Comment 2 for bug 1843175

Francois Scheurer (scheuref) wrote :

Dear All

Same problem here...
Running OpenStack Rocky with Mistral 7.0.1.1

- creating and executing the workflow works.

- creating the cron trigger works and we can verify that the trust gets created with:
    openstack trust list

- but the execution of cron trigger fails on identity:validate_token.

The last messages from the keystone debug log are (with some UIDs replaced with text):

2019-09-05 09:38:00.902 29 DEBUG keystone.policy.backends.rules [req-1a276b9d-8276-4ec3-b516-f51f86cd1df6 fsc fscproject - testdom testdom]
            enforce identity:validate_token:
            {
               'service_project_id':None,
               'service_user_id':None,
               'service_user_domain_id':None,
               'service_project_domain_id':None,
               'trustor_id':None,
               'user_domain_id':u'testdom',
               'domain_id':None,
               'trust_id':u'mytrustid',
               'project_domain_id':u'testdom',
               'service_roles':[],
               'group_ids':[],
               'user_id':u'fsc',
               'roles':[
                  u'_member_',
                  u'creator',
                  u'reader',
                  u'heat_stack_owner',
                  u'member',
                  u'load-balancer_member'],
               'system_scope':None,
               'trustee_id':None,
               'domain_name':None,
               'is_admin_project':True,
               'token':<TokenModel (audit_id=0LAsW_0dQMWXh2cTZTLcWA, audit_chain_id=[u'0LAsW_0dQMWXh2cTZTLcWA']) at 0x7f208f4a3bd0>,
               'project_id':u'fscproject'
            } enforce /var/lib/kolla/venv/local/lib/python2.7/site-packages/keystone/policy/backends/rules.py:33
2019-09-05 09:38:00.920 29 WARNING keystone.common.wsgi [req-1a276b9d-8276-4ec3-b516-f51f86cd1df6 fsc fscproject - testdom testdom]
            You are not authorized to perform the requested action: identity:validate_token.: ForbiddenAction: You are not authorized to perform the requested action: identity:validate_token.

The problem does not arise when the role service or admin is added to the user.

Cheers
Francois Scheurer