Bug 1725896 - Barbican missing key-manager:service-admin role
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-tripleo
Version: 15.0 (Stein)
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: z2
Target Release: 15.0 (Stein)
Assignee: Harry Rybacki
QA Contact: nlevinki
URL:
Whiteboard: DFG:Security
Depends On: 1739111
Blocks: 1739113 1739114
Reported: 2019-07-01 16:59 UTC by Pavan
Modified: 2022-06-06 11:37 UTC (History)

Fixed In Version: puppet-tripleo-10.5.2-0.20190916110513.2784518.el8ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1739111 1739113
Environment:
Last Closed: 2020-03-05 11:59:10 UTC
Target Upstream Version:
Embargoed:


Attachments
barbican_api_tests_logs (20.00 KB, text/plain)
2019-07-01 17:04 UTC, Pavan


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 675131 0 'None' MERGED Ensure Barbican required roles are created by Keystone 2020-02-17 17:06:29 UTC
Red Hat Issue Tracker OSP-15547 0 None None None 2022-06-06 11:37:20 UTC
Red Hat Product Errata RHBA-2020:0643 0 None None None 2020-03-05 11:59:48 UTC

Description Pavan 2019-07-01 16:59:48 UTC
Description of problem:

Deploying OSP-15 with Barbican and executing the Barbican tempest API tests fails with the error 'No "key-manager:service-admin" role found'
 

Details: 

There is an upstream bug and patch which is not cloned downstream.

https://bugs.launchpad.net/kolla-ansible/+bug/1657742


Version-Release number of selected component (if applicable):
RHOS_TRUNK-15.0-RHEL-8-20190627.n.0


How reproducible:
Deploy OSP-15 with Barbican. Use the following TripleO Heat Templates and parameters.

---
tripleo_heat_templates:
    - /usr/share/openstack-tripleo-heat-templates/environments/services/barbican.yaml
    - /usr/share/openstack-tripleo-heat-templates/environments/barbican-backend-simple-crypto.yaml
 
custom_templates:
    parameter_defaults:
        BarbicanSimpleCryptoGlobalDefault: true
        SwiftEncryptionEnabled: true
        ComputeExtraConfig:
            nova::glance::verify_glance_signatures: true


Steps to Reproduce:
1. Install tempest packages and configure the tempest.conf as shown below

discover-tempest-config --out etc/tempest.conf \
--deployer-input ~/tempest-deployer-input.conf \
--debug --create \
identity.uri $OS_AUTH_URL \
auth.admin_password $OS_PASSWORD \
auth.admin_username $OS_USERNAME \
auth.use_dynamic_credentials true \
compute-feature-enabled.attach_encrypted_volume true \
glance.verify_glance_signatures True \
ephemeral_storage_encryption.enabled True \
auth.tempest_roles creator \
compute-feature-enabled.attach_encrypted_volume True \
auth.use_dynamic_credentials True
 
Make sure you have: auth.tempest_roles creator set in tempest.conf

2. Execute the Barbican tempest tests with the following regex

tempest run --regex ^barbican_tempest_plugin.tests.api


Actual results:

Captured traceback:
~~~~~~~~~~~~~~~~~~~
    b'Traceback (most recent call last):'
    b'  File "/usr/lib/python3.6/site-packages/tempest/test.py", line 173, in setUpClass'
    b'    six.reraise(etype, value, trace)'
    b'  File "/usr/lib/python3.6/site-packages/six.py", line 675, in reraise'
    b'    raise value'
    b'  File "/usr/lib/python3.6/site-packages/tempest/test.py", line 158, in setUpClass'
    b'    cls.setup_credentials()'
    b'  File "/usr/lib/python3.6/site-packages/tempest/test.py", line 407, in setup_credentials'
    b'    force_new=True)'
    b'  File "/usr/lib/python3.6/site-packages/tempest/test.py", line 678, in get_client_manager'
    b'    creds = cred_provider.get_creds_by_roles(**params)'
    b'  File "/usr/lib/python3.6/site-packages/tempest/lib/common/dynamic_creds.py", line 373, in get_creds_by_roles'
    b'    return self.get_credentials(roles)'
    b'  File "/usr/lib/python3.6/site-packages/tempest/lib/common/dynamic_creds.py", line 338, in get_credentials'
    b'    credentials = self._create_creds(roles=credential_type)'
    b'  File "/usr/lib/python3.6/site-packages/tempest/lib/common/dynamic_creds.py", line 203, in _create_creds'
    b'    self.creds_client.assign_user_role(user, project, role)'
    b'  File "/usr/lib/python3.6/site-packages/tempest/lib/common/cred_client.py", line 76, in assign_user_role'
    b'    raise lib_exc.NotFound(msg)'
    b'tempest.lib.exceptions.NotFound: Object not found'
    b'Details: No "key-manager:service-admin" role found'
    b''



Expected results:

All tests pass


Additional info: https://github.com/openstack/barbican-tempest-plugin/tree/master/barbican_tempest_plugin/tests/api
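
A pre-flight check for the failure reported above, as an added example that is not part of the original report or of the TripleO fix: it compares Keystone's role list with the two role names that appear in this report (`creator` from `auth.tempest_roles`, `key-manager:service-admin` from the traceback). The function name, the sample role list and the `--demo` flag are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: report roles the Barbican tempest API run needs that
# Keystone does not have. The list holds only the two role names that
# appear in this report; extend it for your own deployment.
REQUIRED_ROLES="creator
key-manager:service-admin"

# missing_roles: reads existing Keystone role names on stdin (one per line)
# and prints each required role that is absent. Returns 1 if any is missing.
missing_roles() {
    local existing role rc=0
    existing=$(cat)
    while IFS= read -r role; do
        # -F: literal match (no regex); -x: whole line only, so "creator"
        # is not satisfied by a longer name such as "creator_readonly".
        if ! printf '%s\n' "$existing" | grep -Fxq -- "$role"; then
            printf '%s\n' "$role"
            rc=1
        fi
    done <<EOF
$REQUIRED_ROLES
EOF
    return "$rc"
}

# Constructed sample of `openstack role list -f value -c Name` output for a
# deployment showing the failure in this report (service-admin role absent).
SAMPLE_ROLES="admin
member
reader
creator
swiftoperator"

# Live usage (assumes admin credentials are already sourced):
#   openstack role list -f value -c Name | missing_roles
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_ROLES" | missing_roles || echo "roles missing" >&2
fi
```

Running the check before `tempest run` surfaces the missing role as a single line of output instead of a `setUpClass` traceback per test class.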

Comment 1 Pavan 2019-07-01 17:04:55 UTC
Created attachment 1586385 [details]
barbican_api_tests_logs

Adding full barbican API test logs

Comment 3 Raildo Mascena de Sousa Filho 2019-07-05 18:01:44 UTC
Based on a discussion with DFG:DF, this looks to be the kolla-ansible related issue. So, we need to find the related TripleO code, or it is in the wrong layer and the fix got into the wrong place. In other words, the current fix https://review.opendev.org/#/c/581419/ is part of openstack-ansible, and we don't ship that project, and anyway, it's used only to set up the environment. We need to find a way to push this for TripleO to make this part of the Director deployment.

Comment 4 Harry Rybacki 2019-08-20 17:03:36 UTC
Adding upstream review of cherry-pick from master.

Targeting Z1 as this not make it in prior to GA per release schedules.

Comment 5 Harry Rybacki 2019-08-26 13:31:03 UTC
Upstream review has merged. Moving RHBZ to POST.

Comment 6 Harry Rybacki 2019-09-16 15:05:22 UTC
Found the fix made its way into one of the builds by automation. Updating FIV and moving RHBZ to MODIFIED.

Comment 7 Shelley Dunne 2019-09-19 18:29:45 UTC
Re-setting Target Milestone z1 to --- to begin the 15z1 Maintenance Release.

Comment 12 Alex McLeod 2020-02-19 12:48:36 UTC
If this bug requires doc text for errata release, please set the 'Doc Type' and provide draft text according to the template in the 'Doc Text' field. The documentation team will review, edit, and approve the text.

If this bug does not require doc text, please set the 'requires_doc_text' flag to '-'.

Comment 14 errata-xmlrpc 2020-03-05 11:59:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0643

