Bug 2219603 - Missing Designate sRBAC overrides in TripleO when enabling secure RBAC
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 17.1 (Wallaby)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: z1
Target Release: 17.1
Assignee: Nate Johnston
QA Contact: Lilach Avraham
Blocks: 2124618
Reported: 2023-07-04 14:11 UTC by Lilach Avraham
Modified: 2023-09-20 00:30 UTC

Fixed In Version: openstack-tripleo-heat-templates-14.3.1-1.20230519151021.el9ost
Doc Type: Known Issue
Doc Text:
In RHOSP 17.1 GA, the DNS service (designate) is misconfigured when secure role-based access control (sRBAC) is enabled. The current sRBAC policies contain incorrect rules for designate and must be corrected for designate to function correctly. A possible workaround is to apply the following patch on the undercloud server and redeploy the overcloud: https://review.opendev.org/c/openstack/tripleo-heat-templates/+/888159
Last Closed: 2023-09-20 00:29:44 UTC

Links
System | ID | Private | Priority | Status | Summary | Last Updated
OpenStack gerrit | 888159 | 0 | None | MERGED | Fix designate sRBAC overrides | 2023-08-03 17:20:42 UTC
RDO | 49219 | 0 | None | None | None | 2023-07-11 14:49:50 UTC
Red Hat Issue Tracker | OSP-26302 | 0 | None | None | None | 2023-07-04 14:17:49 UTC
Red Hat Product Errata | RHBA-2023:5138 | 0 | None | None | None | 2023-09-20 00:30:15 UTC

Description Lilach Avraham 2023-07-04 14:11:13 UTC
I've run the Designate SRBAC job [1] with the configuration we've used to run the RBAC test [2].

We have 14 tests that still fail [3], and most of them get this traceback.

Traceback (most recent call last):
  File "/home/stack/plugins/designate-tempest-plugin/designate_tempest_plugin/tests/api/v2/test_recordset.py", line 509, in test_admin_list_all_recordsets_for_a_project
    item['id'] for item in self.admin_client.list_recordset(
  File "/home/stack/plugins/designate-tempest-plugin/designate_tempest_plugin/services/dns/json/base.py", line 39, in wrapper
    return f(*args, **kwargs)
  File "/home/stack/plugins/designate-tempest-plugin/designate_tempest_plugin/services/dns/v2/json/recordset_client.py", line 150, in list_recordset
    return self._list_request(
  File "/home/stack/plugins/designate-tempest-plugin/designate_tempest_plugin/services/dns/json/base.py", line 187, in _list_request
    resp, body = self.get(uri, headers=headers)
  File "/home/stack/.virtualenvs/.tempest/lib64/python3.9/site-packages/tempest/lib/common/rest_client.py", line 322, in get
    return self.request('GET', url, extra_headers, headers,
  File "/home/stack/.virtualenvs/.tempest/lib64/python3.9/site-packages/tempest/lib/common/rest_client.py", line 742, in request
    self._error_checker(resp, resp_body)
  File "/home/stack/.virtualenvs/.tempest/lib64/python3.9/site-packages/tempest/lib/common/rest_client.py", line 847, in _error_checker
    raise exceptions.Forbidden(resp_body, resp=resp)
tempest.lib.exceptions.Forbidden: Forbidden
Details: {'code': 403, 'type': 'forbidden', 'request_id': 'req-a5977a6a-2324-410b-beb4-23c86269fa26'}


[1]- https://rhos-ci-staging-jenkins.lab.eng.tlv2.redhat.com/view/DFG/view/network/view/openstack-designate/job/DFG-network-openstack-designate-17.1_director-rhel-virthost-3cont_2comp-ipv4-geneve-srbac/32/
[2]- http://rhos-ci-logs.lab.eng.tlv2.redhat.com/logs/staging/DFG-network-openstack-designate-17.1_director-rhel-virthost-3cont_2comp-ipv4-geneve-srbac/32/undercloud-0/home/stack/tempest-dir/etc/tempest.conf.gz
[3]- http://rhos-ci-logs.lab.eng.tlv2.redhat.com/logs/staging/DFG-network-openstack-designate-17.1_director-rhel-virthost-3cont_2comp-ipv4-geneve-srbac/32/test_results/tempest-results-designate.1.html

Comment 16 Greg Rakauskas 2023-08-29 21:03:18 UTC
Hi Brent,

Thanks for doing this. I've corrected a few nits in the new Doc Text.

I will yank BZ 2214328 from the RHOSP 17.1.0 Release Notes, and replace that BZ
with BZ 2219603 and its Doc Text.

Thanks,
--Greg

Comment 22 errata-xmlrpc 2023-09-20 00:29:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.1.1 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:5138

