Bug 1577635 - Incorporate policy.json in order to bypass Octavia API RBAC
Summary: Incorporate policy.json in order to bypass Octavia API RBAC
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-octavia
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 13.0 (Queens)
Assignee: Nir Magnezi
QA Contact: Alexander Stafeyev
Depends On: 1577652
Blocks: 1433523
TreeView+ depends on / blocked
Reported: 2018-05-13 16:31 UTC by Nir Magnezi
Modified: 2019-09-10 14:12 UTC (History)
8 users (show)

Fixed In Version: openstack-octavia-2.0.1-5.el7ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-06-27 13:56:23 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
RDO 13760 0 None None None 2018-05-13 16:38:33 UTC
Red Hat Product Errata RHEA-2018:2086 0 None None None 2018-06-27 13:57:37 UTC

Comment 10 Nir Magnezi 2018-05-17 09:14:26 UTC
Hi Alex,

Manually creating a loadbalancer (when policy.json is in its place) worked as expected.

The problem lays in the tempest plugin config you used:
Looking at the traceback you posted in comment #9, it shows that the issue it is failing at is on is with the setUpClass and specifically at setup_credentials()[1]. This is using the default credentials list[2] for the setup process.

Those defaults assume values that fit Octavia RBAC[3] which we currently don't use[4]. Thus, you should configure the roles tempest will use to match the policy.json[5] file we use.

This should look as follows:

member_role = _member_
admin_role = admin


[1] https://github.com/openstack/octavia-tempest-plugin/blob/008dbec2ad45c6c68ae278a3f433cea1c754eece/octavia_tempest_plugin/tests/test_base.py#L85
[2] https://github.com/openstack/octavia-tempest-plugin/blob/008dbec2ad45c6c68ae278a3f433cea1c754eece/octavia_tempest_plugin/tests/test_base.py#L46
[3] https://docs.openstack.org/octavia/latest/configuration/policy.html
[4] https://review.rdoproject.org/r/#/c/13767/
[5] https://github.com/openstack/octavia/blob/master/etc/policy/admin_or_owner-policy.json

Comment 13 errata-xmlrpc 2018-06-27 13:56:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.