Bug 2219603

Summary: Missing Designate sRBAC overrides in TripleO when enabling secure RBAC
Product: Red Hat OpenStack
Reporter: Lilach Avraham <lavraham>
Component: openstack-tripleo-heat-templates
Assignee: Nate Johnston <njohnston>
Status: CLOSED ERRATA
QA Contact: Lilach Avraham <lavraham>
Severity: high
Priority: high
Version: 17.1 (Wallaby)
CC: ashtempl, bbonguar, beagles, gregraka, gthiemon, lsvaty, mariel, mburns, michjohn, njohnston, pgrist, scohen
Target Milestone: z1
Keywords: TestBlocker, Triaged
Target Release: 17.1
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-tripleo-heat-templates-14.3.1-1.20230519151021.el9ost
Doc Type: Known Issue
Doc Text:
In RHOSP 17.1 GA, the DNS service (designate) is misconfigured when secure role-based access control (sRBAC) is enabled. The current sRBAC policies contain incorrect rules for designate and must be corrected for designate to function correctly. A possible workaround is to apply the following patch on the undercloud server and redeploy the overcloud: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/888159
Last Closed: 2023-09-20 00:29:44 UTC
Type: Bug
Bug Blocks: 2124618

Description Lilach Avraham 2023-07-04 14:11:13 UTC
I've run the Designate SRBAC job [1] with the configuration we've used to run the RBAC test [2].

We have 14 tests that still fail [3], and most of them get this traceback.

Traceback (most recent call last):
  File "/home/stack/plugins/designate-tempest-plugin/designate_tempest_plugin/tests/api/v2/test_recordset.py", line 509, in test_admin_list_all_recordsets_for_a_project
    item['id'] for item in self.admin_client.list_recordset(
  File "/home/stack/plugins/designate-tempest-plugin/designate_tempest_plugin/services/dns/json/base.py", line 39, in wrapper
    return f(*args, **kwargs)
  File "/home/stack/plugins/designate-tempest-plugin/designate_tempest_plugin/services/dns/v2/json/recordset_client.py", line 150, in list_recordset
    return self._list_request(
  File "/home/stack/plugins/designate-tempest-plugin/designate_tempest_plugin/services/dns/json/base.py", line 187, in _list_request
    resp, body = self.get(uri, headers=headers)
  File "/home/stack/.virtualenvs/.tempest/lib64/python3.9/site-packages/tempest/lib/common/rest_client.py", line 322, in get
    return self.request('GET', url, extra_headers, headers,
  File "/home/stack/.virtualenvs/.tempest/lib64/python3.9/site-packages/tempest/lib/common/rest_client.py", line 742, in request
    self._error_checker(resp, resp_body)
  File "/home/stack/.virtualenvs/.tempest/lib64/python3.9/site-packages/tempest/lib/common/rest_client.py", line 847, in _error_checker
    raise exceptions.Forbidden(resp_body, resp=resp)
tempest.lib.exceptions.Forbidden: Forbidden
Details: {'code': 403, 'type': 'forbidden', 'request_id': 'req-a5977a6a-2324-410b-beb4-23c86269fa26'}


[1]- https://rhos-ci-staging-jenkins.lab.eng.tlv2.redhat.com/view/DFG/view/network/view/openstack-designate/job/DFG-network-openstack-designate-17.1_director-rhel-virthost-3cont_2comp-ipv4-geneve-srbac/32/
[2]- http://rhos-ci-logs.lab.eng.tlv2.redhat.com/logs/staging/DFG-network-openstack-designate-17.1_director-rhel-virthost-3cont_2comp-ipv4-geneve-srbac/32/undercloud-0/home/stack/tempest-dir/etc/tempest.conf.gz
[3]- http://rhos-ci-logs.lab.eng.tlv2.redhat.com/logs/staging/DFG-network-openstack-designate-17.1_director-rhel-virthost-3cont_2comp-ipv4-geneve-srbac/32/test_results/tempest-results-designate.1.html
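
A triage sketch for failures like the one reported above, added here as an example and not taken from the bug report or from the Designate or TripleO code: it groups tempest 403 Forbidden tracebacks by the designate client call that was denied and collects the request IDs, which can then be searched for in the service's API logs. The sample input is the traceback from this report (trimmed) plus one constructed non-RBAC failure; the function and regex names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the traceback from this report (trimmed) followed by
# one invented non-RBAC failure, to show that only 403s are collected.
SAMPLE = '''\
Traceback (most recent call last):
  File "/home/stack/plugins/designate-tempest-plugin/designate_tempest_plugin/tests/api/v2/test_recordset.py", line 509, in test_admin_list_all_recordsets_for_a_project
    item['id'] for item in self.admin_client.list_recordset(
  File "/home/stack/plugins/designate-tempest-plugin/designate_tempest_plugin/services/dns/v2/json/recordset_client.py", line 150, in list_recordset
    return self._list_request(
  File "/home/stack/.virtualenvs/.tempest/lib64/python3.9/site-packages/tempest/lib/common/rest_client.py", line 322, in get
    return self.request('GET', url, extra_headers, headers,
tempest.lib.exceptions.Forbidden: Forbidden
Details: {'code': 403, 'type': 'forbidden', 'request_id': 'req-a5977a6a-2324-410b-beb4-23c86269fa26'}
Traceback (most recent call last):
  File "/home/stack/plugins/designate-tempest-plugin/designate_tempest_plugin/tests/api/v2/test_zones.py", line 1, in test_constructed_example
    raise AssertionError("constructed non-RBAC failure")
AssertionError: constructed non-RBAC failure
'''

FRAME = re.compile(r'^\s+File "(?P<path>[^"]+)", line \d+, in (?P<func>\w+)$')
DETAILS = re.compile(r"^Details: \{'code': (?P<code>\d+),.*'request_id': '(?P<rid>req-[0-9a-f-]+)'")

def forbidden_calls(text):
    """Map each denied v2 client call to the (test, request_id) pairs that hit it."""
    denied = defaultdict(list)
    test = call = None
    for line in text.splitlines():
        if line.startswith("Traceback "):
            test = call = None  # new failure: forget the previous frames
            continue
        frame = FRAME.match(line)
        if frame:
            path, func = frame["path"], frame["func"]
            if "/tests/" in path and func.startswith("test_"):
                test = func  # the tempest test that failed
            elif "/services/dns/v2/" in path:
                call = func  # the designate v2 service-client method it called
            continue
        details = DETAILS.match(line)
        if details and details["code"] == "403" and test and call:
            denied[call].append((test, details["rid"]))
    return dict(denied)

if __name__ == "__main__":
    for call, hits in forbidden_calls(SAMPLE).items():
        print(call, hits)
```

Grouping by client call rather than by test name shows which API operations the deployed policy denies, which is the list to compare against the policy overrides.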

Comment 16 Greg Rakauskas 2023-08-29 21:03:18 UTC
Hi Brent,

Thanks for doing this. I've corrected a few nits in the new Doc Text.

I will yank BZ 2214328 from the RHOSP 17.1.0 Release Notes, and replace that BZ
with BZ 2219603 and its Doc Text.

Thanks,
--Greg

Comment 22 errata-xmlrpc 2023-09-20 00:29:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.1.1 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:5138