Skyline system scope support

Bug #2013056 reported by J
This bug affects 3 people
| Affects | Status | Importance | Assigned to | Milestone |
| skyline console | Confirmed | Wishlist | Boxiang Zhu | |

Bug Description

Hi All,

I have started testing Skyline Console and API recently with domains enabled in Keystone and noticed a problem which is similar to https://bugs.launchpad.net/horizon/+bug/1971592. From a quick analysis, Skyline is not generating a system-scope token to perform system-scope operations.

2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application oslo_policy.policy.InvalidScope: "identity:list_domains": "role:reader and system_scope:all" requires a scope of ['system'], request was made with project scope.

Steps to reproduce:
- Default configuration of OpenStack with Skyline Console and Skyline API enabled
- Created a skyline user with the system-scope admin role and the admin role in the service project
- enforce_scope set to true in keystone.conf

Expected Result:
As per the Keystone documentation, the list_domains action needs role:reader and system_scope:all, which should be satisfied by adding the admin role with system scope to the skyline user.

| Role | User | Group | Project | Domain | System | Inherited |
| admin | skyline@Default | | | | all | False |
| admin | skyline@Default | | service@Default | | | False |

Domains should be visible in skyline login page in a dropdown menu.

Actual result:

Domains are not listed in the dropdown menu. The following events are visible in the Keystone logs:

2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application oslo_policy.policy.InvalidScope: "identity:list_domains": "role:reader and system_scope:all" requires a scope of ['system'], request was made with project scope.

2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application
2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application During handling of the above exception, another exception occurred:
2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application
2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application Traceback (most recent call last):
2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/flask/app.py", line 1820, in full_dispatch_request
2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application rv = self.dispatch_request()
2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/flask/app.py", line 1796, in dispatch_request
2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/flask_restful/__init__.py", line 467, in wrapper
2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application resp = resource(*args, **kwargs)
2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/flask/views.py", line 107, in view
2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application return current_app.ensure_sync(self.dispatch_request)(**kwargs)
2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/flask_restful/__init__.py", line 582, in dispatch_request
2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application resp = meth(*args, **kwargs)
2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/api/domains.py", line 90, in get
2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application return self._list_domains()
2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/api/domains.py", line 102, in _list_domains
2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application ENFORCER.enforce_call(action='identity:list_domains',
2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/common/rbac_enforcer/enforcer.py", line 455, in enforce_call
2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application enforcer_obj._enforce(
2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application File "/var/lib/kolla/venv/lib/python3.10/site-packages/keystone/common/rbac_enforcer/enforcer.py", line 130, in _enforce
2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application raise exception.ForbiddenAction(action=action)
2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application keystone.exception.ForbiddenAction: You are not authorized to perform the requested action: identity:list_domains.
2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application

Environment:
- Fresh install of OpenStack master from kolla-ansible
- skyline-apiserver 1.1.0.dev19
- docker image based on ubuntu 22.04

skyline_apiserver.yaml:
default:
  access_token_expire: 3600
  access_token_renew: 1800
  cors_allow_origins: []
  database_url: mysql://skyline:*redacted*@10.6.44.210:3306/skyline
  debug: True
  log_dir: /var/log/kolla/skyline
  secret_key: *redacted*
  session_name: session
openstack:
  base_domains:
  - heat_user_domain
  default_region: LAB-01
  extension_mapping:
    floating-ip-port-forwarding: neutron_port_forwarding
    qos: neutron_qos
    vpnaas: neutron_vpn
  keystone_url: http://10.6.44.210:5000/v3/
  nginx_prefix: /api/openstack
  reclaim_instance_interval: 604800
  service_mapping:
    compute: nova
    identity: keystone
    image: glance
    key-manager: barbican
    network: neutron
    orchestration: heat
    placement: placement
    volumev3: cinder
  system_admin_roles:
  - admin
  system_project: service
  system_project_domain: Default
  system_reader_roles:
  - system_reader
  system_user_domain: Default
  system_user_name: skyline
  system_user_password: *redacted*

When should we expect scopes to be implemented in skyline?
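
Added example (not part of the original report, and not Skyline or Keystone code): Python that extracts scope mismatches from Keystone log lines in the InvalidScope format quoted above and builds a Keystone v3 password-auth body requesting the scope the policy requires. The function names and the placeholder password are assumptions made for illustration.

```python
import re

# Matches the oslo.policy InvalidScope message format quoted in the report.
INVALID_SCOPE = re.compile(
    r'InvalidScope: "(?P<action>[^"]+)": "(?P<rule>[^"]+)" requires a scope of '
    r"\[(?P<required>[^\]]*)\], request was made with (?P<actual>\w+) scope"
)

def scope_mismatches(lines):
    """Return action, rule, required scopes and actual scope per InvalidScope line."""
    found = []
    for line in lines:
        m = INVALID_SCOPE.search(line)
        if m:
            required = [s.strip(" '\"") for s in m["required"].split(",") if s.strip()]
            found.append({"action": m["action"], "rule": m["rule"],
                          "required": required, "actual": m["actual"]})
    return found

def auth_body(user, password, user_domain, scope, project=None, project_domain=None):
    """Build a Keystone v3 password auth request body for the given scope type."""
    if scope == "system":
        scope_obj = {"system": {"all": True}}
    elif scope == "project":
        scope_obj = {"project": {"name": project, "domain": {"name": project_domain}}}
    else:
        raise ValueError(f"unsupported scope: {scope}")
    user_obj = {"name": user, "password": password, "domain": {"name": user_domain}}
    identity = {"methods": ["password"], "password": {"user": user_obj}}
    return {"auth": {"identity": identity, "scope": scope_obj}}

# Sample input: both lines are copied from the log in the report; the second
# (ForbiddenAction) carries no scope detail and is skipped by the parser.
SAMPLE_LOG = [
    '2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application '
    'oslo_policy.policy.InvalidScope: "identity:list_domains": '
    '"role:reader and system_scope:all" '
    "requires a scope of ['system'], request was made with project scope.",
    '2023-03-28 10:07:08.444 23 ERROR keystone.server.flask.application '
    'keystone.exception.ForbiddenAction: You are not authorized to perform '
    'the requested action: identity:list_domains.',
]

if __name__ == "__main__":
    for hit in scope_mismatches(SAMPLE_LOG):
        print(f'{hit["action"]}: token was {hit["actual"]}-scoped, needs {hit["required"]}')
        # "PLACEHOLDER" is a constructed value, not a real credential.
        body = auth_body("skyline", "PLACEHOLDER", "Default", hit["required"][0])
        print("scope to request:", body["auth"]["scope"])
```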

Boxiang Zhu (bxzhu-5355) wrote :

Thanks for your tests for Skyline. We (the Skyline team) will discuss this and see how to support system scope in Skyline.

Changed in skyline-console:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Boxiang Zhu (bxzhu-5355)
importance: Medium → Wishlist
J (unrec0gnized) wrote :

Thank you very much for your time and quick response. Looking forward to those features.

Regards,
J
