cASO 4.x cannot be run by non-admins #124

Closed
enolfc opened this issue Jul 28, 2023 · 0 comments · May be fixed by #137
enolfc commented Jul 28, 2023

Description

When trying to run cASO with a non-privileged account, it fails with a Keystone exception.

Steps to Reproduce

  1. Configure authentication with a user that is just a member of projects that need to be accounted
  2. Run cASO
  3. 💥
    2023-07-28 11:47:39.560 1714 CRITICAL caso [-] Unhandled error: keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the requested action: identity:list_projects. (HTTP 403) (Request-ID: req-7c73189a-b89f-4495-8cdc-d91156c922a5)
    2023-07-28 11:47:39.560 1714 ERROR caso Traceback (most recent call last):
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneclient/base.py", line 448, in list
    2023-07-28 11:47:39.560 1714 ERROR caso     list_resp = self._list(url_query, self.collection_key)
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneclient/base.py", line 141, in _list
    2023-07-28 11:47:39.560 1714 ERROR caso     resp, body = self.client.get(url, **kwargs)
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/adapter.py", line 395, in get
    2023-07-28 11:47:39.560 1714 ERROR caso     return self.request(url, 'GET', **kwargs)
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/adapter.py", line 554, in request
    2023-07-28 11:47:39.560 1714 ERROR caso     resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/adapter.py", line 257, in request
    2023-07-28 11:47:39.560 1714 ERROR caso     return self.session.request(url, method, **kwargs)
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/session.py", line 811, in request
    2023-07-28 11:47:39.560 1714 ERROR caso     base_url = self.get_endpoint(auth, allow=allow,
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/session.py", line 1243, in get_endpoint
    2023-07-28 11:47:39.560 1714 ERROR caso     return auth.get_endpoint(self, **kwargs)
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/identity/base.py", line 375, in get_endpoint
    2023-07-28 11:47:39.560 1714 ERROR caso     endpoint_data = self.get_endpoint_data(
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/identity/base.py", line 275, in get_endpoint_data
    2023-07-28 11:47:39.560 1714 ERROR caso     endpoint_data = service_catalog.endpoint_data_for(
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/access/service_catalog.py", line 425, in endpoint_data_for
    2023-07-28 11:47:39.560 1714 ERROR caso     raise exceptions.EmptyCatalog('The service catalog is empty.')
    2023-07-28 11:47:39.560 1714 ERROR caso keystoneauth1.exceptions.catalog.EmptyCatalog: The service catalog is empty.
    2023-07-28 11:47:39.560 1714 ERROR caso
    2023-07-28 11:47:39.560 1714 ERROR caso During handling of the above exception, another exception occurred:
    2023-07-28 11:47:39.560 1714 ERROR caso
    2023-07-28 11:47:39.560 1714 ERROR caso Traceback (most recent call last):
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/bin/caso-extract", line 10, in <module>
    2023-07-28 11:47:39.560 1714 ERROR caso     sys.exit(main())
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/src/github.com/IFCA/caso/caso/_cmd/extract.py", line 33, in main
    2023-07-28 11:47:39.560 1714 ERROR caso     manager.run()
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/src/github.com/IFCA/caso/caso/manager.py", line 123, in run
    2023-07-28 11:47:39.560 1714 ERROR caso     return synchronized()
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/oslo_concurrency/lockutils.py", line 414, in inner
    2023-07-28 11:47:39.560 1714 ERROR caso     return f(*args, **kwargs)
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/src/github.com/IFCA/caso/caso/manager.py", line 119, in synchronized
    2023-07-28 11:47:39.560 1714 ERROR caso     records = self.extractor_manager.get_records()
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/src/github.com/IFCA/caso/caso/extract/manager.py", line 249, in get_records
    2023-07-28 11:47:39.560 1714 ERROR caso     for project in self.projects:
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/src/github.com/IFCA/caso/caso/extract/manager.py", line 122, in projects
    2023-07-28 11:47:39.560 1714 ERROR caso     aux = [i.id for i in self.keystone.projects.list(tags=CONF.caso_tag)]
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneclient/v3/projects.py", line 137, in list
    2023-07-28 11:47:39.560 1714 ERROR caso     projects = super(ProjectManager, self).list(
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneclient/base.py", line 86, in func
    2023-07-28 11:47:39.560 1714 ERROR caso     return f(*args, **new_kwargs)
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneclient/base.py", line 453, in list
    2023-07-28 11:47:39.560 1714 ERROR caso     list_resp = self._list(url_query, self.collection_key,
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneclient/base.py", line 141, in _list
    2023-07-28 11:47:39.560 1714 ERROR caso     resp, body = self.client.get(url, **kwargs)
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/adapter.py", line 395, in get
    2023-07-28 11:47:39.560 1714 ERROR caso     return self.request(url, 'GET', **kwargs)
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/adapter.py", line 554, in request
    2023-07-28 11:47:39.560 1714 ERROR caso     resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/adapter.py", line 257, in request
    2023-07-28 11:47:39.560 1714 ERROR caso     return self.session.request(url, method, **kwargs)
    2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/session.py", line 986, in request
    2023-07-28 11:47:39.560 1714 ERROR caso     raise exceptions.from_response(resp, method, url)
    2023-07-28 11:47:39.560 1714 ERROR caso keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the requested action: identity:list_projects. (HTTP 403) (Request-ID: req-7c73189a-b89f-4495-8cdc-d91156c922a5)
    2023-07-28 11:47:39.560 1714 ERROR caso
    

Expected behavior:

cASO still runs even if it cannot auto-discover projects

Actual behavior

See log above

Versions

4.2.0

alvarolopez mentioned this issue Sep 28, 2023
alvarolopez pushed a commit that referenced this issue Sep 27, 2024
Avoid issues when running cASO with a low-privilege account that cannot
list all projects, and scope the tokens to the projects that are to be
accounted. This allows running cASO and generating records for non-admin
users.

Closes #124
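
The expected behaviour from the report, as an added example that is not taken from cASO or from the commit above: tag-based discovery is attempted, and a 403 on `identity:list_projects` falls back to an operator-supplied project list instead of aborting. `resolve_projects`, `configured` and the `FakeKeystone` test doubles are hypothetical names; only `Forbidden` and `projects.list(tags=...)` come from the traceback.

```python
import logging

try:  # exception class named in the traceback
    from keystoneauth1.exceptions.http import Forbidden
except ImportError:  # stand-in so the example runs without keystoneauth1
    class Forbidden(Exception):
        pass

LOG = logging.getLogger("caso-example")


def resolve_projects(keystone, configured, tag):
    """Return project IDs to account, tolerating a denied tag lookup."""
    projects = list(dict.fromkeys(configured))  # de-duplicate, keep order
    try:
        discovered = [p.id for p in keystone.projects.list(tags=tag)]
    except Forbidden as exc:
        # Only the 403 is tolerated; a 401 or a connection failure still
        # propagates, so bad credentials are not silently ignored.
        LOG.warning("Project discovery denied, using configured list: %s", exc)
        discovered = []
    projects += [p for p in discovered if p not in projects]
    if not projects:
        # Fail loudly rather than publish an empty accounting run.
        raise RuntimeError("no projects configured and discovery unavailable")
    return projects


# Constructed test doubles, not real keystoneclient objects.
class _Project:
    def __init__(self, project_id):
        self.id = project_id


class _Projects:
    def __init__(self, ids=None):
        self._ids = ids

    def list(self, tags=None):
        if self._ids is None:  # simulate the non-admin account
            raise Forbidden("identity:list_projects")
        return [_Project(i) for i in self._ids]


class FakeKeystone:
    def __init__(self, ids=None):
        self.projects = _Projects(ids)
```
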