Heat: policy rules should be present for heat-engine

Bug #1983342 reported by Takashi Kajinami
Affects  Status        Importance  Assigned to       Milestone
tripleo  Fix Released  High        Takashi Kajinami

Bug Description

Description
===========

This was initially reported in https://bugzilla.redhat.com/show_bug.cgi?id=2113819 .
The heat-engine service requires access to policy rules so that it can enforce policy rules for resource types.
 https://bugs.launchpad.net/puppet-heat/+bug/1983340

However, currently the heat::policy class is not loaded when generating config files for the heat-engine service, and the oslo.policy options are not rendered into the heat.conf file for heat-engine.

This prevents users from setting resource type policy rules by HeatApiPolicies.

Steps to reproduce
==================
* Create an environment file to define a resource type policy by HeatApiPolicies.

  parameter_defaults:
    HeatApiPolicies:
      'resource_types:OS::Nova::Flavor': ''

* Deploy overcloud/standalone with the environment file

* Create a stack with the flavor by a non-admin user

Expected result
===============
* Stack creation succeeds without error

Actual result
=============
* Stack creation fails because the user is not allowed to create a flavor resource

Environment
===========
* This issue was initially found in our downstream product based on stable/train

Logs & Configs
==============
N/A
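
A check for the condition this report describes, as an added example that is not part of the original report or of TripleO: for each Heat service it reads the rendered heat.conf, follows `[oslo_policy] policy_file`, and confirms the intended HeatApiPolicies overrides are present. The file paths, the sample contents and the flat quoted-line policy parser are assumptions made for the example.

```python
import configparser
import re

# One flat, quoted rule line, e.g.  'resource_types:OS::Nova::Flavor': ''
# (simplification for this example; real policy files are full YAML or JSON).
_RULE = re.compile(r"""^\s*(['"])(?P<name>.+?)\1\s*:\s*(['"])(?P<check>.*?)\3\s*$""")


def parse_policy(text):
    """Return {rule_name: check_string} for every rule line in text."""
    found = (_RULE.match(line) for line in text.splitlines())
    return {m.group("name"): m.group("check") for m in found if m}


def audit_service(name, conf_text, files, expected):
    """Return the reasons `name` would not enforce the `expected` overrides."""
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.read_string(conf_text)
    path = conf.get("oslo_policy", "policy_file", fallback=None)
    if path is None:
        return [f"{name}: [oslo_policy] policy_file is not rendered"]
    if path not in files:
        return [f"{name}: policy file {path} does not exist"]
    rules = parse_policy(files[path])
    problems = []
    for rule, check in expected.items():
        if rule not in rules:
            problems.append(f"{name}: {rule} has no override")
        elif rules[rule] != check:
            problems.append(f"{name}: {rule} is {rules[rule]!r}, expected {check!r}")
    return problems


# Constructed sample data: the state described in the report, where only the
# API service received the oslo.policy settings. Paths are assumptions.
EXPECTED = {"resource_types:OS::Nova::Flavor": ""}
POLICY = "'resource_types:OS::Nova::Flavor': ''\n"
API_CONF = "[DEFAULT]\n[oslo_policy]\npolicy_file = /etc/heat/policy.yaml\n"
ENGINE_CONF = "[DEFAULT]\n"
SERVICES = {
    "heat-api": (API_CONF, {"/etc/heat/policy.yaml": POLICY}),
    "heat-engine": (ENGINE_CONF, {}),
}

if __name__ == "__main__":
    for name, (conf_text, files) in SERVICES.items():
        for line in audit_service(name, conf_text, files, EXPECTED) or [f"{name}: ok"]:
            print(line)
```

Running the same check against every node that hosts a Heat service shows whether each enforcement point carries the same overrides.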

description: updated
Changed in tripleo:
importance: Undecided → High
assignee: nobody → Takashi Kajinami (kajinamit)
milestone: none → zed-1
tags: added: train-backport-potential wallaby-backport-potential
Changed in tripleo:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (master)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (master)
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (master)

Reviewed: https://review.opendev.org/c/openstack/puppet-tripleo/+/851803
Committed: https://opendev.org/openstack/puppet-tripleo/commit/b58a5dcb1c7afc923b8deda7f9ada60ce661099b
Submitter: "Zuul (22348)"
Branch: master

commit b58a5dcb1c7afc923b8deda7f9ada60ce661099b
Author: Takashi Kajinami <email address hidden>
Date: Tue Aug 2 16:38:30 2022 +0900

    Heat: Manage policy settings in heat-engine

    The heat-engine service requires access to policy rules so that it can
    enforce resource type policies. This change ensures the policy file and
    the related oslo.policy options are configured in the heat-engine
    service.

    Change-Id: I56511722315f265c6a88c2e112571fe70b6cebf4
    Partial-Bug: #1983342

OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/853769

OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/851806
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/d503ee5fc93c0b8303f8cb4de92d3b1f50c38237
Submitter: "Zuul (22348)"
Branch: master

commit d503ee5fc93c0b8303f8cb4de92d3b1f50c38237
Author: Takashi Kajinami <email address hidden>
Date: Tue Aug 2 16:43:27 2022 +0900

    Heat: Present policy rules for all services

    The policy rules are used not only by heat-api but also by heat-api-cfn
    and heat-engine. This change ensures the policy rules defined by
    the HeatApiPolicies parameter are rendered into hieradata in the node
    where these heat services are running, even if these services run on
    separate nodes.

    Change-Id: Ic278c69110d427118c5ff9b4bddc72493434154a
    Closes-Bug: #1983342
    Depends-on: https://review.opendev.org/851803

Changed in tripleo:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/854903

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/puppet-tripleo/+/853769
Committed: https://opendev.org/openstack/puppet-tripleo/commit/ba988212168c95473c07d6cf8e32800f96be0d70
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit ba988212168c95473c07d6cf8e32800f96be0d70
Author: Takashi Kajinami <email address hidden>
Date: Tue Aug 2 16:38:30 2022 +0900

    Heat: Manage policy settings in heat-engine

    The heat-engine service requires access to policy rules so that it can
    enforce resource type policies. This change ensures the policy file and
    the related oslo.policy options are configured in the heat-engine
    service.

    Change-Id: I56511722315f265c6a88c2e112571fe70b6cebf4
    Partial-Bug: #1983342
    (cherry picked from commit b58a5dcb1c7afc923b8deda7f9ada60ce661099b)

tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-tripleo (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/puppet-tripleo/+/861128

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/train)
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/854903
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/69bdb2d6b68be232a9ea7902559c0a2f18bddbe5
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 69bdb2d6b68be232a9ea7902559c0a2f18bddbe5
Author: Takashi Kajinami <email address hidden>
Date: Tue Aug 2 16:43:27 2022 +0900

    Heat: Present policy rules for all services

    The policy rules are used not only by heat-api but also by heat-api-cfn
    and heat-engine. This change ensures the policy rules defined by
    the HeatApiPolicies parameter are rendered into hieradata in the node
    where these heat services are running, even if these services run on
    separate nodes.

    Backport note:
    This backport additionally removes the HeatApiPolicies parameter from
    heat-api, because stable/wallaby and older releases do not have [1].

    [1] f63176e97a19f5587e5cc8a7064109d6b8a4441c

    Change-Id: Ic278c69110d427118c5ff9b4bddc72493434154a
    Closes-Bug: #1983342
    Depends-on: https://review.opendev.org/853769
    (cherry picked from commit d503ee5fc93c0b8303f8cb4de92d3b1f50c38237)

OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-tripleo (stable/train)

Reviewed: https://review.opendev.org/c/openstack/puppet-tripleo/+/861128
Committed: https://opendev.org/openstack/puppet-tripleo/commit/6347422fde15f6e228d430263a2b5e2574df3e74
Submitter: "Zuul (22348)"
Branch: stable/train

commit 6347422fde15f6e228d430263a2b5e2574df3e74
Author: Takashi Kajinami <email address hidden>
Date: Tue Aug 2 16:38:30 2022 +0900

    Heat: Manage policy settings in heat-engine

    The heat-engine service requires access to policy rules so that it can
    enforce resource type policies. This change ensures the policy file and
    the related oslo.policy options are configured in the heat-engine
    service.

    Conflicts:
            manifests/profile/base/heat/engine.pp

    Resolved conflicts caused by absolute class names used in stable/train.
    We replaced absolute class names by relative class names during ussuri
    cycle following the updated lint rules.

    Change-Id: I56511722315f265c6a88c2e112571fe70b6cebf4
    Partial-Bug: #1983342
    (cherry picked from commit b58a5dcb1c7afc923b8deda7f9ada60ce661099b)
    (cherry picked from commit ba988212168c95473c07d6cf8e32800f96be0d70)

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/train)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/861129
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/ef6bdb31288e1c0eb47fc7fa80f05ba5941078e8
Submitter: "Zuul (22348)"
Branch: stable/train

commit ef6bdb31288e1c0eb47fc7fa80f05ba5941078e8
Author: Takashi Kajinami <email address hidden>
Date: Tue Aug 2 16:43:27 2022 +0900

    Heat: Present policy rules for all services

    The policy rules are used not only by heat-api but also by heat-api-cfn
    and heat-engine. This change ensures the policy rules defined by
    the HeatApiPolicies parameter are rendered into hieradata in the node
    where these heat services are running, even if these services run on
    separate nodes.

    Backport note:
    This backport additionally removes the HeatApiPolicies parameter from
    heat-api, because stable/wallaby and older releases do not have [1].

    [1] f63176e97a19f5587e5cc8a7064109d6b8a4441c

    Change-Id: Ic278c69110d427118c5ff9b4bddc72493434154a
    Closes-Bug: #1983342
    Depends-on: https://review.opendev.org/861128
    (cherry picked from commit d503ee5fc93c0b8303f8cb4de92d3b1f50c38237)
    (cherry picked from commit 69bdb2d6b68be232a9ea7902559c0a2f18bddbe5)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 17.0.0

This issue was fixed in the openstack/tripleo-heat-templates 17.0.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates train-eol

This issue was fixed in the openstack/tripleo-heat-templates train-eol release.
