sw-manager does not work with openrc downloaded from horizon

Bug #1989796 reported by Jerry Sun
This bug affects 1 person
Affects: StarlingX
Status: Fix Released
Importance: Low
Assigned to: Jerry Sun

Bug Description

Brief Description
-----------------
After sourcing an openrc file downloaded from Horizon, sw-manager commands fail with "Project domain name not given". This happens even with the "admin" user.

Severity
--------
Minor: System/Feature is usable with minor issue

Steps to Reproduce
------------------
Log in to Horizon and download the openrc file. Source it. Run a sw-manager command like "sw-manager patch-strategy show".

Expected Behavior
------------------
Command completes successfully, or is denied if the user is not authorized

Actual Behavior
----------------
"Project domain name not given"

Reproducibility
---------------
100% reproducible

System Configuration
--------------------
multi-node system

Branch/Pull Time/Commit
-----------------------
pull 2022-09-15

Jerry Sun (jerry-sun-u)
Changed in starlingx:
assignee: nobody → Jerry Sun (jerry-sun-u)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nfv (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/nfv/+/857945

Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nfv (master)

Reviewed: https://review.opendev.org/c/starlingx/nfv/+/857945
Committed: https://opendev.org/starlingx/nfv/commit/f22b46efbf91792df41db1764218a7ae89e85b43
Submitter: "Zuul (22348)"
Branch: master

commit f22b46efbf91792df41db1764218a7ae89e85b43
Author: Jerry Sun <email address hidden>
Date: Thu Sep 15 14:22:56 2022 -0400

    Set default project domain name to "Default"

    Openrc files downloaded through Horizon do not set
    OS_PROJECT_DOMAIN_NAME. This means openrc files downloaded from
    horizon cannot be used to issue commands to sw-manager, even if
    the user they refer to is supposed to be able to issue commands
    to sw-manager. This is because nfv-client rejects commands if no
    project domain name is specified.

    This commit sets the nfv-client's project domain name to "Default"
    when none is passed through command line parameters or environment
    variables.

    The "Default" domain is the default for openstack deployments and
    starlingx. Assuming it as a default will not expose a security risk
    as this information is not a secret. Users can override the default
    value of "Default" by specifying the project domain name through
    environment variables or the command line.

    A change in nfv-client is done over a change in horizon in order to
    minimize changes to components that starlingx does not own. Also,
    none of starlingx's other components uses the project domain name.

    Nfv client's authentication mechanism is not changed to use something
    other than project domain name because that is a major change, and
    could potentially cause compatibility issues with
    (orchestrated) upgrades.

    Test Cases:

    PASS: sw-manager upgrade-strategy-show with /etc/platform/openrc
    PASS: sw-manager upgrade-strategy-show with admin openrc from horizon
          ensure it is successful instead of failure due to lack of
          project domain name
    PASS: sw-manager upgrade-strategy-show with admin openrc from horizon,
          then manually specifying incorrect OS_PROJECT_DOMAIN_NAME through
          environment variable. Ensure this failed and that authentication
          actually uses this field.

    Change-Id: Ib2e22e9f5556b01115ab0adfb3c9a399825c49d5
    Closes-bug: 1989796
    Signed-off-by: Jerry Sun <email address hidden>
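
The fallback order the commit message describes (command line, then environment, then "Default"), sketched in Python as an added example; it is not nfv-client's code. The flag name, the helper names and the sample openrc contents are assumptions, as is the choice to treat an empty variable as unset.

```python
import argparse
import shlex

DEFAULT_PROJECT_DOMAIN = "Default"  # fallback value named in the commit message

# Constructed sample: an openrc that, like the one described in this bug,
# exports no OS_PROJECT_DOMAIN_NAME. All values are placeholders.
SAMPLE_OPENRC = """\
export OS_AUTH_URL=http://keystone.example:5000/v3
export OS_USERNAME="admin"
export OS_PROJECT_NAME="admin"
export OS_USER_DOMAIN_NAME="Default"
"""


def parse_openrc(text):
    """Collect simple `export KEY=VALUE` lines into a dict (no shell expansion)."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("export ") or "=" not in line:
            continue
        key, _, raw = line[len("export "):].partition("=")
        parts = shlex.split(raw)  # strips surrounding quotes
        env[key.strip()] = parts[0] if parts else ""
    return env


def resolve_project_domain(argv, environ):
    """Return (domain, source). Precedence: command line, environment, default."""
    parser = argparse.ArgumentParser(add_help=False)
    # Flag name is an assumption, following common OpenStack client convention.
    parser.add_argument("--os-project-domain-name", default=None)
    args, _rest = parser.parse_known_args(argv)
    if args.os_project_domain_name:
        return args.os_project_domain_name, "cli"
    # Design choice of this example: empty or whitespace-only counts as unset.
    env_value = environ.get("OS_PROJECT_DOMAIN_NAME", "").strip()
    if env_value:
        return env_value, "env"
    return DEFAULT_PROJECT_DOMAIN, "default"


if __name__ == "__main__":
    env = parse_openrc(SAMPLE_OPENRC)
    print(resolve_project_domain(["patch-strategy", "show"], env))
    env["OS_PROJECT_DOMAIN_NAME"] = "not-a-real-domain"  # third test case
    print(resolve_project_domain(["patch-strategy", "show"], env))
```

Returning the source alongside the value lets a client log when the default was assumed, and the third test case above depends on an explicitly supplied value never being replaced by the fallback.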

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.8.0 stx.security
tags: added: stx.nfv