Description of problem:

The TripleO policy override file https://github.com/openstack/tripleo-heat-templates/blob/master/environments/enable-secure-rbac.yaml isn't rendering the correct definitions for (at least) Octavia and probably other OpenStack services as well.

For example, in the following override section for the Octavia policy https://github.com/openstack/tripleo-heat-templates/blob/master/environments/enable-secure-rbac.yaml#L3701 we see role rules such as

  value: "role:admin or rule:project-reader"
  value: "role:admin or rule:project-member"

that we do not see in the rendered policy.yaml file in our Jenkins jobs (here is a link from our latest build):
http://rhos-ci-logs.lab.eng.tlv2.redhat.com/logs/rcj/DFG-network-octavia-17.0_director-rhel-virthost-3cont_3comp-ipv4-geneve-actstby/66/controller-0/var/lib/config-data/octavia/etc/octavia/policy.yaml.gz

The policy.yaml file isn't rendering a definition for "rule:project-reader" nor "rule:project-member". In order to verify the Secure RBAC feature, each OSP component needs to have those role rules defined; e.g. Octavia defines them this way: https://github.com/openstack/octavia/blob/master/etc/policy/keystone_default_roles-policy.yaml#L13

The fact that those role rules are not rendered causes many Secure RBAC tests to fail and blocks the Secure RBAC feature.

Version-Release number of selected component (if applicable):
core_puddle: RHOS-17.0-RHEL-9-20220623.n.1

How reproducible:
100%

Steps to Reproduce:
1. Run any Octavia OSP17 job on CI, add "enable-secure-rbac" to OVERCLOUD_TEMPLATES, and add --config-options load_balancer.enforce_new_defaults='True' to TEMPEST_RUN_OVERRIDE_OPTIONS.

A link for the Active standby job (could be any): https://rhos-ci-jenkins.lab.eng.tlv2.redhat.com/view/DFG/view/network/view/octavia/job/DFG-network-octavia-17.0_director-rhel-virthost-3cont_3comp-ipv4-geneve-actstby/

Actual results:
Important role rules are not being rendered in /controller-0/var/lib/config-data/octavia/etc/octavia/policy.yaml.gz, and many Secure RBAC tests fail.

Expected results:
All Secure RBAC tests should pass.
The root issue is that the roles "project_reader" and "project_member" are not defined in the policy override rendered via TripleO and the enable-secure-rbac.yaml environment file.
I'm not sure I understand what the issue is here. There seems to be a misunderstanding of how the policy.yaml override files work. IIUC, the effective policy used by a service is a combination of both the default rules defined in code in the project and the override rules specified in the policy.yaml file.

For Octavia, the "project-member" and "project-reader" rules have default values defined here: https://opendev.org/openstack/octavia/src/branch/stable/wallaby/octavia/policies/base.py#L52-L64

Because we are not changing the value of the "project-member" and "project-reader" rules, we do not need to specify them in the policy.yaml override file. In fact, the oslo.policy library provides a mechanism to help identify redundant rules that are present in both the default rules and the policy.yaml, noting that "These are rules that can be removed from the policy file with no change in effective policy": https://docs.openstack.org/oslo.policy/latest/user/usage.html#list-of-redundant-configuration

Are you seeing different behavior in Octavia? Does the effective policy not contain the default rules?
Yeah, you are right, those are globally defined in the defaults, so... hmmm, what is failing here? Omer, can you point us to a current run that is failing? The linked job is passing and not using the policy override.
I have looked into this some more. I found the job Omer was running (http://rhos-ci-logs.lab.eng.tlv2.redhat.com/logs/rcj/DFG-network-octavia-17.0_director-rhel-virthost-3cont_3comp-ipv4-geneve-actstby/66/controller-0/var/lib/config-data/octavia/etc/octavia/policy.yaml.gz).

I checked the tempest.conf and the RBAC test type is incorrect:

[load_balancer]
RBAC_test_type = owner_or_admin

http://rhos-ci-logs.lab.eng.tlv2.redhat.com/logs/rcj/DFG-network-octavia-17.0_director-rhel-virthost-3cont_3comp-ipv4-geneve-actstby/66/undercloud-0/home/stack/tempest-dir/etc/tempest.conf.gz

Which is likely causing this:

2022-06-27 13:48:59.490 19 DEBUG octavia.common.policy [req-55138779-6e68-4983-bf53-0beecfa8f691 - d2859124b48d4b68b28905c53203b92b - default default] Policy check for os_load-balancer_api:provider:get_all failed with credentials {'is_admin': False, 'user_id': None, 'user_domain_id': 'default', 'system_scope': None, 'domain_id': None, 'project_id': 'd2859124b48d4b68b28905c53203b92b', 'project_domain_id': 'default', 'roles': ['swiftoperator'], 'is_admin_project': True, 'service_user_id': None, 'service_user_domain_id': None, 'service_project_id': None, 'service_project_domain_id': None, 'service_roles': []} authorize /usr/lib/python3.9/site-packages/octavia/common/policy.py:126

where the user being used doesn't have the reader or member role (it only has "swiftoperator", for whatever reason).

Please make sure you configure tempest to test the proper RBAC configuration for Octavia:

[load_balancer]
RBAC_test_type = keystone_default_roles
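The point made in the two comments above, that the effective policy is the defaults registered in code with policy.yaml laid over them, and that the request in the quoted log line is denied because its only role is swiftoperator rather than because project-reader is missing from the file, can be replayed with a small self-contained model. This is example code added to this thread; it is not oslo.policy and not Octavia's own code. The default rule strings, the override file contents and the credential dictionaries are constructed for illustration and only resemble Octavia's (the project ID is the one from the log line above), and the evaluator deliberately skips parentheses, which none of the rules quoted here use.

```python
"""Toy model of how oslo.policy layers a policy.yaml override on the defaults a
service registers in code.  Written for this bug thread; NOT oslo.policy or
Octavia code.  Rule strings and credentials are constructed, not copied."""
import re

# Constructed stand-in for the defaults Octavia registers in code
# (octavia/policies/base.py is where project-member/project-reader are defined).
CODE_DEFAULTS = {
    "context_is_admin": "role:admin",
    "project-member": "role:member and project_id:%(project_id)s",
    "project-reader": "role:reader and project_id:%(project_id)s",
    "os_load-balancer_api:provider:get_all": "rule:context_is_admin",
}
# Constructed stand-in for the rendered policy.yaml: it overrides one API rule
# and, like the file in the report, never defines project-reader itself.
POLICY_YAML = {
    "os_load-balancer_api:provider:get_all": "role:admin or rule:project-reader",
    "context_is_admin": "role:admin",  # identical to the default -> redundant
}


def _eval(expr, enforcer, creds, target, depth):
    """Evaluate a rule string with oslo.policy precedence: 'or' binds loosest,
    then 'and', then 'not'.  Simplification: no parentheses support."""
    expr = expr.strip()
    for word, combine in (("or", any), ("and", all)):
        parts = re.split(rf"\s+{word}\s+", expr)
        if len(parts) > 1:  # any()/all() short-circuit like or/and do
            return combine(_eval(p, enforcer, creds, target, depth) for p in parts)
    if expr.startswith("not "):
        return not _eval(expr[4:], enforcer, creds, target, depth)
    return enforcer.atom(expr, creds, target, depth)


class Enforcer:
    """Effective policy = code defaults overlaid by whatever the policy file sets."""

    def __init__(self, defaults, policy_file):
        self.defaults, self.policy_file = dict(defaults), dict(policy_file)
        self.rules = {**self.defaults, **self.policy_file}

    def redundant_rules(self):
        """Same idea as oslopolicy-list-redundant: file entries equal to the default."""
        return sorted(n for n, e in self.policy_file.items() if self.defaults.get(n) == e)

    def enforce(self, rule, creds, target=None, _depth=0):
        if _depth > 32:
            raise RecursionError(f"rule cycle while evaluating {rule!r}")
        expr = self.rules.get(rule)  # unknown rule -> deny (oslo.policy would try 'default')
        return expr is not None and _eval(expr, self, creds, target or {}, _depth)

    def atom(self, tok, creds, target, depth):
        """One leaf: @, !, role:x, rule:x, or field:literal / field:%(target_field)s."""
        if tok in ("@", "!"):
            return tok == "@"
        key, _, value = tok.partition(":")
        if key == "role":
            return value in creds.get("roles", [])
        if key == "rule":
            return self.enforce(value, creds, target, depth + 1)
        m = re.fullmatch(r"%\((\w+)\)s", value)  # e.g. project_id:%(project_id)s
        expected = target.get(m.group(1)) if m else value
        actual = creds.get(key)
        return actual is not None and expected is not None and str(actual) == str(expected)


def demo():
    """Replay the check from the quoted log line with a few constructed credential sets."""
    enforcer = Enforcer(CODE_DEFAULTS, POLICY_YAML)
    project = "d2859124b48d4b68b28905c53203b92b"  # project id from the quoted log line
    api = "os_load-balancer_api:provider:get_all"

    def allowed(roles, project_id=project):
        creds = {"is_admin": False, "project_id": project_id, "roles": roles}
        return enforcer.enforce(api, creds, {"project_id": project})

    return {
        "reader_rule_comes_from_defaults": "project-reader" not in POLICY_YAML
        and "project-reader" in enforcer.rules,
        "swiftoperator_allowed": allowed(["swiftoperator"]),  # the failing request
        "reader_allowed": allowed(["reader"]),
        "foreign_project_reader_allowed": allowed(["reader"], "0" * 32),
        "admin_allowed": allowed(["admin"], "0" * 32),
        "redundant": enforcer.redundant_rules(),
    }
```

Running demo() shows project-reader resolving from the defaults even though the override file never defines it, the swiftoperator-only request denied, a reader in the same project allowed, a reader from another project denied, and context_is_admin flagged as redundant because the file merely repeats the default. On a real deployment, use oslo.policy's own oslopolicy-list-redundant (linked in the comment above) and oslopolicy-policy-generator, which prints the merged effective policy, rather than this toy.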