Some tests fail when running keystone v3 with policy.v3cloudsample.json

Bug #1659515 reported by Liam Young
Affects: tempest | Status: Expired | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Running tempest full against a Keystone v3 enabled cloud using the stable newton policy.v3cloudsample.json *1 is failing for me.

What I'm seeing is that some tests (like tempest.api.compute.admin.test_quotas) fail when they try to list_domains. This seems to be because the test creates:

1) A new project in the admin domain
2) A new user in the admin domain
3) Grants the admin role on the new project to the new user.

The test then authenticates with the new user's credentials and attempts to list_domains. The policy.json, however, has:

    "cloud_admin": "role:admin and (token.is_admin_project:True or domain_id:363ab68785c24c81a784edca1bceb935)",
...
    "identity:list_domains": "rule:cloud_admin",

From tempest I see:

======================================================================
FAIL: tempest.api.compute.admin.test_quotas.QuotasAdminTestJSON.test_delete_quota[id-389d04f0-3a41-405f-9317-e5f86e3c44f0]
tags: worker-0
----------------------------------------------------------------------
Empty attachments:
  stderr
  stdout

pythonlogging:'': {{{2017-01-23 15:57:09,806 2014 INFO [tempest.lib.common.rest_client] Request (QuotasAdminTestJSON:test_delete_quota): 403 GET http://10.5.36.109:35357/v3/domains?name=admin_domain 0.066s}}}

Traceback (most recent call last):
  File "tempest/api/compute/admin/test_quotas.py", line 128, in test_delete_quota
    project = self.identity_utils.create_project(name=project_name,
  File "tempest/test.py", line 470, in identity_utils
    project_domain_name=domain)
  File "tempest/lib/common/cred_client.py", line 210, in get_creds_client
    roles_client, domains_client, project_domain_name)
  File "tempest/lib/common/cred_client.py", line 142, in __init__
    name=domain_name)['domains'][0]
  File "tempest/lib/services/identity/v3/domains_client.py", line 57, in list_domains
    resp, body = self.get(url)
  File "tempest/lib/common/rest_client.py", line 290, in get
    return self.request('GET', url, extra_headers, headers)
  File "tempest/lib/common/rest_client.py", line 663, in request
    self._error_checker(resp, resp_body)
  File "tempest/lib/common/rest_client.py", line 755, in _error_checker
    raise exceptions.Forbidden(resp_body, resp=resp)
tempest.lib.exceptions.Forbidden: Forbidden
Details: {u'message': u'You are not authorized to perform the requested action: identity:list_domains', u'code': 403, u'title': u'Forbidden'}

In the keystone log I see:

(keystone.policy.backends.rules): 2017-01-23 15:35:57,198 DEBUG enforce identity:list_domains: {'is_delegated_auth': False,
'access_token_id': None,
'user_id': u'3fd9e70825d648d996080d855cf9c181',
'roles': [u'Admin'],
'user_domain_id': u'363ab68785c24c81a784edca1bceb935',
'consumer_id': None,
'trustee_id': None,
'is_domain': False,
'trustor_id': None,
'token': <KeystoneToken (audit_id=4cQHEfwhSvuvibK4TAjKUw, audit_chain_id=4cQHEfwhSvuvibK4TAjKUw) at 0x7fbcceaa33c8>,
'project_id': u'b48ba24e96d84de4a48077b9310faac7',
'trust_id': None,
'project_domain_id': u'363ab68785c24c81a784edca1bceb935'}
(keystone.common.wsgi): 2017-01-23 15:35:57,199 WARNING You are not authorized to perform the requested action: identity:list_domains

This appears to be project scoped. If I update the policy.json to grant cloud_admin if the project is in the admin domain then that seems to fix things. The change I'm trying is:

 3c3,4
< "cloud_admin": "role:admin and (token.is_admin_project:True or domain_id:admin_domain_id)",
---
> "bob": "project_domain_id:363ab68785c24c81a784edca1bceb935 or domain_id:363ab68785c24c81a784edca1bceb935",
> "cloud_admin": "role:admin and (token.is_admin_project:True or rule:bob)",
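Review bot: the new `bob` rule, and through it `cloud_admin`, now matches any holder of the admin role whose project lives in the admin domain (`project_domain_id:...`), not only a domain-scoped token for that domain or the admin project as on the `<` line; since the failing test creates exactly such a project and user on the fly, every tempest-created admin-role user in that domain becomes a cloud admin, which is a widening of the policy and should be described as one rather than as a fix. Two smaller points: name the rule for what it matches (for example `admin_domain_scope` rather than `bob`), and note that the `<` line still carries the sample file's `admin_domain_id` placeholder while the `>` lines hardcode the domain id.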

I did notice this comment on Bug #1451987 *2:

If you see the following errors for all identity API v3 tests, then please be aware that it's not a bug in tempest, rather you need to change keystone v3 policy.json and make it more relaxed so tempest can authorize with users created for each test with separate projects (tenants) because we set tenant_isolation to True in tempest.conf ...

...but I would think that policy.v3cloudsample.json represents the authoritative v3 policy from keystone and tempest tests should pass when using it.

Fwiw the keystone v3 gate tests use the old policy.json.

Regards
Liam

*1 https://github.com/openstack/keystone/blob/stable/newton/etc/policy.v3cloudsample.json
*2 https://bugs.launchpad.net/tempest/+bug/1451987/comments/2
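To make the policy evaluation in the report concrete, here is an added example (not code from the bug report, tempest, keystone or oslo.policy): a minimal evaluator for the subset of oslo.policy rule syntax that the quoted rules use (and/or, parentheses, `rule:` indirection, case-insensitive `role:` checks and `attr:value` checks resolved against the credentials dict). It is run against credential dicts constructed from the keystone DEBUG line above, with the KeystoneToken object reduced to a dict holding only `is_admin_project` (an assumption), first with the stable/newton `cloud_admin` rule and then with the reporter's relaxed version. It shows that a project-scoped token carries no `domain_id` key at all, so the `domain_id:` check can never match, while the same user with a domain-scoped token passes, and that the relaxation admits every admin-role user on any project in the admin domain.

```python
import re

# Domain id copied from the policy rule and the keystone DEBUG line in the report.
ADMIN_DOMAIN = "363ab68785c24c81a784edca1bceb935"

# The two stable/newton policy.v3cloudsample.json rules the report quotes.
RULES_NEWTON = {
    "cloud_admin": "role:admin and (token.is_admin_project:True or domain_id:%s)" % ADMIN_DOMAIN,
    "identity:list_domains": "rule:cloud_admin",
}
# The reporter's proposed relaxation, with the rule name "bob" kept as posted.
RULES_RELAXED = dict(RULES_NEWTON)
RULES_RELAXED["bob"] = "project_domain_id:%s or domain_id:%s" % (ADMIN_DOMAIN, ADMIN_DOMAIN)
RULES_RELAXED["cloud_admin"] = "role:admin and (token.is_admin_project:True or rule:bob)"
_TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")   # parentheses are tokens even without spaces

class _Parser:
    # Recursive descent over 'kind:match' checks joined by and/or; 'and' binds tighter.
    def __init__(self, expr):
        self.toks, self.pos = _TOKEN_RE.findall(expr), 0
        self.tree = self._or()
        if self.pos != len(self.toks):
            raise ValueError("trailing tokens in rule %r" % expr)

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _or(self):
        node = self._and()
        while self._peek() == "or":
            self.pos += 1
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._atom()
        while self._peek() == "and":
            self.pos += 1
            node = ("and", node, self._atom())
        return node

    def _atom(self):
        tok, self.pos = self._peek(), self.pos + 1
        if tok == "(":
            node = self._or()
            if self._peek() != ")":
                raise ValueError("unbalanced parentheses")
            self.pos += 1
            return node
        if tok is None or ":" not in tok:
            raise ValueError("expected kind:match check, got %r" % tok)
        return ("check",) + tuple(tok.split(":", 1))

class Enforcer:
    # Stand-in for oslo.policy's Enforcer: default deny, rule: indirection, role: and attr:value checks.
    def __init__(self, rules):
        self.rules = {name: _Parser(expr).tree for name, expr in rules.items()}

    def enforce(self, action, creds):
        if action not in self.rules:
            return False                      # unknown action: deny
        return self._eval(self.rules[action], creds)

    def _eval(self, node, creds):
        if node[0] == "or":
            return self._eval(node[1], creds) or self._eval(node[2], creds)
        if node[0] == "and":
            return self._eval(node[1], creds) and self._eval(node[2], creds)
        kind, match = node[1], node[2]
        if kind == "rule":
            return self.enforce(match, creds)
        if kind == "role":
            # The DEBUG line shows roles: ['Admin']; role names compare case-insensitively.
            return match.lower() in [r.lower() for r in creds.get("roles", [])]
        value = creds
        for key in kind.split("."):          # dotted path, e.g. token.is_admin_project
            if not isinstance(value, dict) or key not in value:
                return False                 # absent key: what domain_id hits under a project scope
            value = value[key]
        return str(value) == match

# Constructed creds modelled on the keystone DEBUG line; the KeystoneToken object is
# reduced to a dict holding the one attribute the rule reads (an assumption).
PROJECT_SCOPED = {
    "roles": ["Admin"],
    "user_domain_id": ADMIN_DOMAIN,
    "project_id": "b48ba24e96d84de4a48077b9310faac7",
    "project_domain_id": ADMIN_DOMAIN,
    "token": {"is_admin_project": False},
}
DOMAIN_SCOPED = {k: v for k, v in PROJECT_SCOPED.items() if not k.startswith("project_")}
DOMAIN_SCOPED["domain_id"] = ADMIN_DOMAIN     # only a domain-scoped token carries this

def can_list_domains(rules, creds):
    return Enforcer(rules).enforce("identity:list_domains", creds)

if __name__ == "__main__":
    for label, rules in (("newton", RULES_NEWTON), ("relaxed", RULES_RELAXED)):
        for scope, creds in (("project", PROJECT_SCOPED), ("domain", DOMAIN_SCOPED)):
            print("%s policy, %s-scoped token: %s" % (label, scope, can_list_domains(rules, creds)))
```

The generic check is the crux: `domain_id:` is looked up as a key of the credentials, and a project-scoped token populates `project_id` and `project_domain_id` instead, so the user being a member of the admin domain (`user_domain_id`) is irrelevant to the rule. That is why a domain-scoped token is the intended way to satisfy the sample policy, and why the relaxed rule passes the project-scoped case: it keys on the project's domain rather than the token's scope.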

Andrea Frittoli (andrea-frittoli) wrote :

Tempest now supports domain scoped tokens exactly for this.
Have you tried the latest tempest? Are you still experiencing this?

Andrea Frittoli (andrea-frittoli) wrote :

Marking as incomplete until new input is received.

Changed in tempest:
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for tempest because there has been no activity for 60 days.]

Changed in tempest:
status: Incomplete → Expired