Bug 1565039

Summary: Unable to create encrypted volume with barbican - Order creation attempt not allowed
Product: Red Hat OpenStack Reporter: bkopilov <bkopilov>
Component: openstack-barbicanAssignee: Ade Lee <alee>
Status: CLOSED DUPLICATE QA Contact: Pavan <pkesavar>
Severity: urgent Docs Contact:
Priority: medium    
Version: 13.0 (Queens)CC: aavraham, abishop, eharney, hrybacki, kbasil, nkinder, pkesavar, tshefi
Target Milestone: ---Keywords: Triaged, ZStream
Target Release: 13.0 (Queens)   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-01-09 20:36:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1566724, 1664428, 1664429    
Bug Blocks:    

Description bkopilov 2018-04-09 08:39:11 UTC 
Description of problem:
Openstack on virsh  , 1 controller, 1 compute and 1 ceph node
Tempest trying to create an encrypted volume , fixed_key was working.

Having issue with policy pemission.
Can we force in barbican default policy to support order_creation ??
What about policy.json file with rules ?


Trying to run tempest code (downstream) ,
When trying to create a volume  , barbican main.log message:

2018-04-09 08:13:53.222 21 DEBUG barbican.api.controllers.quotas [-] === Creating ProjectsQuotaController === __init__ /usr/lib/python2.7/site-packages/barbican/api/controllers/quotas.py:117
2018-04-09 08:13:53.222 21 DEBUG barbican.api.controllers.secretstores [-] Creating SecretStoresController __init__ /usr/lib/python2.7/site-packages/barbican/api/controllers/secretstores.py:131
2018-04-09 08:13:53.224 21 INFO barbican.api.app [-] Barbican app created and initialized
2018-04-09 08:13:53.228 21 WARNING keystonemiddleware._common.config [-] The option "__file__" in conf is not known to auth_token
2018-04-09 08:13:53.229 21 WARNING keystonemiddleware._common.config [-] The option "here" in conf is not known to auth_token
2018-04-09 08:13:53.230 21 WARNING keystonemiddleware.auth_token [-] AuthToken middleware is set with keystone_authtoken.service_token_roles_required set to False. This is backwards compatible but deprecated beh
aviour. Please set this to True.
2018-04-09 08:13:53.233 21 WARNING oslo_config.cfg [-] Option "auth_uri" from group "keystone_authtoken" is deprecated. Use option "www_authenticate_uri" from group "keystone_authtoken".
2018-04-09 08:13:53.239 21 DEBUG barbican.api.controllers.versions [-] === Creating VersionsController === __init__ /usr/lib/python2.7/site-packages/barbican/api/controllers/versions.py:121
2018-04-09 08:14:18.399 27 WARNING keystonemiddleware.auth_token [-] Using the in-process token cache is deprecated as of the 4.2.0 release and may be removed in the 5.0.0 release or the 'O' development cycle. T
he in-process cache causes inconsistent results and high memory usage. When the feature is removed the auth_token middleware will not cache tokens by default which may result in performance issues. It is recomme
nded to use  memcache for the auth_token token cache by setting the memcached_servers option.
2018-04-09 08:14:19.226 27 DEBUG oslo_policy.policy [-] The policy file /etc/barbican/policy.json could not be found. load_rules /usr/lib/python2.7/site-packages/oslo_policy/policy.py:548
2018-04-09 08:14:19.233 27 ERROR barbican.api.controllers [req-c4093da4-1296-450c-beae-953e3eb1e991 8325cbdefc7e491a95a60670c16d273a - - default default] Order creation attempt not allowed - please review your u
ser/project privileges: PolicyNotAuthorized: orders:post is disallowed by policy
2018-04-09 08:14:19.235 27 INFO barbican.api.middleware.context [req-c4093da4-1296-450c-beae-953e3eb1e991 8325cbdefc7e491a95a60670c16d273a - - default default] Processed request: 403 Forbidden - POST http://172.
17.1.16:9311/v1/orders/
2018-04-09 08:14:21.840 25 WARNING keystonemiddleware.auth_token [-] Using the in-process token cache is deprecated as of the 4.2.0 release and may be removed in the 5.0.0 release or the 'O' development cycle. T
he in-process cache causes inconsistent results and high memory usage. When the feature is removed the auth_token middleware will not cache tokens by default which may result in performance issues. It is recomme
nded to use  memcache for the auth_token token cache by setting the memcached_servers option.





Version-Release number of selected component (if applicable):


How reproducible:
Run tempest code (downstream) and try to create volume with none admin user.



Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 1 Alan Bishop 2018-04-09 13:50:32 UTC 
Where are the log files?
Comment 2 Eric Harney 2018-04-09 15:01:37 UTC 
> 2018-04-09 08:14:19.233 27 ERROR barbican.api.controllers [req-c4093da4-1296-450c-beae-953e3eb1e991 8325cbdefc7e491a95a60670c16d273a - - default default] Order creation attempt not allowed - please review your u
ser/project privileges: PolicyNotAuthorized: orders:post is disallowed by policy

This happens if the request to Barbican to create the key is made by a user that isn't in the creator role.
Comment 3 Ade Lee 2018-04-09 20:09:43 UTC 
Yes, this definitely sounds like the user not having the creator role.
Comment 4 Avi Avraham 2018-04-10 11:59:53 UTC 
(In reply to Ade Lee from comment #3)
> Yes, this definitely sounds like the user not having the creator role.

Is it a configuration needed to be done in tripleO during the barbican installation or part of project configuration?
Comment 5 bkopilov 2018-04-10 13:20:44 UTC 
Hi all , 

I just installed devstack with barbican , Looks like redhat installer should install as devstack with prepared roles .

[stack@localhost ~]$ openstack role list
+----------------------------------+---------------------------+
| ID                               | Name                      |
+----------------------------------+---------------------------+
| 0f515ce019fe4144bba109a834df4752 | observer                  |
| 269c25ca337b4c0aa322ebda20b3ad7c | admin                     |
| 278a91beda464af19cd068502592972f | service                   |
| 770c909071cc446a9bd0d5156f9fa913 | creator                   |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_                  |
| a3eea10c8998431fb1d24ba5d32ee300 | anotherrole               |
| c656cac112e44ef9a253d303659ca242 | Member                    |
| cc11bfa9b8094080a8630ebd7a8a38ff | audit                     |
| f4d91c39792147e998e3affe20766a24 | ResellerAdmin             |
| fd827c52074f4d9997128ffb89a3ea78 | key-manager:service-admin |
+----------------------------------+---------------------------+


if rhos installer will not install barbican properly , we will be blocked in our testing.
Comment 6 Alan Bishop 2018-04-10 13:42:56 UTC 
Well, devstack has the luxury of performing any amount of post-deployment setup operations. There are a number of day-1 operations that OSP expects the Admin to perform that are not considered part of the TripleO deployment, so we need to be careful when comparing TripleO and devstack deployments. The question is, what does the OSP documentation for Barbican say?
Comment 11 Tzach Shefi 2018-04-29 08:01:11 UTC 
Till this is incorporated we have a workaround, on undercloud from admin user:

#openstack role create creator
#openstack role add --user demo creator  --project demo 

Where demo is user name and project name in my case. 
Unset blocker flags.
Comment 15 Nathan Kinder 2019-01-09 20:36:18 UTC 

*** This bug has been marked as a duplicate of bug 1664429 ***