Description of problem:
Neutron error on attempt to list security group rules as a tenant.

Tempest tests fail:
ML2/OVN job: https://rhos-qe-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/view/DFG/view/network/view/networking-ovn/job/DFG-network-networking-ovn-13_director-rhel-virthost-3cont_2comp-ipv4-geneve/439/testReport/
ML2/OVS job: https://rhos-qe-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/view/DFG/view/network/view/neutron/job/DFG-network-neutron-13_director-rhel-virthost-3cont_2comp-ipv4-vxlan/402/testReport/

Can be easily reproduced by openstack client when running as tenant user:

openstack security group rule list
HttpException: 500: Server Error for url: http://10.0.0.101:9696/v2.0/security-group-rules, {"NeutronError": {"message": "Failed to check policy tenant_id:%(security_group:tenant_id)s because Unable to verify match:%(security_group:tenant_id)s as the parent resource: security_group was not found.", "type": "PolicyCheckError", "detail": ""}}

or

openstack security group rule list --debug
REQ: curl -g -i -X GET http://10.0.0.101:9696/v2.0/security-group-rules -H "User-Agent: osc-lib/1.9.0 keystoneauth1/3.4.1 python-requests/2.14.2 CPython/2.7.5" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}15fa46d12777ae9121734c4e03dfe7b0bcad5189"
http://10.0.0.101:9696 "GET /v2.0/security-group-rules HTTP/1.1" 500 250
RESP: [500] Content-Type: application/json Content-Length: 250 X-Openstack-Request-Id: req-ec62f297-b6c7-419c-99f9-8e820c2c2fc7 Date: Sun, 16 Feb 2020 15:31:55 GMT
RESP BODY: {"NeutronError": {"message": "Failed to check policy tenant_id:%(security_group:tenant_id)s because Unable to verify match:%(security_group:tenant_id)s as the parent resource: security_group was not found.", "type": "PolicyCheckError", "detail": ""}}
GET call to network for http://10.0.0.101:9696/v2.0/security-group-rules used request id req-ec62f297-b6c7-419c-99f9-8e820c2c2fc7
Manager regionOne ran task network.GET.security-group-rules in 1.09681987762s
HttpException: 500: Server Error for url: http://10.0.0.101:9696/v2.0/security-group-rules, {"NeutronError": {"message": "Failed to check policy tenant_id:%(security_group:tenant_id)s because Unable to verify match:%(security_group:tenant_id)s as the parent resource: security_group was not found.", "type": "PolicyCheckError", "detail": ""}}
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 400, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/osc_lib/command/command.py", line 41, in run
    return super(Command, self).run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/display.py", line 116, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/network/common.py", line 139, in take_action
    parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/network/v2/security_group_rule.py", line 544, in take_action_network
    for r in client.security_group_rules(**query)
  File "/usr/lib/python2.7/site-packages/openstack/resource.py", line 898, in list
    exceptions.raise_from_response(response)
  File "/usr/lib/python2.7/site-packages/openstack/exceptions.py", line 205, in raise_from_response
    http_status=http_status, request_id=request_id
HttpException: HttpException: 500: Server Error for url: http://10.0.0.101:9696/v2.0/security-group-rules, {"NeutronError": {"message": "Failed to check policy tenant_id:%(security_group:tenant_id)s because Unable to verify match:%(security_group:tenant_id)s as the parent resource: security_group was not found.", "type": "PolicyCheckError", "detail": ""}}
clean_up ListSecurityGroupRule: HttpException: 500: Server Error for url: http://10.0.0.101:9696/v2.0/security-group-rules, {"NeutronError": {"message": "Failed to check policy tenant_id:%(security_group:tenant_id)s because Unable to verify match:%(security_group:tenant_id)s as the parent resource: security_group was not found.", "type": "PolicyCheckError", "detail": ""}}
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 134, in run
    ret_val = super(OpenStackShell, self).run(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 279, in run
    result = self.run_subcommand(remainder)
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 169, in run_subcommand
    ret_value = super(OpenStackShell, self).run_subcommand(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 400, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/osc_lib/command/command.py", line 41, in run
    return super(Command, self).run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/display.py", line 116, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/network/common.py", line 139, in take_action
    parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/network/v2/security_group_rule.py", line 544, in take_action_network
    for r in client.security_group_rules(**query)
  File "/usr/lib/python2.7/site-packages/openstack/resource.py", line 898, in list
    exceptions.raise_from_response(response)
  File "/usr/lib/python2.7/site-packages/openstack/exceptions.py", line 205, in raise_from_response
    http_status=http_status, request_id=request_id
HttpException: HttpException: 500: Server Error for url: http://10.0.0.101:9696/v2.0/security-group-rules, {"NeutronError": {"message": "Failed to check policy tenant_id:%(security_group:tenant_id)s because Unable to verify match:%(security_group:tenant_id)s as the parent resource: security_group was not found.", "type": "PolicyCheckError", "detail": ""}}

Version-Release number of selected component (if applicable):
13.0-RHEL-7/2020-02-14.1
openstack-neutron-12.1.1-5.el7ost.noarch

How reproducible:
100%

Steps to Reproduce:
openstack project create --domain default --description "Tenant1 Project" tenant1
openstack user create --domain default --password-prompt tenant1
  - enter 'tenant1' on each prompt (you will be prompted twice)
openstack role create user
openstack role add --project tenant1 --user tenant1 user
cp overcloudrc tenant1_rc
set OS_USERNAME, OS_CLOUDNAME, OS_PASSWORD and OS_PROJECT_NAME to 'tenant_1' and source tenant1_rc
openstack security group rule list --debug

Actual results:
Neutron error

Expected results:
List of security group rules returned

Additional info:
Note: this is a regression; the issue did not happen on the previous OSP13 puddle 2020-02-10.8.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0770