this isn't sufficient for users to perform basic operations.

A workaround for existing deployments using '_member_' appears to be to create an 'implied role' in Keystone linking '_member_' to 'member', but in order for fresh deployments to work out of the box it appears that a number of OSA roles require cleanup to use the new default role name:

The following codesearch points at repos which might require attention: https://tinyurl.com/muvt57jm

Changed in openstack-ansible:
assignee: nobody → Dmitriy Rabotyagov (noonedeadpunk)
status: New → Confirmed
importance: Undecided → High
admin0 (shashi-eu) wrote :

I upgraded OSA from 26.1.1 -> 27.0.1 and encountered the issue where it started giving errors like "Policy doesn't allow os_compute_api:servers:detail to be performed. (HTTP 403) (Request-ID: xx-xx-xx)"

The fix was to change the role of the user from _member_ to member (without the underscores). Validated by logging in as a user with access to two projects, where the one with the _member_ role gives an error and the one with just "member" does not.

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/openstack-ansible/+/891400

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible-os_ironic (master)
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible-os_adjutant (master)
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible-os_sahara (master)
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible-os_horizon (master)
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible-os_swift (master)
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible-os_keystone (master)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/openstack-ansible/+/891473

Changed in openstack-ansible:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible-os_ironic (master)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/891461
Committed: https://opendev.org/openstack/openstack-ansible-os_ironic/commit/f5180b7ba111c8ea3d6e0a4ab6b8d66363bf18d6
Submitter: "Zuul (22348)"
Branch: master

commit f5180b7ba111c8ea3d6e0a4ab6b8d66363bf18d6
Author: Dmitriy Rabotyagov <email address hidden>
Date: Tue Aug 15 13:02:56 2023 +0200

    Stop referring to _member_ role

    Keystone has stopped providing or referring to `_member_` role for a while,
    thus role should not be referenced anymore.

    Moreover, with 2023.1 service policies have dropped `_member_`
    which resulted in the role to be insufficient for basic operations.

    Change-Id: I3ee97d4b7a3070211dbba3824f9d605da3b8bd01
    Related-Bug: #2029486

OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible-os_keystone (master)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/891466
Committed: https://opendev.org/openstack/openstack-ansible-os_keystone/commit/9ca29f5754a89035e23d58dc7d618da6133e2501
Submitter: "Zuul (22348)"
Branch: master

commit 9ca29f5754a89035e23d58dc7d618da6133e2501
Author: Dmitriy Rabotyagov <email address hidden>
Date: Tue Aug 15 13:18:45 2023 +0200

    Stop referring to _member_ role

    Keystone has stopped providing or referring to `_member_` role for a while,
    thus role should not be referenced anymore.

    Moreover, with 2023.1 service policies have dropped `_member_`
    which resulted in the role to be insufficient for basic operations.

    Change-Id: I5732f9197902fccb96eb8537050849a1692d3725
    Related-Bug: #2029486

OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible-os_swift (master)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible-os_swift/+/891465
Committed: https://opendev.org/openstack/openstack-ansible-os_swift/commit/1d0bba49a7ff8b469007d596451927374a2e2c2e
Submitter: "Zuul (22348)"
Branch: master

commit 1d0bba49a7ff8b469007d596451927374a2e2c2e
Author: Dmitriy Rabotyagov <email address hidden>
Date: Tue Aug 15 13:10:38 2023 +0200

    Stop referring to _member_ role

    Keystone has stopped providing or referring to `_member_` role for a while,
    thus role should not be referenced anymore.

    Moreover, with 2023.1 service policies have dropped `_member_`
    which resulted in the role to be insufficient for basic operations.

    Change-Id: I4d6eacae2041b0a00114dda4e8315d4ec6295319
    Related-Bug: #2029486

OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible/+/891400
Committed: https://opendev.org/openstack/openstack-ansible/commit/5d0dc724867d86bcc708236424da62be83cc2958
Submitter: "Zuul (22348)"
Branch: master

commit 5d0dc724867d86bcc708236424da62be83cc2958
Author: Dmitriy Rabotyagov <email address hidden>
Date: Tue Aug 15 12:59:17 2023 +0200

    Stop referring to _member_ role

    Keystone has stopped providing or referring to `_member_` role for a while,
    thus role should not be referenced anymore.

    Moreover, with 2023.1 service policies have dropped `_member_`
    which resulted in the role to be insufficient for basic operations.

    Related-Bug: #2029486
    Change-Id: If492469acc3832d822877777e9a66fef69a10249

OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible-os_sahara (master)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible-os_sahara/+/891463
Committed: https://opendev.org/openstack/openstack-ansible-os_sahara/commit/2843f27804fd88b5e03d4e760d22cd7c1de5308b
Submitter: "Zuul (22348)"
Branch: master

commit 2843f27804fd88b5e03d4e760d22cd7c1de5308b
Author: Dmitriy Rabotyagov <email address hidden>
Date: Tue Aug 15 13:06:58 2023 +0200

    Stop referring to _member_ role

    Keystone has stopped providing or referring to `_member_` role for a while,
    thus role should not be referenced anymore.

    Moreover, with 2023.1 service policies have dropped `_member_`
    which resulted in the role to be insufficient for basic operations.

    Change-Id: Ie43a6edc4ef44b7b92905cf9d59be53edeb1b946
    Related-Bug: #2029486

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible/+/891473
Committed: https://opendev.org/openstack/openstack-ansible/commit/8d5be31297606d54ba77d8368fba0cb174464ff8
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 8d5be31297606d54ba77d8368fba0cb174464ff8
Author: Dmitriy Rabotyagov <email address hidden>
Date: Tue Aug 15 15:23:54 2023 +0200

    Make `_member_` role to imply `member`

    With policy updates _member_ role is not a valid one anymore
    and does not grant reader or member permissions.

    Since plenty of deployments still do have legacy _member_ role,
    we're adding an extra upgrade step, that will make legacy
    `_member_` role to imply currently relevant `member`.

    While this will work for most use cases, due to the keystone bug #2030061
    application credentials with _member_ role still will be affected.

    Closes-Bug: #2029486
    Change-Id: Ia0c5773d512b868ee3374b8ee1729982e4f722e3
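
An added example, not part of the bug thread or of OpenStack-Ansible's code: an offline audit that lists which actors still depend on `_member_` alone, and shows the effect of the `_member_` → `member` implied role described in the bug description and in the commit above. The sample rows are constructed, and the JSON field names are assumed to match `openstack role assignment list --names -f json`.

```python
import json
from collections import defaultdict

# Constructed sample rows; the field names are an assumption of this example
# (shaped like `openstack role assignment list --names -f json`).
SAMPLE = json.loads("""
[
 {"Role": "_member_", "User": "alice@Default", "Group": "", "Project": "web@Default"},
 {"Role": "member",   "User": "alice@Default", "Group": "", "Project": "db@Default"},
 {"Role": "_member_", "User": "bob@Default",   "Group": "", "Project": "web@Default"},
 {"Role": "member",   "User": "bob@Default",   "Group": "", "Project": "web@Default"},
 {"Role": "_member_", "User": "", "Group": "ops@Default", "Project": "db@Default"}
]
""")

# Keystone's default implied-role chain: admin -> member -> reader.
DEFAULT_IMPLIED = {"admin": {"member"}, "member": {"reader"}}


def expand(roles, implied):
    """Return the given roles plus everything they imply, transitively."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(implied.get(role, ()))
    return seen


def legacy_only(assignments, implied, required="member"):
    """(actor, project) pairs that hold `_member_` but whose effective
    roles on that project do not include `required`."""
    held = defaultdict(set)
    for row in assignments:
        actor = row["User"] or row["Group"]
        if row.get("Project"):
            held[(actor, row["Project"])].add(row["Role"])
    return sorted(key for key, roles in held.items()
                  if "_member_" in roles
                  and required not in expand(roles, implied))


def with_workaround(implied):
    """Copy of the implied-role map with `_member_` -> `member` added."""
    updated = {role: set(targets) for role, targets in implied.items()}
    updated.setdefault("_member_", set()).add("member")
    return updated


if __name__ == "__main__":
    for actor, project in legacy_only(SAMPLE, DEFAULT_IMPLIED):
        print(f"{actor} on {project}: holds only _member_")
    print("after implied role:",
          legacy_only(SAMPLE, with_workaround(DEFAULT_IMPLIED)))
```

The model covers role assignments only; per the commit message above, application credentials holding `_member_` are still affected (Keystone bug #2030061).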

OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible-os_horizon (master)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/891464
Committed: https://opendev.org/openstack/openstack-ansible-os_horizon/commit/b9cc0f3cdede7b581d4823932c52ad1e5aee0ab4
Submitter: "Zuul (22348)"
Branch: master

commit b9cc0f3cdede7b581d4823932c52ad1e5aee0ab4
Author: Dmitriy Rabotyagov <email address hidden>
Date: Tue Aug 15 13:08:36 2023 +0200

    Stop referring to _member_ role

    Keystone has stopped providing or referring to `_member_` role for a while,
    thus role should not be referenced anymore.

    Moreover, with 2023.1 service policies have dropped `_member_`
    which resulted in the role to be insufficient for basic operations.

    Change-Id: I99bf418c6cb93d5f3cafc818a8cc876a49fb0357
    Related-Bug: #2029486

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible-os_horizon (stable/2023.1)

Related fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/892094

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible-os_sahara (stable/2023.1)

Related fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/openstack-ansible-os_sahara/+/892095

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible-os_swift (stable/2023.1)

Related fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/openstack-ansible-os_swift/+/892097

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible-os_keystone (stable/2023.1)

Related fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/892098

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible (stable/2023.1)

Related fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/openstack-ansible/+/892096

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible-os_ironic (stable/2023.1)

Related fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/892100

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible-os_adjutant (stable/2023.1)

Related fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/openstack-ansible-os_adjutant/+/892099

OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible-os_keystone (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible-os_keystone/+/892098
Committed: https://opendev.org/openstack/openstack-ansible-os_keystone/commit/ea58c9f8f5825cf9e699c6a00f5e528b58ff8e45
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit ea58c9f8f5825cf9e699c6a00f5e528b58ff8e45
Author: Dmitriy Rabotyagov <email address hidden>
Date: Tue Aug 15 13:18:45 2023 +0200

    Stop referring to _member_ role

    Keystone has stopped providing or referring to `_member_` role for a while,
    thus role should not be referenced anymore.

    Moreover, with 2023.1 service policies have dropped `_member_`
    which resulted in the role to be insufficient for basic operations.

    Change-Id: I5732f9197902fccb96eb8537050849a1692d3725
    Related-Bug: #2029486

OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible-os_ironic (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible-os_ironic/+/892100
Committed: https://opendev.org/openstack/openstack-ansible-os_ironic/commit/ae70d0bccf907397e5f03e1a242620f1c6163679
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit ae70d0bccf907397e5f03e1a242620f1c6163679
Author: Dmitriy Rabotyagov <email address hidden>
Date: Tue Aug 15 13:02:56 2023 +0200

    Stop referring to _member_ role

    Keystone has stopped providing or referring to `_member_` role for a while,
    thus role should not be referenced anymore.

    Moreover, with 2023.1 service policies have dropped `_member_`
    which resulted in the role to be insufficient for basic operations.

    Change-Id: I3ee97d4b7a3070211dbba3824f9d605da3b8bd01
    Related-Bug: #2029486

OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible-os_swift (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible-os_swift/+/892097
Committed: https://opendev.org/openstack/openstack-ansible-os_swift/commit/759957d1387a3fcdf224ab7a638cc1880a13cc56
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 759957d1387a3fcdf224ab7a638cc1880a13cc56
Author: Dmitriy Rabotyagov <email address hidden>
Date: Tue Aug 15 13:10:38 2023 +0200

    Stop referring to _member_ role

    Keystone has stopped providing or referring to `_member_` role for a while,
    thus role should not be referenced anymore.

    Moreover, with 2023.1 service policies have dropped `_member_`
    which resulted in the role to be insufficient for basic operations.

    Change-Id: I4d6eacae2041b0a00114dda4e8315d4ec6295319
    Related-Bug: #2029486

OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible-os_horizon (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible-os_horizon/+/892094
Committed: https://opendev.org/openstack/openstack-ansible-os_horizon/commit/b4b60f5fee7c5c1b6297e864bba5cd18edf0efae
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit b4b60f5fee7c5c1b6297e864bba5cd18edf0efae
Author: Dmitriy Rabotyagov <email address hidden>
Date: Tue Aug 15 13:08:36 2023 +0200

    Stop referring to _member_ role

    Keystone has stopped providing or referring to `_member_` role for a while,
    thus role should not be referenced anymore.

    Moreover, with 2023.1 service policies have dropped `_member_`
    which resulted in the role to be insufficient for basic operations.

    Change-Id: I99bf418c6cb93d5f3cafc818a8cc876a49fb0357
    Related-Bug: #2029486

OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible/+/892096
Committed: https://opendev.org/openstack/openstack-ansible/commit/558104d0783238519f38f60ed488f87cc743fc12
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 558104d0783238519f38f60ed488f87cc743fc12
Author: Dmitriy Rabotyagov <email address hidden>
Date: Tue Aug 15 12:59:17 2023 +0200

    Stop referring to _member_ role

    Keystone has stopped providing or referring to `_member_` role for a while,
    thus role should not be referenced anymore.

    Moreover, with 2023.1 service policies have dropped `_member_`
    which resulted in the role to be insufficient for basic operations.

    Related-Bug: #2029486
    Change-Id: If492469acc3832d822877777e9a66fef69a10249

OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible-os_sahara (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible-os_sahara/+/892095
Committed: https://opendev.org/openstack/openstack-ansible-os_sahara/commit/de7a652715d74c49d11db2a7cd09feab4fd6bbdc
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit de7a652715d74c49d11db2a7cd09feab4fd6bbdc
Author: Dmitriy Rabotyagov <email address hidden>
Date: Tue Aug 15 13:06:58 2023 +0200

    Stop referring to _member_ role

    Keystone has stopped providing or referring to `_member_` role for a while,
    thus role should not be referenced anymore.

    Moreover, with 2023.1 service policies have dropped `_member_`
    which resulted in the role to be insufficient for basic operations.

    Change-Id: Ie43a6edc4ef44b7b92905cf9d59be53edeb1b946
    Related-Bug: #2029486

OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible-os_adjutant (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible-os_adjutant/+/892099
Committed: https://opendev.org/openstack/openstack-ansible-os_adjutant/commit/5e4e5311bf1b6559284eb6d757f57b3cf40d631d
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 5e4e5311bf1b6559284eb6d757f57b3cf40d631d
Author: Dmitriy Rabotyagov <email address hidden>
Date: Tue Aug 15 13:04:22 2023 +0200

    Stop referring to _member_ role

    Keystone has stopped providing or referring to `_member_` role for a while,
    thus role should not be referenced anymore.

    Moreover, with 2023.1 service policies have dropped `_member_`
    which resulted in the role to be insufficient for basic operations.

    Change-Id: I08be0504b6408132b56493d6b38c485a95b413eb
    Related-Bug: #2029486

OpenStack Infra (hudson-openstack) wrote : Related fix merged to openstack-ansible-os_adjutant (master)

Reviewed: https://review.opendev.org/c/openstack/openstack-ansible-os_adjutant/+/891462
Committed: https://opendev.org/openstack/openstack-ansible-os_adjutant/commit/d2971b15670bfebef6d88a21f319d7f514e6cb8c
Submitter: "Zuul (22348)"
Branch: master

commit d2971b15670bfebef6d88a21f319d7f514e6cb8c
Author: Dmitriy Rabotyagov <email address hidden>
Date: Tue Aug 15 13:04:22 2023 +0200

    Stop referring to _member_ role

    Keystone has stopped providing or referring to `_member_` role for a while,
    thus role should not be referenced anymore.

    Moreover, with 2023.1 service policies have dropped `_member_`
    which resulted in the role to be insufficient for basic operations.

    Change-Id: I08be0504b6408132b56493d6b38c485a95b413eb
    Related-Bug: #2029486

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstack-ansible 27.1.0

This issue was fixed in the openstack/openstack-ansible 27.1.0 release.

Changed in openstack-ansible:
status: In Progress → Fix Released