Bug 2065282

Summary: Secure RBAC, invalid YAML syntax in enable-secure-rbac.yaml file crashes overcloud when redeployed
Product: Red Hat OpenStack
Reporter: Omer Schwartz <oschwart>
Component: puppet-openstacklib
Assignee: Douglas Mendizábal <dmendiza>
Status: CLOSED ERRATA
QA Contact: Jeremy Agee <jagee>
Severity: high
Docs Contact:
Priority: high
Version: 17.0 (Wallaby)
CC: bbonguar, bdobreli, cjeanner, dmendiza, elicohen, jhakimra, jjoyce, jschluet, mburns, slinaber, tkajinam, tvignaud
Target Milestone: beta
Keywords: TestBlocker, Triaged
Target Release: 17.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: puppet-openstacklib-18.5.1-0.20220416002854.358e2a4.el9ost
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-09-21 12:19:39 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1901686, 2124617

Description Omer Schwartz 2022-03-17 15:16:49 UTC
Description of problem:
Invalid YAML syntax crashes overcloud redeployment.

This patch https://review.opendev.org/c/openstack/tripleo-heat-templates/+/818629 added some lines that, when concatenated into the policy.yaml file, produce the following error:
  File "/usr/lib/python3.6/site-packages/oslo_policy/policy.py", line 413, in parse_file_contents
    raise ValueError(str(e))
ValueError: while parsing a block mapping
  in "<unicode string>", line 1, column 1:
    'add_image': 'role:admin or (rol ... 
    ^   
expected <block end>, but found '<scalar>'
  in "<unicode string>", line 22, column 110:
     ... or project_id:%(member_id)s or 'community':%(visibility)s or 'pu ... 

See https://bugzilla.redhat.com/show_bug.cgi?id=2064290



Running yamllint on the policy_file=/etc/glance/policy.yaml file, I get:
yamllint policy.yaml 
policy.yaml
  1:1       warning  missing document start "---"  (document-start)
  1:81      error    line too long (97 > 80 characters)  (line-length)
  22:81     error    line too long (191 > 80 characters)  (line-length)
  23:81     error    line too long (186 > 80 characters)  (line-length)
  24:81     error    line too long (81 > 80 characters)  (line-length)
  26:81     error    line too long (101 > 80 characters)  (line-length)
  27:81     error    line too long (102 > 80 characters)  (line-length)
  28:81     error    line too long (113 > 80 characters)  (line-length)
  29:81     error    line too long (85 > 80 characters)  (line-length)
  30:81     error    line too long (110 > 80 characters)  (line-length)
  31:81     error    line too long (111 > 80 characters)  (line-length)
  32:81     error    line too long (114 > 80 characters)  (line-length)
  33:81     error    line too long (112 > 80 characters)  (line-length)
  34:81     error    line too long (117 > 80 characters)  (line-length)
  35:81     error    line too long (107 > 80 characters)  (line-length)
  36:81     error    line too long (108 > 80 characters)  (line-length)
  39:81     error    line too long (119 > 80 characters)  (line-length)
  54:81     error    line too long (81 > 80 characters)  (line-length)
  22:110    error    syntax error: expected <block end>, but found '<scalar>' (syntax)

^^^^^^^^
Which happened because of this line https://review.opendev.org/c/openstack/tripleo-heat-templates/+/818629/1/environments/enable-secure-rbac.yaml#1530

The invalid line in policy.yaml was
'download_image': 'role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))'

Note: the usage of single comma (') repeats in many more lines.



This bug prevents applying the new Secure RBAC policy in OSP17, TripleO.

Version-Release number of selected component (if applicable):
[stack@undercloud-0 ~]$ cat /etc/rhosp-release 
Red Hat OpenStack Platform release 17.0.0 Beta (Ussuri)

How reproducible:
100%

Steps to Reproduce:
1. Deploy OSP17, TripleO with Octavia
2. Add /home/stack/overcloud-deploy/overcloud/tripleo-heat-templates/environments/enable-secure-rbac.yaml to /home/stack/overcloud_deploy.sh
3. Redeploy /home/stack/overcloud_deploy.sh 

Actual results:
The deployment failed when trying to upload the amphora image to Glance, because of the error mentioned above.

Expected results:
The deployment passes.

Comment 1 Takashi Kajinami 2022-03-17 16:46:16 UTC
We might need to consider better formatting logic in puppet-openstacklib
 https://github.com/openstack/puppet-openstacklib/blob/master/manifests/policy/base.pp#L88

In the past we tried augeas but failed because it does not support the current structure of policy yaml.
(augeas works properly only when an additional top-level key exists)

Comment 2 Takashi Kajinami 2022-03-17 17:10:34 UTC
(In reply to Takashi Kajinami from comment #1)
> We might need to consider better formatting logic in puppet-openstacklib
>  https://github.com/openstack/puppet-openstacklib/blob/master/manifests/
> policy/base.pp#L88
> 
> In the past we tried augeas but failed because it does not support current
> structure of policy yaml.
> (augeas works properly only when an additional top-level key exists)

Reported a bug for puppet-openstacklib.
https://bugs.launchpad.net/puppet-openstacklib/+bug/1965338
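
The failure in the description (an unescaped apostrophe inside a single-quoted scalar closes the scalar early, so the YAML parser sees a second scalar on the same line) and the formatting logic Takashi points at in comment 1 both come down to how a policy check string is quoted when it is written into policy.yaml. The following is an added example, not code from puppet-openstacklib, tripleo-heat-templates or oslo.policy: it models the concatenating formatter as an assumed Python function (the Puppet template in manifests/policy/base.pp is not reproduced), renders the download_image rule quoted from this report both the naive way and with YAML's own escaping rule (an apostrophe inside a single-quoted scalar is written as two apostrophes), and validates each result with a small standard-library scanner that reports the same kind of error oslo.policy surfaced here. The add_image check string in SAMPLE_POLICY is constructed for the example.

```python
"""Model of the policy.yaml quoting failure this bug reports.

Added example, not code from puppet-openstacklib, tripleo-heat-templates or
oslo.policy. naive_policy_line() is an assumed model of the concatenating
formatter the comments attribute to manifests/policy/base.pp; the Puppet
template itself is not reproduced. Standard library only: the scanner below
implements the YAML rule that an apostrophe inside a single-quoted scalar
is written as two apostrophes ('').
"""

# Check string copied from the bug report (the rejected download_image line).
DOWNLOAD_IMAGE_CHECK = (
    "role:admin or (role:member and (project_id:%(project_id)s or "
    "project_id:%(member_id)s or 'community':%(visibility)s or "
    "'public':%(visibility)s or 'shared':%(visibility)s))"
)

# Constructed sample policy: one check without apostrophes, one with.
SAMPLE_POLICY = {
    "add_image": "role:admin or (role:member and project_id:%(project_id)s)",
    "download_image": DOWNLOAD_IMAGE_CHECK,
}


def naive_policy_line(rule, check):
    """Wrap rule and check in single quotes with no escaping: the assumed
    behaviour that produced the invalid line in the report."""
    return "'%s': '%s'" % (rule, check)


def yaml_single_quote(text):
    """Emit a YAML single-quoted scalar; apostrophes are doubled."""
    return "'" + text.replace("'", "''") + "'"


def safe_policy_line(rule, check):
    """Same layout as the naive line, but with correctly escaped scalars."""
    return "%s: %s" % (yaml_single_quote(rule), yaml_single_quote(check))


def render_policy_yaml(policy, line_fn):
    """Render a policy mapping with the given per-line formatter."""
    return "".join(line_fn(rule, check) + "\n" for rule, check in policy.items())


def scan_single_quoted(line, start):
    """Read a single-quoted scalar beginning at line[start] == "'".
    Return (decoded value, index just past the closing quote)."""
    if start >= len(line) or line[start] != "'":
        raise ValueError("expected a single-quoted scalar at column %d" % (start + 1))
    out = []
    i = start + 1
    while i < len(line):
        if line[i] == "'":
            if line[i + 1:i + 2] == "'":    # '' is an escaped apostrophe
                out.append("'")
                i += 2
                continue
            return "".join(out), i + 1      # a lone quote closes the scalar
        out.append(line[i])
        i += 1
    raise ValueError("unterminated single-quoted scalar at column %d" % (start + 1))


def parse_policy_line(line):
    """Parse one `'rule': 'check'` line the way a YAML parser would; raise
    ValueError with a parser-style message if text follows the value."""
    rule, i = scan_single_quoted(line, 0)
    if line[i:i + 2] != ": ":
        raise ValueError("expected ': ' after key at column %d" % (i + 1))
    check, j = scan_single_quoted(line, i + 2)
    if j != len(line):
        # The failure from the report: an unescaped apostrophe closed the
        # scalar early and a second scalar follows on the same line.
        raise ValueError(
            "expected <block end>, but found '<scalar>' at column %d" % (j + 1))
    return rule, check


def validate_policy_yaml(text):
    """Return ([(line_number, message), ...], parsed_mapping): every line
    that fails to parse is reported, every line that parses is collected."""
    errors, parsed = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        try:
            rule, check = parse_policy_line(line)
            parsed[rule] = check
        except ValueError as exc:
            errors.append((n, str(exc)))
    return errors, parsed


if __name__ == "__main__":
    for label, line_fn in (("naive", naive_policy_line), ("escaped", safe_policy_line)):
        errors, parsed = validate_policy_yaml(render_policy_yaml(SAMPLE_POLICY, line_fn))
        print(label, "errors:", errors)
        print(label, "round-trips:", parsed == SAMPLE_POLICY)
```

Run stand-alone, the naive rendering reports an error on the download_image line and loses that rule, while the escaped rendering parses cleanly and round-trips to the original mapping. On a real overcloud node the equivalent check is the yamllint run shown in the description, or `python3 -c "import yaml, sys; yaml.safe_load(open(sys.argv[1]))" /etc/glance/policy.yaml`, which fails the same way oslo.policy does before any Glance API call is attempted.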

Comment 4 Yaniv Kaul 2022-05-18 11:40:01 UTC
Any idea why the BZ is still on POST? The upstream issue (https://bugs.launchpad.net/puppet-openstacklib/+bug/1965338) seems to be resolved - is this waiting for a backport?
(asking mainly because it's a test blocker)

Comment 6 Douglas Mendizábal 2022-06-14 19:21:18 UTC
Hi Yaniv,  it looks like this was moved to MODIFIED already by Jon.

Comment 14 errata-xmlrpc 2022-09-21 12:19:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543

Comment 15 Red Hat Bugzilla 2023-09-18 04:33:41 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days