Bug 1577635

Summary: Incorporate policy.json in order to bypass Octavia API RBAC
Product: Red Hat OpenStack
Reporter: Nir Magnezi <nmagnezi>
Component: openstack-octavia
Assignee: Nir Magnezi <nmagnezi>
Status: CLOSED ERRATA
QA Contact: Alexander Stafeyev <astafeye>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 13.0 (Queens)
CC: amuller, bcafarel, beagles, cgoncalves, ihrachys, lpeer, majopela, nyechiel
Target Milestone: rc
Keywords: Triaged
Target Release: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: openstack-octavia-2.0.1-5.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-06-27 13:56:23 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1577652
Bug Blocks: 1433523

Comment 10 Nir Magnezi 2018-05-17 09:14:26 UTC
Hi Alex,

Manually creating a loadbalancer (when policy.json is in its place) worked as expected.

The problem lies in the tempest plugin config you used:
Looking at the traceback you posted in comment #9, it shows that the failure is in setUpClass, specifically at setup_credentials()[1]. This is using the default credentials list[2] for the setup process.

Those defaults assume values that fit Octavia RBAC[3] which we currently don't use[4]. Thus, you should configure the roles tempest will use to match the policy.json[5] file we use.

This should look as follows:

[load_balancer]
member_role = _member_
admin_role = admin

/Nir

[1] https://github.com/openstack/octavia-tempest-plugin/blob/008dbec2ad45c6c68ae278a3f433cea1c754eece/octavia_tempest_plugin/tests/test_base.py#L85
[2] https://github.com/openstack/octavia-tempest-plugin/blob/008dbec2ad45c6c68ae278a3f433cea1c754eece/octavia_tempest_plugin/tests/test_base.py#L46
[3] https://docs.openstack.org/octavia/latest/configuration/policy.html
[4] https://review.rdoproject.org/r/#/c/13767/
[5] https://github.com/openstack/octavia/blob/master/etc/policy/admin_or_owner-policy.json

Comment 13 errata-xmlrpc 2018-06-27 13:56:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:2086