Bug 1803525 - [OSP13] Regression, Neutron error on attempt to list security group rules as a tenant user
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: z11
Target Release: 13.0 (Queens)
Assignee: Slawek Kaplonski
QA Contact: Candido Campos
Blocks: 1803253
Reported: 2020-02-16 16:09 UTC by Roman Safronov
Modified: 2020-03-10 11:27 UTC

Fixed In Version: openstack-neutron-12.1.1-6.el7ost
Doc Type: No Doc Update
Last Closed: 2020-03-10 11:26:52 UTC


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:0770 0 None None None 2020-03-10 11:27:02 UTC

Description Roman Safronov 2020-02-16 16:09:26 UTC
Description of problem:
Neutron error on attempt to list security group rules as a tenant.

Tempest tests fail:
ML2/OVN job
https://rhos-qe-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/view/DFG/view/network/view/networking-ovn/job/DFG-network-networking-ovn-13_director-rhel-virthost-3cont_2comp-ipv4-geneve/439/testReport/

ML2/OVS job:
https://rhos-qe-jenkins.rhev-ci-vms.eng.rdu2.redhat.com/view/DFG/view/network/view/neutron/job/DFG-network-neutron-13_director-rhel-virthost-3cont_2comp-ipv4-vxlan/402/testReport/


Can be easily reproduced by openstack client when running as tenant user:

openstack security group rule list

HttpException: 500: Server Error for url: http://10.0.0.101:9696/v2.0/security-group-rules, {"NeutronError": {"message": "Failed to check policy tenant_id:%(security_group:tenant_id)s because Unable to verify match:%(security_group:tenant_id)s as the parent resource: security_group was not found.", "type": "PolicyCheckError", "detail": ""}}

or

openstack security group rule list --debug

REQ: curl -g -i -X GET http://10.0.0.101:9696/v2.0/security-group-rules -H "User-Agent: osc-lib/1.9.0 keystoneauth1/3.4.1 python-requests/2.14.2 CPython/2.7.5" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}15fa46d12777ae9121734c4e03dfe7b0bcad5189"
http://10.0.0.101:9696 "GET /v2.0/security-group-rules HTTP/1.1" 500 250
RESP: [500] Content-Type: application/json Content-Length: 250 X-Openstack-Request-Id: req-ec62f297-b6c7-419c-99f9-8e820c2c2fc7 Date: Sun, 16 Feb 2020 15:31:55 GMT 
RESP BODY: {"NeutronError": {"message": "Failed to check policy tenant_id:%(security_group:tenant_id)s because Unable to verify match:%(security_group:tenant_id)s as the parent resource: security_group was not found.", "type": "PolicyCheckError", "detail": ""}}

GET call to network for http://10.0.0.101:9696/v2.0/security-group-rules used request id req-ec62f297-b6c7-419c-99f9-8e820c2c2fc7
Manager regionOne ran task network.GET.security-group-rules in 1.09681987762s
HttpException: 500: Server Error for url: http://10.0.0.101:9696/v2.0/security-group-rules, {"NeutronError": {"message": "Failed to check policy tenant_id:%(security_group:tenant_id)s because Unable to verify match:%(security_group:tenant_id)s as the parent resource: security_group was not found.", "type": "PolicyCheckError", "detail": ""}}
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 400, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/osc_lib/command/command.py", line 41, in run
    return super(Command, self).run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/display.py", line 116, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/network/common.py", line 139, in take_action
    parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/network/v2/security_group_rule.py", line 544, in take_action_network
    for r in client.security_group_rules(**query)
  File "/usr/lib/python2.7/site-packages/openstack/resource.py", line 898, in list
    exceptions.raise_from_response(response)
  File "/usr/lib/python2.7/site-packages/openstack/exceptions.py", line 205, in raise_from_response
    http_status=http_status, request_id=request_id
HttpException: HttpException: 500: Server Error for url: http://10.0.0.101:9696/v2.0/security-group-rules, {"NeutronError": {"message": "Failed to check policy tenant_id:%(security_group:tenant_id)s because Unable to verify match:%(security_group:tenant_id)s as the parent resource: security_group was not found.", "type": "PolicyCheckError", "detail": ""}}
clean_up ListSecurityGroupRule: HttpException: 500: Server Error for url: http://10.0.0.101:9696/v2.0/security-group-rules, {"NeutronError": {"message": "Failed to check policy tenant_id:%(security_group:tenant_id)s because Unable to verify match:%(security_group:tenant_id)s as the parent resource: security_group was not found.", "type": "PolicyCheckError", "detail": ""}}
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 134, in run
    ret_val = super(OpenStackShell, self).run(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 279, in run
    result = self.run_subcommand(remainder)
  File "/usr/lib/python2.7/site-packages/osc_lib/shell.py", line 169, in run_subcommand
    ret_value = super(OpenStackShell, self).run_subcommand(argv)
  File "/usr/lib/python2.7/site-packages/cliff/app.py", line 400, in run_subcommand
    result = cmd.run(parsed_args)
  File "/usr/lib/python2.7/site-packages/osc_lib/command/command.py", line 41, in run
    return super(Command, self).run(parsed_args)
  File "/usr/lib/python2.7/site-packages/cliff/display.py", line 116, in run
    column_names, data = self.take_action(parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/network/common.py", line 139, in take_action
    parsed_args)
  File "/usr/lib/python2.7/site-packages/openstackclient/network/v2/security_group_rule.py", line 544, in take_action_network
    for r in client.security_group_rules(**query)
  File "/usr/lib/python2.7/site-packages/openstack/resource.py", line 898, in list
    exceptions.raise_from_response(response)
  File "/usr/lib/python2.7/site-packages/openstack/exceptions.py", line 205, in raise_from_response
    http_status=http_status, request_id=request_id
HttpException: HttpException: 500: Server Error for url: http://10.0.0.101:9696/v2.0/security-group-rules, {"NeutronError": {"message": "Failed to check policy tenant_id:%(security_group:tenant_id)s because Unable to verify match:%(security_group:tenant_id)s as the parent resource: security_group was not found.", "type": "PolicyCheckError", "detail": ""}}



Version-Release number of selected component (if applicable):
13.0-RHEL-7/2020-02-14.1
openstack-neutron-12.1.1-5.el7ost.noarch

How reproducible:
100%


Steps to Reproduce:

openstack project create --domain default --description "Tenant1 Project" tenant1
openstack user create --domain default --password-prompt tenant1
 - enter 'tenant1' on each prompt (you will be prompted twice)
openstack role create user
openstack role add --project tenant1 --user tenant1 user

cp overcloudrc tenant1_rc
set OS_USERNAME, OS_CLOUDNAME, OS_PASSWORD and OS_PROJECT_NAME to 'tenant_1'
and source tenant1_rc

openstack security group rule list  --debug


Actual results:
Neutron error

Expected results:
List of security group rules returned

Additional info:

Comment 1 Roman Safronov 2020-02-16 16:13:41 UTC
Note: this is a regression, the issue did not happen on the previous OSP13 puddle 2020-02-10.8

Comment 17 errata-xmlrpc 2020-03-10 11:26:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0770
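
Added example (not part of the original report and not Neutron or client code): a Python triage helper that scans `openstack ... --debug` output like that quoted in the description, picks out responses whose body is a `NeutronError` of type `PolicyCheckError`, and returns the request ID and the failing owner-check rule so the entry can be matched against the Neutron server log. The function name and result keys are assumptions of this example; the sample lines are copied from the description.

```python
import json
import re

# Sample copied from the `--debug` output quoted in the description.
SAMPLE_DEBUG = '''\
RESP: [500] Content-Type: application/json Content-Length: 250 X-Openstack-Request-Id: req-ec62f297-b6c7-419c-99f9-8e820c2c2fc7 Date: Sun, 16 Feb 2020 15:31:55 GMT
RESP BODY: {"NeutronError": {"message": "Failed to check policy tenant_id:%(security_group:tenant_id)s because Unable to verify match:%(security_group:tenant_id)s as the parent resource: security_group was not found.", "type": "PolicyCheckError", "detail": ""}}
'''

STATUS_RE = re.compile(r"^RESP: \[(\d{3})\]")
REQ_ID_RE = re.compile(r"X-Openstack-Request-Id: (req-[0-9a-f-]+)")
# Owner-check rule of the form  field:%(parent_resource:parent_field)s
RULE_RE = re.compile(r"Failed to check policy (\w+):%\((\w+):(\w+)\)s because")
BODY_PREFIX = "RESP BODY: "


def triage_policy_errors(debug_text):
    """Return one finding per RESP / RESP BODY pair carrying a PolicyCheckError."""
    findings = []
    status = request_id = None
    for line in debug_text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            status = int(m.group(1))
            rid = REQ_ID_RE.search(line)
            request_id = rid.group(1) if rid else None
            continue
        if not line.startswith(BODY_PREFIX) or status is None:
            continue
        try:
            body = json.loads(line[len(BODY_PREFIX):])
        except ValueError:
            body = None  # non-JSON body, e.g. an HTML error page
        err = body.get("NeutronError") if isinstance(body, dict) else None
        if isinstance(err, dict) and err.get("type") == "PolicyCheckError":
            rule = RULE_RE.search(err.get("message", ""))
            field, parent, parent_field = rule.groups() if rule else (None,) * 3
            findings.append({
                "status": status,
                "request_id": request_id,
                "field": field,
                "parent_resource": parent,
                "parent_field": parent_field,
                # 5xx: the policy check could not be evaluated (server fault),
                # as opposed to an access denial.
                "server_fault": status >= 500,
            })
        status = request_id = None
    return findings
```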

