OpenStack Dashboard Charm

Policy Overrides Do Not Update Automatically

Bug #2037467 reported by Jake Nabasny

This bug report was marked for expiration 350 days ago. (find out why)

8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Dashboard Charm
Incomplete
Undecided
Unassigned

Bug Description

== ENVIRONMENT ==
OS: Ubuntu Focal and Jammy
Openstack: Ussuri and Yoga
Charm revision: 585 and 597

== ISSUE ==
The first time adding a policy override file and enabling policy overrides, they get applied as expected. But if you upload another policy override zip file, you need to make a charm configuration change, like disabling and re-enabling policy overrides, in order for the new policies to be loaded.

== EXPECTED OUTCOME ==
New policy overrides are applied at the time when the override file is attached to the charm.

== STEPS TO REPRODUCE ==
On a fresh deployment:

1. mkdir compute && echo '"os_compute_api:os-extended-server-attributes": "rule:admin_or_owner"' > compute/attribute-override.yaml
2. zip -r nova-override.zip compute
3. juju attach-resource keystone policyd-override=nova-override.zip
4. juju config openstack-dashboard use-policyd-override=true

# Policies applied as expected, then adding another policy:

5. mkdir identity && echo '"admin_required": "role:Admin or role:cloudadmin"' > identity/admin-override.yaml
6. zip -r keystone-override.zip identity
7. juju attach-resource keystone policyd-override=keystone-override.zip

# Charm goes into maintenance mode and regenerates endpoint configs, but the change does not take effect.

8. juju config openstack-dashboard use-policyd-override=false
9. juju config openstack-dashboard use-policyd-override=true

# Now the newly added policy gets applied.

== OTHER NOTES ==
After step 7, there is no directory for /etc/openstack-dashboard/policy.d/keystone_policy.d/. It does not get generated until the workaround is applied with steps 8 and 9.

Revision history for this message
Alex Kavanagh (ajkavanagh) wrote :

I'm a little confused about the report, specifically:

> 2. zip -r nova-override.zip compute
> 3. juju attach-resource keystone policyd-override=nova-override.zip
> 4. juju config openstack-dashboard use-policyd-override=true

This looks like the policy override is being applied to the keystone application, but the config option to activate it is on the openstack-dashboard? Unless this is a typo, then that's not going to do anything to either charm.

Also.

> 7. juju attach-resource keystone policyd-override=keystone-override.zip

Is this a typo? It's just the policy override is being applied to keystone here, so the openstack-dashboard charm wouldn't be involved?

Please could you clarify?

Thanks.

Changed in charm-openstack-dashboard:
status: New → Incomplete
Revision history for this message
Marcin Wilk (wilkmarcin) wrote :

Hi Alex,
Regarding:
> 7. juju attach-resource keystone policyd-override=keystone-override.zip

I think it should read to:
juju attach-resource openstack-dashboard policyd-override=keystone-override.zip

I am able to recreate the problem on my Focal/Ussuri deployment. openstack-dashboard charm ussuri/stable rev. 585.

I have used the charm's documentation (especially the policy override process) [1]
https://opendev.org/openstack/charm-openstack-dashboard#policy-overrides

Kind regards,
Marcin

Revision history for this message
Alex Kavanagh (ajkavanagh) wrote :

Okay, revisiting this. Based on the instructions, edited to only use the dashboard charm, I think this is what you are saying:

== STEPS TO REPRODUCE ==
On a fresh deployment, on the openstack-dashboard charm ONLY.

1. mkdir compute && echo '"os_compute_api:os-extended-server-attributes": "rule:admin_or_owner"' > compute/attribute-override.yaml
2. zip -r nova-override.zip compute
3. juju attach-resource openstack-dashboard policyd-override=nova-override.zip
4. juju config openstack-dashboard use-policyd-override=true

# Policies applied as expected, then adding another policy:

5. mkdir identity && echo '"admin_required": "role:Admin or role:cloudadmin"' > identity/admin-override.yaml
6. zip -r keystone-override.zip identity
7. juju attach-resource openstack-dashboard policyd-override=keystone-override.zip

i.e. at the end the local directories are:

/compute/
   attribute-override.yaml
 identity/
    admin-override.yaml

and the two zip files contain a *single* .yaml each:

- nova-override.zip (which contains compute/*) == compute/attribute-override.yaml
- keystone-override.zip (which contains identity/*) == identity/keystone-override.yaml

If this *is* the case, then keystone-override.zip when added as a resource is removing the compute/attribute-override.yaml. This may be intentional on your part, but I just wanted to clarify the operation.

Also, please could you edit the bug to clarify the operations on the charm so that it does reflect your usage. Thanks.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.