Bug 2167374 - Secure RBAC Octavia tempest tests fail
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-octavia-tests-tempest
Version: 17.1 (Wallaby)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: beta
Target Release: 17.1
Assignee: Gregory Thiemonge
QA Contact: Omer Schwartz
Docs Contact: Greg Rakauskas
URL:
Whiteboard:
Depends On:
Blocks: 2124617
Reported: 2023-02-06 12:36 UTC by Omer Schwartz
Modified: 2023-08-16 01:14 UTC

Fixed In Version: python-octavia-tests-tempest-1.9.0-1.20230328101001.a3a95b1.el9ost
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-16 01:13:41 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 872648 0 None MERGED Fix legacy admin in RBAC tests 2023-03-03 13:41:12 UTC
OpenStack gerrit 875620 0 None MERGED Fix Octavia policies 2023-03-02 07:29:52 UTC
OpenStack gerrit 876904 0 None MERGED Update Octavia tempest tests for no scoped tokens 2023-03-28 07:11:46 UTC
Red Hat Issue Tracker OSP-22080 0 None None None 2023-02-06 12:39:17 UTC
Red Hat Product Errata RHEA-2023:4577 0 None None None 2023-08-16 01:14:03 UTC

Description Omer Schwartz 2023-02-06 12:36:38 UTC
Description of problem:
The following secure RBAC Octavia tempest tests fail:

tests.api.v2.test_flavor_profile.FlavorProfileAPITest.test_flavor_profile_create
tests.api.v2.test_flavor_profile.FlavorProfileAPITest.test_flavor_profile_delete
tests.api.v2.test_flavor_profile.FlavorProfileAPITest.test_flavor_profile_list
tests.api.v2.test_flavor_profile.FlavorProfileAPITest.test_flavor_profile_show
tests.api.v2.test_flavor_profile.FlavorProfileAPITest.test_flavor_profile_update


With the following error message:
Traceback (most recent call last):
      File "/usr/lib/python3.9/site-packages/octavia_tempest_plugin/tests/api/v2/test_flavor_profile.py", line 77, in test_flavor_profile_create
        self.lb_admin_flavor_profile_client.create_flavor_profile(
      File "/usr/lib/python3.9/site-packages/octavia_tempest_plugin/common/decorators.py", line 42, in wrapper
        return f(*func_args, **func_kwargs)
      File "/usr/lib/python3.9/site-packages/octavia_tempest_plugin/services/load_balancer/v2/flavor_profile_client.py", line 68, in create_flavor_profile
        return self._create_object(**kwargs)
      File "/usr/lib/python3.9/site-packages/octavia_tempest_plugin/services/load_balancer/v2/base_client.py", line 101, in _create_object
        response, body = self.post(request_uri, jsonutils.dumps(obj_dict))
      File "/usr/lib/python3.9/site-packages/tempest/lib/common/rest_client.py", line 299, in post
        return self.request('POST', url, extra_headers, headers, body, chunked)
      File "/usr/lib/python3.9/site-packages/tempest/lib/common/rest_client.py", line 720, in request
        self._error_checker(resp, resp_body)
      File "/usr/lib/python3.9/site-packages/tempest/lib/common/rest_client.py", line 821, in _error_checker
        raise exceptions.Forbidden(resp_body, resp=resp)
    tempest.lib.exceptions.Forbidden: Forbidden
    Details: {'faultcode': 'Client', 'faultstring': 'Policy does not allow this request to be performed.', 'debuginfo': None}
    

Captured pythonlogging:
~~~~~~~~~~~~~~~~~~~~~~~
    2023-02-06 12:22:23,014 295874 INFO     [tempest.lib.common.rest_client] Request (FlavorProfileAPITest:test_flavor_profile_create): 403 POST http://10.0.0.140:9876/v2.0/lbaas/flavorprofiles 0.180s
    2023-02-06 12:22:23,015 295874 DEBUG    [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
            Body: {"flavorprofile": {"name": "tempest-lb_admin_flavorprofile1-create-993542616", "provider_name": "octavia", "flavor_data": "{\"loadbalancer_topology\": \"SINGLE\"}"}}
        Response - Headers: {'date': 'Mon, 06 Feb 2023 12:22:22 GMT', 'server': 'Apache', 'content-length': '112', 'x-openstack-request-id': 'req-467bbdfa-1b59-440a-a06d-07529d8d17b8', 'content-type': 'application/json', 'connection': 'close', 'status': '403', 'content-location': 'http://10.0.0.140:9876/v2.0/lbaas/flavorprofiles'}
            Body: b'{"faultcode": "Client", "faultstring": "Policy does not allow this request to be performed.", "debuginfo": null}'
    2023-02-06 12:22:23,110 295874 INFO     [tempest.lib.common.rest_client] Request (FlavorProfileAPITest:test_flavor_profile_create): 403 POST http://10.0.0.140:9876/v2.0/lbaas/flavorprofiles 0.094s
    2023-02-06 12:22:23,110 295874 DEBUG    [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
            Body: {"flavorprofile": {"name": "tempest-lb_admin_flavorprofile1-create-993542616", "provider_name": "octavia", "flavor_data": "{\"loadbalancer_topology\": \"SINGLE\"}"}}
        Response - Headers: {'date': 'Mon, 06 Feb 2023 12:22:23 GMT', 'server': 'Apache', 'content-length': '112', 'x-openstack-request-id': 'req-57ed12b9-bbb4-43f7-a381-688df8ee15c7', 'content-type': 'application/json', 'connection': 'close', 'status': '403', 'content-location': 'http://10.0.0.140:9876/v2.0/lbaas/flavorprofiles'}
            Body: b'{"faultcode": "Client", "faultstring": "Policy does not allow this request to be performed.", "debuginfo": null}'
    2023-02-06 12:22:23,125 295874 INFO     [tempest.lib.common.rest_client] Request (FlavorProfileAPITest:test_flavor_profile_create): 403 POST http://10.0.0.140:9876/v2.0/lbaas/flavorprofiles 0.014s
    2023-02-06 12:22:23,126 295874 DEBUG    [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
            Body: {"flavorprofile": {"name": "tempest-lb_admin_flavorprofile1-create-993542616", "provider_name": "octavia", "flavor_data": "{\"loadbalancer_topology\": \"SINGLE\"}"}}
        Response - Headers: {'date': 'Mon, 06 Feb 2023 12:22:23 GMT', 'server': 'Apache', 'content-length': '112', 'x-openstack-request-id': 'req-f927a305-bee5-4a31-9704-e57bed40e976', 'content-type': 'application/json', 'connection': 'close', 'status': '403', 'content-location': 'http://10.0.0.140:9876/v2.0/lbaas/flavorprofiles'}
            Body: b'{"faultcode": "Client", "faultstring": "Policy does not allow this request to be performed.", "debuginfo": null}'
    2023-02-06 12:22:23,186 295874 INFO     [tempest.lib.common.rest_client] Request (FlavorProfileAPITest:test_flavor_profile_create): 403 POST http://10.0.0.140:9876/v2.0/lbaas/flavorprofiles 0.060s
    2023-02-06 12:22:23,187 295874 DEBUG    [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
            Body: {"flavorprofile": {"name": "tempest-lb_admin_flavorprofile1-create-993542616", "provider_name": "octavia", "flavor_data": "{\"loadbalancer_topology\": \"SINGLE\"}"}}
        Response - Headers: {'date': 'Mon, 06 Feb 2023 12:22:23 GMT', 'server': 'Apache', 'content-length': '112', 'x-openstack-request-id': 'req-2851f3c9-234b-4f18-9299-5196920d75f9', 'content-type': 'application/json', 'connection': 'close', 'status': '403', 'content-location': 'http://10.0.0.140:9876/v2.0/lbaas/flavorprofiles'}
            Body: b'{"faultcode": "Client", "faultstring": "Policy does not allow this request to be performed.", "debuginfo": null}'
    2023-02-06 12:22:23,299 295874 INFO     [tempest.lib.common.rest_client] Request (FlavorProfileAPITest:test_flavor_profile_create): 403 POST http://10.0.0.140:9876/v2.0/lbaas/flavorprofiles 0.111s
    2023-02-06 12:22:23,299 295874 DEBUG    [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
            Body: {"flavorprofile": {"name": "tempest-lb_admin_flavorprofile1-create-993542616", "provider_name": "octavia", "flavor_data": "{\"loadbalancer_topology\": \"SINGLE\"}"}}
        Response - Headers: {'date': 'Mon, 06 Feb 2023 12:22:23 GMT', 'server': 'Apache', 'content-length': '112', 'x-openstack-request-id': 'req-7e50debd-00eb-4403-b5ed-84e58b2e3f58', 'content-type': 'application/json', 'connection': 'close', 'status': '403', 'content-location': 'http://10.0.0.140:9876/v2.0/lbaas/flavorprofiles'}
            Body: b'{"faultcode": "Client", "faultstring": "Policy does not allow this request to be performed.", "debuginfo": null}'
    2023-02-06 12:22:23,372 295874 INFO     [tempest.lib.common.rest_client] Request (FlavorProfileAPITest:test_flavor_profile_create): 403 POST http://10.0.0.140:9876/v2.0/lbaas/flavorprofiles 0.072s
    2023-02-06 12:22:23,373 295874 DEBUG    [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
            Body: {"flavorprofile": {"name": "tempest-lb_admin_flavorprofile1-create-993542616", "provider_name": "octavia", "flavor_data": "{\"loadbalancer_topology\": \"SINGLE\"}"}}
        Response - Headers: {'date': 'Mon, 06 Feb 2023 12:22:23 GMT', 'server': 'Apache', 'content-length': '112', 'x-openstack-request-id': 'req-2a03d5dd-7be4-4620-b9b5-d11cab1ebfcc', 'content-type': 'application/json', 'connection': 'close', 'status': '403', 'content-location': 'http://10.0.0.140:9876/v2.0/lbaas/flavorprofiles'}
            Body: b'{"faultcode": "Client", "faultstring": "Policy does not allow this request to be performed.", "debuginfo": null}'
    2023-02-06 12:22:23,483 295874 INFO     [tempest.lib.common.rest_client] Request (FlavorProfileAPITest:test_flavor_profile_create): 403 POST http://10.0.0.140:9876/v2.0/lbaas/flavorprofiles 0.109s
    2023-02-06 12:22:23,483 295874 DEBUG    [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
            Body: {"flavorprofile": {"name": "tempest-lb_admin_flavorprofile1-create-993542616", "provider_name": "octavia", "flavor_data": "{\"loadbalancer_topology\": \"SINGLE\"}"}}
        Response - Headers: {'date': 'Mon, 06 Feb 2023 12:22:23 GMT', 'server': 'Apache', 'content-length': '112', 'x-openstack-request-id': 'req-1a43dbf1-394e-4004-a462-09670a48a3fa', 'content-type': 'application/json', 'connection': 'close', 'status': '403', 'content-location': 'http://10.0.0.140:9876/v2.0/lbaas/flavorprofiles'}
            Body: b'{"faultcode": "Client", "faultstring": "Policy does not allow this request to be performed.", "debuginfo": null}'


After applying the following config options on tempest.conf:
[load_balancer]
enable_security_groups = True
enforce_new_defaults = True
#admin_role = admin
RBAC_test_type = keystone_default_roles
#member_role = member
region = regionOne
enabled_provider_drivers = amphora:The Octavia Amphora driver.,octavia:Deprecated alias of the Octavia Amphora driver.,ovn:Octavia OVN driver.


There are more Octavia tempest tests that fail, but I am assuming that after we fix the tests I mentioned above, the other tests will be fixed too.


Version-Release number of selected component (if applicable):
RHOS-17.1-RHEL-9-20230131.n.2

How reproducible:
100%

Steps to Reproduce:
1. Run the tests mentioned above, either on Jenkins or locally.


Actual results:
The tempest tests fail

Expected results:
The tempest tests should pass
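
For triage of a run like the one reported above, the policy denials can be pulled out of the captured tempest log together with their `x-openstack-request-id` values, which can then be looked up in the Octavia API log. This is an added example, not part of the original report or of the tempest or Octavia code; the sample log is constructed in the format shown above (address and request IDs are placeholders) and `policy_denials` is a hypothetical helper name.

```python
import ast
import json
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the tempest rest_client log format shown in the report.
# The address and the request IDs are placeholders, not values from the bug.
SAMPLE_LOG = """\
2023-02-06 12:22:23,014 1 INFO     [tempest.lib.common.rest_client] Request (FlavorProfileAPITest:test_flavor_profile_create): 403 POST http://192.0.2.10:9876/v2.0/lbaas/flavorprofiles 0.180s
2023-02-06 12:22:23,015 1 DEBUG    [tempest.lib.common.rest_client] Request - Headers: {'X-Auth-Token': '<omitted>'}
        Body: {"flavorprofile": {"name": "example"}}
    Response - Headers: {'status': '403', 'x-openstack-request-id': 'req-constructed-0001'}
        Body: b'{"faultcode": "Client", "faultstring": "Policy does not allow this request to be performed.", "debuginfo": null}'
2023-02-06 12:22:23,110 1 INFO     [tempest.lib.common.rest_client] Request (FlavorProfileAPITest:test_flavor_profile_create): 403 POST http://192.0.2.10:9876/v2.0/lbaas/flavorprofiles 0.094s
    Response - Headers: {'status': '403', 'x-openstack-request-id': 'req-constructed-0002'}
        Body: b'{"faultcode": "Client", "faultstring": "Policy does not allow this request to be performed.", "debuginfo": null}'
2023-02-06 12:22:24,000 1 INFO     [tempest.lib.common.rest_client] Request (FlavorProfileAPITest:test_flavor_profile_list): 200 GET http://192.0.2.10:9876/v2.0/lbaas/flavorprofiles 0.050s
    Response - Headers: {'status': '200', 'x-openstack-request-id': 'req-constructed-0003'}
        Body: b'{"flavorprofiles": []}'
"""

REQ = re.compile(r"Request \((\w+):(\w+)\): (\d{3}) ([A-Z]+) (\S+)")
HDRS = re.compile(r"Response - Headers: (\{.*\})")
BODY = re.compile(r"Body: (b'.*')\s*$")  # response bodies only (bytes repr)

def policy_denials(log_text):
    """Map (test, method, path) -> request IDs of 403s refused by policy."""
    denials = defaultdict(list)
    current = None
    for line in log_text.splitlines():
        if m := REQ.search(line):
            cls, test, status, method, url = m.groups()
            current = {"key": (f"{cls}.{test}", method, urlparse(url).path),
                       "status": status, "req_id": None}
        elif current and (m := HDRS.search(line)):
            headers = ast.literal_eval(m.group(1))
            current["req_id"] = headers.get("x-openstack-request-id")
        elif current and (m := BODY.search(line)):
            try:
                fault = json.loads(ast.literal_eval(m.group(1)))
            except (ValueError, SyntaxError):
                fault = {}  # empty or non-JSON body: not a policy fault
            reason = str(fault.get("faultstring")) if isinstance(fault, dict) else ""
            if current["status"] == "403" and "Policy does not allow" in reason:
                denials[current["key"]].append(current["req_id"])
            current = None  # response consumed; wait for the next request
    return dict(denials)

if __name__ == "__main__":
    for key, ids in policy_denials(SAMPLE_LOG).items():
        print(key, len(ids), ids)
```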

Comment 8 Omer Schwartz 2023-05-03 11:40:20 UTC
D/s unified job ran these tempest tests and the Octavia tempest tests passed. I am moving this BZ status to verified.

https://rhos-ci-jenkins.lab.eng.tlv2.redhat.com/view/Unified/job/DFG-all-unified-17.1_d-rhel-vhost-3cont_2comp-ipv4-vxlan-lvm-srbac/7/testReport/

Comment 18 errata-xmlrpc 2023-08-16 01:13:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.1 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:4577