Bug 1252545 - Unable to get cinder services list under Admin -> System -> System Information in Horizon
Status: CLOSED WONTFIX
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-cinder
6.0 (Juno)
Unspecified Unspecified
low Severity low
: 8.0 (Liberty)
Assigned To: Jon Bernard
nlevinki
Depends On:
Blocks:
Reported: 2015-08-11 12:20 EDT by Jon Thomas
Modified: 2017-09-25 13:01 EDT

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-12-06 10:47:03 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Jon Thomas 2015-08-11 12:20:09 EDT
This appears to be an issue in cinder where they expect the context_is_admin to be a role. In our case, we changed this to user_id and it no longer works.
Here's the flow. When a request comes in, cinder sets up your request context here:
/cinder/context.py:73
In terms of roles (as a concept), cinder basically breaks you down into an admin role, or not an admin role. check_is_admin tries to figure out whether you're an admin or not... by checking the list of roles on your user. Nothing else. It doesn't pass your entire token along or anything. See:
/cinder/policy.py:84
So the problem is that we changed our policy to try to verify the cloud_admin by his user_id. But the user_id isn't something that's passed in to the check_is_admin method. Only your roles.

On the surface, it appears cinder handles the same situation differently than nova:

cinder/context.py
...
        if self.is_admin is None:
            self.is_admin = policy.check_is_admin(self.roles)
        elif self.is_admin and 'admin' not in self.roles:
            self.roles.append('admin')
...

cinder/policy.py
...
def check_is_admin(roles):
    """Whether or not roles contains 'admin' role according to policy setting.

    """
    init()

    # include project_id on target to avoid KeyError if context_is_admin
    # policy definition is missing, and default admin_or_owner rule
    # attempts to apply.  Since our credentials dict does not include a
    # project_id, this target can never match as a generic rule.
    target = {'project_id': ''}
    credentials = {'roles': roles}

    return _ENFORCER.enforce('context_is_admin', target, credentials)


nova/context.py
...
        if self.is_admin is None:
            self.is_admin = policy.check_is_admin(self)
...

nova/policy.py
...
def check_is_admin(context):
    """Whether or not roles contains 'admin' role according to policy setting.

    """

    init()
    # the target is user-self
    credentials = context.to_dict()
    target = credentials
    return _ENFORCER.enforce('context_is_admin', target, credentials)
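
The mismatch described in the report above, as an added example that is not part of the original bug report and is not cinder, nova or oslo.policy code. It uses a simplified rule evaluator (the `enforce` helper, the rule strings and the user IDs are constructed for illustration) to show why a `user_id`-based `context_is_admin` rule cannot match when only the role list is passed as credentials:

```python
# Simplified model of policy rule evaluation. This is NOT oslo.policy:
# it only understands "role:<name>" and "<key>:<value>" checks joined by
# " or ", and it ignores the target, which is all this comparison needs.

def enforce(rule, target, creds):
    """Return True if any 'or'-joined check in the rule matches creds."""
    for check in rule.split(" or "):
        kind, _, match = check.strip().partition(":")
        if kind == "role":
            if match.lower() in [r.lower() for r in creds.get("roles", [])]:
                return True
        elif kind in creds and str(creds[kind]) == match:
            # Generic check: a key missing from creds is a non-match.
            return True
    return False


def cinder_style_is_admin(rule, context):
    """Like the cinder excerpt: only the role list reaches the enforcer."""
    target = {"project_id": ""}
    credentials = {"roles": context["roles"]}
    return enforce(rule, target, credentials)


def nova_style_is_admin(rule, context):
    """Like the nova excerpt: the whole context dict is the credentials."""
    credentials = dict(context)
    return enforce(rule, credentials, credentials)


# Constructed sample data (hypothetical IDs, not taken from the bug report).
ROLE_RULE = "role:admin"
USER_RULE = "user_id:example-cloud-admin-id"
CLOUD_ADMIN = {"user_id": "example-cloud-admin-id", "project_id": "p1",
               "roles": ["member"]}
ROLE_ADMIN = {"user_id": "other-user", "project_id": "p2", "roles": ["admin"]}

if __name__ == "__main__":
    for name, fn in (("cinder", cinder_style_is_admin),
                     ("nova", nova_style_is_admin)):
        for rule in (ROLE_RULE, USER_RULE):
            for who, ctx in (("cloud_admin", CLOUD_ADMIN),
                             ("role_admin", ROLE_ADMIN)):
                print(f"{name:6} {rule:32} {who:11} -> {fn(rule, ctx)}")
```

With the cinder-style call, a combined rule such as `role:admin or user_id:...` can only ever match through its role half, because `user_id` is never present in the credentials.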
Comment 3 Jack Waterworth 2015-10-05 10:55:27 EDT
Customer believes this is related to this bz: https://bugzilla.redhat.com/show_bug.cgi?id=1254770
Comment 4 Jon Bernard 2015-10-19 16:47:09 EDT
Just spoke with Jack, he's going to reproduce this setup and we'll use that to test a solution.
Comment 5 Sean Cohen 2015-11-12 09:16:31 EST
(In reply to Jon Bernard from comment #4)
> Just spoke with Jack, he's going to reproduce this setup and we'll use that
> to test a solution.
Jon, any update on this one?
Sean
Comment 6 Jon Bernard 2015-11-12 09:55:44 EST
I haven't heard anything yet, but I know folks have been very busy lately.
Comment 9 Sergey Gotliv 2015-12-06 10:47:03 EST
I am closing that BZ because the customer closed the case.
