Bug 1565039 - Unable to create encrypted volume with barbican - Order creation attempt not allowed
Summary: Unable to create encrypted volume with barbican - Order creation attempt not ...
Keywords:
Status: CLOSED DUPLICATE of bug 1664429
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-barbican
Version: 13.0 (Queens)
Hardware: x86_64
OS: Linux
medium
urgent
Target Milestone: ---
: 13.0 (Queens)
Assignee: Ade Lee
QA Contact: Pavan
URL:
Whiteboard:
Depends On: 1566724 1664428 1664429
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-09 08:39 UTC by bkopilov
Modified: 2019-01-09 20:36 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-01-09 20:36:18 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description bkopilov 2018-04-09 08:39:11 UTC
Description of problem:
Openstack on virsh  , 1 controller, 1 compute and 1 ceph node
Tempest trying to create an encrypted volume , fixed_key was working.

Having issue with policy pemission.
Can we force in barbican default policy to support order_creation ??
What about policy.json file with rules ?


Trying to run tempest code (downstream) ,
When trying to create a volume  , barbican main.log message:

2018-04-09 08:13:53.222 21 DEBUG barbican.api.controllers.quotas [-] === Creating ProjectsQuotaController === __init__ /usr/lib/python2.7/site-packages/barbican/api/controllers/quotas.py:117
2018-04-09 08:13:53.222 21 DEBUG barbican.api.controllers.secretstores [-] Creating SecretStoresController __init__ /usr/lib/python2.7/site-packages/barbican/api/controllers/secretstores.py:131
2018-04-09 08:13:53.224 21 INFO barbican.api.app [-] Barbican app created and initialized
2018-04-09 08:13:53.228 21 WARNING keystonemiddleware._common.config [-] The option "__file__" in conf is not known to auth_token
2018-04-09 08:13:53.229 21 WARNING keystonemiddleware._common.config [-] The option "here" in conf is not known to auth_token
2018-04-09 08:13:53.230 21 WARNING keystonemiddleware.auth_token [-] AuthToken middleware is set with keystone_authtoken.service_token_roles_required set to False. This is backwards compatible but deprecated beh
aviour. Please set this to True.
2018-04-09 08:13:53.233 21 WARNING oslo_config.cfg [-] Option "auth_uri" from group "keystone_authtoken" is deprecated. Use option "www_authenticate_uri" from group "keystone_authtoken".
2018-04-09 08:13:53.239 21 DEBUG barbican.api.controllers.versions [-] === Creating VersionsController === __init__ /usr/lib/python2.7/site-packages/barbican/api/controllers/versions.py:121
2018-04-09 08:14:18.399 27 WARNING keystonemiddleware.auth_token [-] Using the in-process token cache is deprecated as of the 4.2.0 release and may be removed in the 5.0.0 release or the 'O' development cycle. T
he in-process cache causes inconsistent results and high memory usage. When the feature is removed the auth_token middleware will not cache tokens by default which may result in performance issues. It is recomme
nded to use  memcache for the auth_token token cache by setting the memcached_servers option.
2018-04-09 08:14:19.226 27 DEBUG oslo_policy.policy [-] The policy file /etc/barbican/policy.json could not be found. load_rules /usr/lib/python2.7/site-packages/oslo_policy/policy.py:548
2018-04-09 08:14:19.233 27 ERROR barbican.api.controllers [req-c4093da4-1296-450c-beae-953e3eb1e991 8325cbdefc7e491a95a60670c16d273a - - default default] Order creation attempt not allowed - please review your u
ser/project privileges: PolicyNotAuthorized: orders:post is disallowed by policy
2018-04-09 08:14:19.235 27 INFO barbican.api.middleware.context [req-c4093da4-1296-450c-beae-953e3eb1e991 8325cbdefc7e491a95a60670c16d273a - - default default] Processed request: 403 Forbidden - POST http://172.
17.1.16:9311/v1/orders/
2018-04-09 08:14:21.840 25 WARNING keystonemiddleware.auth_token [-] Using the in-process token cache is deprecated as of the 4.2.0 release and may be removed in the 5.0.0 release or the 'O' development cycle. T
he in-process cache causes inconsistent results and high memory usage. When the feature is removed the auth_token middleware will not cache tokens by default which may result in performance issues. It is recomme
nded to use  memcache for the auth_token token cache by setting the memcached_servers option.





Version-Release number of selected component (if applicable):


How reproducible:
Run tempest code (downstream) and try to create volume with none admin user.



Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Alan Bishop 2018-04-09 13:50:32 UTC
Where are the log files?

Comment 2 Eric Harney 2018-04-09 15:01:37 UTC
> 2018-04-09 08:14:19.233 27 ERROR barbican.api.controllers [req-c4093da4-1296-450c-beae-953e3eb1e991 8325cbdefc7e491a95a60670c16d273a - - default default] Order creation attempt not allowed - please review your u
ser/project privileges: PolicyNotAuthorized: orders:post is disallowed by policy

This happens if the request to Barbican to create the key is made by a user that isn't in the creator role.

Comment 3 Ade Lee 2018-04-09 20:09:43 UTC
Yes, this definitely sounds like the user not having the creator role.

Comment 4 Avi Avraham 2018-04-10 11:59:53 UTC
(In reply to Ade Lee from comment #3)
> Yes, this definitely sounds like the user not having the creator role.

Is it a configuration needed to be done in tripleO during the barbican installation or part of project configuration?

Comment 5 bkopilov 2018-04-10 13:20:44 UTC
Hi all , 

I just installed devstack with barbican , Looks like redhat installer should install as devstack with prepared roles .

[stack@localhost ~]$ openstack role list
+----------------------------------+---------------------------+
| ID                               | Name                      |
+----------------------------------+---------------------------+
| 0f515ce019fe4144bba109a834df4752 | observer                  |
| 269c25ca337b4c0aa322ebda20b3ad7c | admin                     |
| 278a91beda464af19cd068502592972f | service                   |
| 770c909071cc446a9bd0d5156f9fa913 | creator                   |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_                  |
| a3eea10c8998431fb1d24ba5d32ee300 | anotherrole               |
| c656cac112e44ef9a253d303659ca242 | Member                    |
| cc11bfa9b8094080a8630ebd7a8a38ff | audit                     |
| f4d91c39792147e998e3affe20766a24 | ResellerAdmin             |
| fd827c52074f4d9997128ffb89a3ea78 | key-manager:service-admin |
+----------------------------------+---------------------------+


if rhos installer will not install barbican properly , we will be blocked in our testing.

Comment 6 Alan Bishop 2018-04-10 13:42:56 UTC
Well, devstack has the luxury of performing any amount of post-deployment setup operations. There are a number of day-1 operations that OSP expects the Admin to perform that are not considered part of the TripleO deployment, so we need to be careful when comparing TripleO and devstack deployments. The question is, what does the OSP documentation for Barbican say?

Comment 11 Tzach Shefi 2018-04-29 08:01:11 UTC
Till this is incorporated we have a workaround, on undercloud from admin user:

#openstack role create creator
#openstack role add --user demo creator  --project demo 

Where demo is user name and project name in my case. 
Unset blocker flags.

Comment 15 Nathan Kinder 2019-01-09 20:36:18 UTC

*** This bug has been marked as a duplicate of bug 1664429 ***


Note You need to log in before you can comment on or make changes to this bug.