tripleo

Error when polling swift resources

Bug #1987273 reported by Yadnesh Kulkarni
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
tripleo
Fix Released
Medium
Yadnesh Kulkarni
tripleo zed-1

Bug Description

Swift client forbids ceilometer user to access swift objects
~~~
2022-08-22 09:20:30.676 14 INFO ceilometer.polling.manager [-] Polling pollster storage.objects.size in the context of some_pollsters
2022-08-22 09:20:30.681 14 INFO swiftclient [-] REQ: curl -i None -I -H "X-Auth-Token: gAAAAABjA0pe6TRM..."
2022-08-22 09:20:30.681 14 INFO swiftclient [-] RESP STATUS: 403 Forbidden
2022-08-22 09:20:30.681 14 INFO swiftclient [-] RESP HEADERS: {'content-type': 'text/html; charset=UTF-8', 'content-length': '0', 'x-trans-id': 'txd21a836454fd4370afb50-0063034a5e', 'x-openstack-request-id': 'txd21a836454fd4370afb50-0063034a5e', 'date': 'Mon, 22 Aug 2022 09:20:30 GMT'}
2022-08-22 09:20:30.682 14 ERROR ceilometer.polling.manager [-] Continue after error from storage.objects.size: Account HEAD failed: http://10.0.78.28:8080/v1/AUTH_e0cb95b1bd6e45c68dc237b61ac741f5 403 Forbidden (txn: txd21a836454fd4370afb50-0063034a5e): swiftclient.exceptions.ClientException: Account HEAD failed: http://10.0.78.28:8080/v1/AUTH_e0cb95b1bd6e45c68dc237b61ac741f5 403 Forbidden (txn: txd21a836454fd4370afb50-0063034a5e)
2022-08-22 09:20:30.682 14 ERROR ceilometer.polling.manager Traceback (most recent call last):
2022-08-22 09:20:30.682 14 ERROR ceilometer.polling.manager File "/usr/lib/python3.9/site-packages/ceilometer/polling/manager.py", line 194, in poll_and_notify
2022-08-22 09:20:30.682 14 ERROR ceilometer.polling.manager for sample in samples:
2022-08-22 09:20:30.682 14 ERROR ceilometer.polling.manager File "/usr/lib/python3.9/site-packages/ceilometer/objectstore/swift.py", line 132, in get_samples
2022-08-22 09:20:30.682 14 ERROR ceilometer.polling.manager for tenant, account in self._iter_accounts(manager.keystone,
2022-08-22 09:20:30.682 14 ERROR ceilometer.polling.manager File "/usr/lib/python3.9/site-packages/ceilometer/objectstore/swift.py", line 77, in _iter_accounts
2022-08-22 09:20:30.682 14 ERROR ceilometer.polling.manager cache[self.CACHE_KEY_METHOD] = list(self._get_account_info(
2022-08-22 09:20:30.682 14 ERROR ceilometer.polling.manager File "/usr/lib/python3.9/site-packages/ceilometer/objectstore/swift.py", line 101, in _get_account_info
2022-08-22 09:20:30.682 14 ERROR ceilometer.polling.manager raise e
2022-08-22 09:20:30.682 14 ERROR ceilometer.polling.manager File "/usr/lib/python3.9/site-packages/ceilometer/objectstore/swift.py", line 93, in _get_account_info
2022-08-22 09:20:30.682 14 ERROR ceilometer.polling.manager yield (t.id, swift_api_method(
2022-08-22 09:20:30.682 14 ERROR ceilometer.polling.manager File "/usr/lib/python3.9/site-packages/swiftclient/client.py", line 878, in head_account
2022-08-22 09:20:30.682 14 ERROR ceilometer.polling.manager raise ClientException.from_response(resp, 'Account HEAD failed', body)
2022-08-22 09:20:30.682 14 ERROR ceilometer.polling.manager swiftclient.exceptions.ClientException: Account HEAD failed: http://10.0.78.28:8080/v1/AUTH_e0cb95b1bd6e45c68dc237b61ac741f5 403 Forbidden (txn: txd21a836454fd4370afb50-0063034a5e)
2022-08-22 09:20:30.682 14 ERROR ceilometer.polling.manager
~~~

Assigning "ResellerAdmin" role to ceilometer user fixes it
~~~
openstack role add --user ceilometer --project service ResellerAdmin
~~~

Revision history for this message
Takashi Kajinami (kajinamit) wrote :

The issue is not related to the core ceilometer but the deployment tooling which does not assign the required roles, so I've moved this to tripleo.

affects: ceilometer → tripleo
Changed in tripleo:
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Yadnesh Kulkarni (ykulkarn)
milestone: none → zed-1
tags: added: train-backport-potential wallaby-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (master)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/854033
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/e9c9478f3afbcee9c5abdfa6dcff302aca5b76f5
Submitter: "Zuul (22348)"
Branch: master

commit e9c9478f3afbcee9c5abdfa6dcff302aca5b76f5
Author: Yadnesh Kulkarni <email address hidden>
Date: Mon Aug 22 13:32:59 2022 +0000

    Add 'ResellerAdmin' role to ceilometer user

    'ResellerAdmin' operator role allows 'ceilometer' user to access
    objects from all swift accounts(AUTH_*).

    Closes-Bug: #1987273

    Signed-off-by: Yadnesh Kulkarni <email address hidden>
    Change-Id: I5e0a0770726ade5208bc1945a1e8ae42fd185494

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/856491

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-heat-templates (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/856575

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-heat-templates (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/856491
Committed: https://opendev.org/openstack/tripleo-heat-templates/commit/6c892d72346c6b039b908433c2ddc783006e3aad
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 6c892d72346c6b039b908433c2ddc783006e3aad
Author: Yadnesh Kulkarni <email address hidden>
Date: Mon Aug 22 13:32:59 2022 +0000

    Add 'ResellerAdmin' role to ceilometer user

    'ResellerAdmin' operator role allows 'ceilometer' user to access
    objects from all swift accounts(AUTH_*).

    Closes-Bug: #1987273

    Signed-off-by: Yadnesh Kulkarni <email address hidden>
    Change-Id: I5e0a0770726ade5208bc1945a1e8ae42fd185494
    (cherry picked from commit e9c9478f3afbcee9c5abdfa6dcff302aca5b76f5)

tags: added: in-stable-wallaby
Revision history for this message
Yadnesh Kulkarni (ykulkarn) wrote :

In Train release, ResellerAdmin role was found missing when deploying swift.

https://review.opendev.org/c/openstack/tripleo-heat-templates/+/857864 ensures that this role is present before we associate ceilometer user to it. Fix is also backported to wallaby and train releases.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on tripleo-heat-templates (stable/train)

Change abandoned by "Yadnesh Kulkarni <email address hidden>" on branch: stable/train
Review: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/856575
Reason: I have merged these changes to https://review.opendev.org/c/openstack/tripleo-heat-templates/+/857866

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-heat-templates 17.0.0

This issue was fixed in the openstack/tripleo-heat-templates 17.0.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.