Bug 1669214
Summary: | RGW - Tempest test: AccountQuotasNegativeTest.test_user_modify_quota fails with 403 | ||
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | David Paterson <david_paterson> |
Component: | openstack-tripleo-heat-templates | Assignee: | Giulio Fidente <gfidente> |
Status: | CLOSED ERRATA | QA Contact: | Eliad Cohen <elicohen> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | 13.0 (Queens) | CC: | arkady_kanevsky, cdevine, chadd, christopher_dearborn, david_paterson, dcain, elicohen, gael_rehault, gfidente, jdurgin, kurt_hey, lhh, mbenjamin, mburns, morazi, nweinber, prsrivas, rajini.karthik, smanjara |
Target Milestone: | beta | Keywords: | Triaged |
Target Release: | 15.0 (Stein) | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | openstack-tripleo-heat-templates-10.5.1-0.20190701110422.889d4d4.el8ost | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-09-21 11:19:59 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
David Paterson
2019-01-24 15:57:00 UTC
Reproduced error with swift client as well, the user has Member role and created a container prior to attempting to set quota, see below: swift --debug post -H "X-Account-Meta-Quota-Bytes: 20" INFO:swiftclient:REQ: curl -i http://100.82.36.190:8080/swift/v1 -X POST -H "X-Account-Meta-Quota-Bytes: 20" -H "X-Auth-Token: gAAAAABcS3IWIRv1Z8q_F0wBKh9Ep98Cr2RdlW57gU6y0TDVFuAqSrX9WCPAopoovpY2XE6nvoQ-EsKuogmJnK6ARgukXvC_T3gcqiGNMVxg9BVP7q3z-pTwY6usuQzC4eC-9g_mDtMt-JAFfzSMR-8hWa5_T-24YFVDsaX4THItYxoFbLMjFVE" INFO:swiftclient:RESP STATUS: 403 Forbidden INFO:swiftclient:RESP HEADERS: {u'Content-Length': u'12', u'Accept-Ranges': u'bytes', u'X-Trans-Id': u'tx000000000000000006a59-005c4b7216-2eaed-default', u'Date': u'Fri, 25 Jan 2019 20:31:18 GMT', u'Content-Type': u'text/plain; charset=utf-8', u'X-Openstack-Request-Id': u'tx000000000000000006a59-005c4b7216-2eaed-default'} INFO:swiftclient:RESP BODY: AccessDenied ERROR:swiftclient.service:Account POST failed: http://100.82.36.190:8080/swift/v1 403 Forbidden AccessDenied Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/swiftclient/service.py", line 685, in post get_future_result(post) File "/usr/lib/python2.7/site-packages/swiftclient/service.py", line 230, in get_future_result res = f.result(timeout=timeout) File "/usr/lib/python2.7/site-packages/concurrent/futures/_base.py", line 429, in result return self.__get_result() File "/usr/lib/python2.7/site-packages/concurrent/futures/thread.py", line 62, in run result = self.fn(*self.args, **self.kwargs) File "/usr/lib/python2.7/site-packages/swiftclient/multithreading.py", line 187, in conn_fn return fn(*conn_args, **kwargs) File "/usr/lib/python2.7/site-packages/swiftclient/service.py", line 813, in _post_account_job return conn.post_account(headers=headers, response_dict=result) File "/usr/lib/python2.7/site-packages/swiftclient/client.py", line 1749, in post_account response_dict=response_dict) File "/usr/lib/python2.7/site-packages/swiftclient/client.py", line 1691, in _retry service_token=self.service_token, **kwargs) File "/usr/lib/python2.7/site-packages/swiftclient/client.py", line 861, in post_account raise ClientException.from_response(resp, 'Account POST failed', body) ClientException: Account POST failed: http://100.82.36.190:8080/swift/v1 403 Forbidden AccessDenied Account POST failed: http://100.82.36.190:8080/swift/v1 403 Forbidden AccessDenied Failed Transaction ID: tx000000000000000006a59-005c4b7216-2eaed-default RefStack and installed package versions: RefStack current object store policy: wget "https://refstack.openstack.org/api/v1/guidelines/2018.11/tests?target=object&type=required&alias=true&flag=false" -O 2018.11-test-list.txt RGW packages on controller librgw2.x86_64 2:12.2.4-42.el7 @rhos-13.0-signed python-rgw.x86_64 2:12.2.4-42.el7 @rhos-13.0-signed librados2.x86_64 2:12.2.4-42.el7 @rhos-13.0-signed libradosstriper1.x86_64 2:12.2.4-42.el7 @rhos-13.0-signed python-rados.x86_64 2:12.2.4-42.el7 @rhos-13.0-signed Can you confirm the user also had ResellerAdmin role set? Yes tempest.conf has ResellerAdmin role assignment for all users created. tempest_roles = _member_,Member, ResellerAdmin So the final changes in the conf files are: In rgw conf file: rgw keystone accepted admin roles = ResellerAdmin And in tempest.conf file: [auth] tempest_roles = member,Member [object-storage] reseller_admin_role = ResellerAdmin @Matt - can we ask him to re-test with these changes? Hi David, could you review the suggestion in comment #13? thanks, Matt Yes that worked with one additional change in tempest.conf you must have [object-storage-feature-enabled].discoverable_apis at least include "account_quotas" or test is skipped. In summary: tempest.conf [auth] tempest_roles = member,Member [object-storage] reseller_admin_role = ResellerAdmin [object-storage-feature-enabled] discoverable_apis = account_quotas ceph.conf on controller(s) rgw_keystone_accepted_admin_roles = ResellerAdmin Thanks! Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2019:2811 |