Bug 2065282 - Secure RBAC, invalid YAML syntax in enable-secure-rbac.yaml file crashes overcloud when redeployed
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-openstacklib
Version: 17.0 (Wallaby)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: beta
Target Release: 17.0
Assignee: Douglas Mendizábal
QA Contact: Jeremy Agee
URL:
Whiteboard:
Depends On:
Blocks: 1901686 2124617
Reported: 2022-03-17 15:16 UTC by Omer Schwartz
Modified: 2023-09-18 04:33 UTC (History)

Fixed In Version: puppet-openstacklib-18.5.1-0.20220416002854.358e2a4.el9ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-09-21 12:19:39 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Launchpad | 1965338 | 0 | None | None | None | 2022-04-05 18:26:19 UTC
OpenStack gerrit | 834248 | 0 | None | master: MERGED | puppet-openstacklib: policy: Quote single quotes in yaml format (I0216c2e4ecf75dbdd93d06eae2ebf8e7f2f4ac1a) | 2022-06-13 19:39:26 UTC
OpenStack gerrit | 835958 | 0 | None | stable/wallaby: MERGED | puppet-openstacklib: policy: Quote single quotes in yaml format (I0216c2e4ecf75dbdd93d06eae2ebf8e7f2f4ac1a) | 2022-06-13 19:39:31 UTC
Red Hat Issue Tracker | OSP-14029 | 0 | None | None | None | 2022-03-17 15:29:48 UTC
Red Hat Product Errata | RHEA-2022:6543 | 0 | None | None | None | 2022-09-21 12:20:23 UTC

Description Omer Schwartz 2022-03-17 15:16:49 UTC
Description of problem:
Invalid YAML syntax crashes overcloud redeployment.

This patch https://review.opendev.org/c/openstack/tripleo-heat-templates/+/818629 added some lines that, when concatenated into the policy.yaml file, produce the following error:
  File "/usr/lib/python3.6/site-packages/oslo_policy/policy.py", line 413, in parse_file_contents
    raise ValueError(str(e))
ValueError: while parsing a block mapping
  in "<unicode string>", line 1, column 1:
    'add_image': 'role:admin or (rol ... 
    ^   
expected <block end>, but found '<scalar>'
  in "<unicode string>", line 22, column 110:
     ... or project_id:%(member_id)s or 'community':%(visibility)s or 'pu ... 

See https://bugzilla.redhat.com/show_bug.cgi?id=2064290



Running yamllint on the policy_file=/etc/glance/policy.yaml file, I get:
yamllint policy.yaml 
policy.yaml
  1:1       warning  missing document start "---"  (document-start)
  1:81      error    line too long (97 > 80 characters)  (line-length)
  22:81     error    line too long (191 > 80 characters)  (line-length)
  23:81     error    line too long (186 > 80 characters)  (line-length)
  24:81     error    line too long (81 > 80 characters)  (line-length)
  26:81     error    line too long (101 > 80 characters)  (line-length)
  27:81     error    line too long (102 > 80 characters)  (line-length)
  28:81     error    line too long (113 > 80 characters)  (line-length)
  29:81     error    line too long (85 > 80 characters)  (line-length)
  30:81     error    line too long (110 > 80 characters)  (line-length)
  31:81     error    line too long (111 > 80 characters)  (line-length)
  32:81     error    line too long (114 > 80 characters)  (line-length)
  33:81     error    line too long (112 > 80 characters)  (line-length)
  34:81     error    line too long (117 > 80 characters)  (line-length)
  35:81     error    line too long (107 > 80 characters)  (line-length)
  36:81     error    line too long (108 > 80 characters)  (line-length)
  39:81     error    line too long (119 > 80 characters)  (line-length)
  54:81     error    line too long (81 > 80 characters)  (line-length)
  22:110    error    syntax error: expected <block end>, but found '<scalar>' (syntax)

^^^^^^^^
Which happened because of this line https://review.opendev.org/c/openstack/tripleo-heat-templates/+/818629/1/environments/enable-secure-rbac.yaml#1530

The invalid line in policy.yaml was
'download_image': 'role:admin or (role:member and (project_id:%(project_id)s or project_id:%(member_id)s or 'community':%(visibility)s or 'public':%(visibility)s or 'shared':%(visibility)s))'

Note: the usage of single comma (') repeats in many more lines.



This bug prevents applying the new Secure RBAC policy in OSP17, TripleO.

Version-Release number of selected component (if applicable):
[stack@undercloud-0 ~]$ cat /etc/rhosp-release 
Red Hat OpenStack Platform release 17.0.0 Beta (Ussuri)

How reproducible:
100%

Steps to Reproduce:
1. Deploy OSP17, TripleO with Octavia
2. Add /home/stack/overcloud-deploy/overcloud/tripleo-heat-templates/environments/enable-secure-rbac.yaml to /home/stack/overcloud_deploy.sh
3. Redeploy /home/stack/overcloud_deploy.sh 

Actual results:
The deployment failed when trying to upload amphora image to glance, because of the error mentioned above.

Expected results:
The deployment passes.
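
The failure reported above, and the standard YAML way to avoid it, as an added Ruby example (not part of the original report and not the puppet-openstacklib change itself). It assumes a renderer that wraps each rule in single quotes; render_naive, render_escaped, yaml_single_quote and check_policy are hypothetical names.

```ruby
require 'yaml'

# Rule text copied from the invalid policy.yaml line quoted in the report.
DOWNLOAD_IMAGE_RULE =
  'role:admin or (role:member and (project_id:%(project_id)s or ' \
  "project_id:%(member_id)s or 'community':%(visibility)s or " \
  "'public':%(visibility)s or 'shared':%(visibility)s))"

# Hypothetical helper: wraps name and rule in single quotes with no escaping,
# which reproduces the shape of the failing line.
def render_naive(name, rule)
  "'#{name}': '#{rule}'"
end

# Hypothetical helper: inside a single-quoted YAML scalar a literal ' is
# written as '', so every embedded quote is doubled before wrapping.
def yaml_single_quote(text)
  "'" + text.gsub("'", "''") + "'"
end

def render_escaped(name, rule)
  "#{yaml_single_quote(name)}: #{yaml_single_quote(rule)}"
end

# Pre-deployment check: the text must parse and be a flat string-to-string
# mapping. Returns [true, parsed_hash] or [false, reason].
def check_policy(text)
  doc = YAML.safe_load(text)
  return [false, 'top level is not a mapping'] unless doc.is_a?(Hash)
  bad = doc.reject { |k, v| k.is_a?(String) && v.is_a?(String) }
  return [false, "non-string entries: #{bad.keys.inspect}"] unless bad.empty?
  [true, doc]
rescue Psych::SyntaxError => e
  [false, e.message]
end

if __FILE__ == $PROGRAM_NAME
  [render_naive('download_image', DOWNLOAD_IMAGE_RULE),
   render_escaped('download_image', DOWNLOAD_IMAGE_RULE)].each do |line|
    ok, detail = check_policy(line)
    puts(ok ? "valid:   #{detail.keys.join(', ')}" : "invalid: #{detail}")
  end
end
```

Running a check like check_policy on the rendered file before services restart turns a malformed policy into a failed deployment step rather than a policy file the service cannot load.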

Comment 1 Takashi Kajinami 2022-03-17 16:46:16 UTC
We might need to consider better formatting logic in puppet-openstacklib
 https://github.com/openstack/puppet-openstacklib/blob/master/manifests/policy/base.pp#L88

In the past we tried augeas but failed because it does not support the current structure of policy yaml.
(augeas works properly only when an additional top level key exists)

Comment 2 Takashi Kajinami 2022-03-17 17:10:34 UTC
(In reply to Takashi Kajinami from comment #1)
> We might need to consider better formatting logic in puppet-openstacklib
>  https://github.com/openstack/puppet-openstacklib/blob/master/manifests/policy/base.pp#L88
> 
> In the past we tried augeas but failed because it does not support current
> structure of policy yaml.
> (augeas works properly only when an additional top level key exists)

Reported a bug for puppet-openstacklib.
https://bugs.launchpad.net/puppet-openstacklib/+bug/1965338

Comment 4 Yaniv Kaul 2022-05-18 11:40:01 UTC
Any idea why the BZ is still on POST? The upstream issue (https://bugs.launchpad.net/puppet-openstacklib/+bug/1965338) seems to be resolved - is this waiting for backport?
(asking mainly because it's a test blocker)

Comment 6 Douglas Mendizábal 2022-06-14 19:21:18 UTC
Hi Yaniv, it looks like this was moved to MODIFIED already by Jon.

Comment 14 errata-xmlrpc 2022-09-21 12:19:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.0 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:6543

Comment 15 Red Hat Bugzilla 2023-09-18 04:33:41 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days

