Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

cASO 4.x cannot be run by non-admins #124

Closed
enolfc opened this issue Jul 28, 2023 · 0 comments · Fixed by #137
Closed

cASO 4.x cannot be run by non-admins #124

enolfc opened this issue Jul 28, 2023 · 0 comments · Fixed by #137
Labels
bug

Comments

@enolfc
Copy link

enolfc commented Jul 28, 2023

Description

When trying to run cASO with a non-privileged account, it fails with Keystone exception

Steps to Reproduce

  1. Configure authentication with a user that is just a member of projects that need to be accounted
  2. Run cASO
  3. 💥 
    2023-07-28 11:47:39.560 1714 CRITICAL caso [-] Unhandled error: keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the requested action: identity:list_projects. (HTTP 403) (Request-ID: req-7c73189a-b89f-4495-8cdc-d91156c922a5)
2023-07-28 11:47:39.560 1714 ERROR caso Traceback (most recent call last):
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneclient/base.py", line 448, in list
2023-07-28 11:47:39.560 1714 ERROR caso     list_resp = self._list(url_query, self.collection_key)
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneclient/base.py", line 141, in _list
2023-07-28 11:47:39.560 1714 ERROR caso     resp, body = self.client.get(url, **kwargs)
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/adapter.py", line 395, in get
2023-07-28 11:47:39.560 1714 ERROR caso     return self.request(url, 'GET', **kwargs)
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/adapter.py", line 554, in request
2023-07-28 11:47:39.560 1714 ERROR caso     resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/adapter.py", line 257, in request
2023-07-28 11:47:39.560 1714 ERROR caso     return self.session.request(url, method, **kwargs)
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/session.py", line 811, in request
2023-07-28 11:47:39.560 1714 ERROR caso     base_url = self.get_endpoint(auth, allow=allow,
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/session.py", line 1243, in get_endpoint
2023-07-28 11:47:39.560 1714 ERROR caso     return auth.get_endpoint(self, **kwargs)
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/identity/base.py", line 375, in get_endpoint
2023-07-28 11:47:39.560 1714 ERROR caso     endpoint_data = self.get_endpoint_data(
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/identity/base.py", line 275, in get_endpoint_data
2023-07-28 11:47:39.560 1714 ERROR caso     endpoint_data = service_catalog.endpoint_data_for(
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/access/service_catalog.py", line 425, in endpoint_data_for
2023-07-28 11:47:39.560 1714 ERROR caso     raise exceptions.EmptyCatalog('The service catalog is empty.')
2023-07-28 11:47:39.560 1714 ERROR caso keystoneauth1.exceptions.catalog.EmptyCatalog: The service catalog is empty.
2023-07-28 11:47:39.560 1714 ERROR caso
2023-07-28 11:47:39.560 1714 ERROR caso During handling of the above exception, another exception occurred:
2023-07-28 11:47:39.560 1714 ERROR caso
2023-07-28 11:47:39.560 1714 ERROR caso Traceback (most recent call last):
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/bin/caso-extract", line 10, in <module>
2023-07-28 11:47:39.560 1714 ERROR caso     sys.exit(main())
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/src/github.com/IFCA/caso/caso/_cmd/extract.py", line 33, in main
2023-07-28 11:47:39.560 1714 ERROR caso     manager.run()
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/src/github.com/IFCA/caso/caso/manager.py", line 123, in run
2023-07-28 11:47:39.560 1714 ERROR caso     return synchronized()
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/oslo_concurrency/lockutils.py", line 414, in inner
2023-07-28 11:47:39.560 1714 ERROR caso     return f(*args, **kwargs)
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/src/github.com/IFCA/caso/caso/manager.py", line 119, in synchronized
2023-07-28 11:47:39.560 1714 ERROR caso     records = self.extractor_manager.get_records()
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/src/github.com/IFCA/caso/caso/extract/manager.py", line 249, in get_records
2023-07-28 11:47:39.560 1714 ERROR caso     for project in self.projects:
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/src/github.com/IFCA/caso/caso/extract/manager.py", line 122, in projects
2023-07-28 11:47:39.560 1714 ERROR caso     aux = [i.id for i in self.keystone.projects.list(tags=CONF.caso_tag)]
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneclient/v3/projects.py", line 137, in list
2023-07-28 11:47:39.560 1714 ERROR caso     projects = super(ProjectManager, self).list(
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneclient/base.py", line 86, in func
2023-07-28 11:47:39.560 1714 ERROR caso     return f(*args, **new_kwargs)
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneclient/base.py", line 453, in list
2023-07-28 11:47:39.560 1714 ERROR caso     list_resp = self._list(url_query, self.collection_key,
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneclient/base.py", line 141, in _list
2023-07-28 11:47:39.560 1714 ERROR caso     resp, body = self.client.get(url, **kwargs)
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/adapter.py", line 395, in get
2023-07-28 11:47:39.560 1714 ERROR caso     return self.request(url, 'GET', **kwargs)
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/adapter.py", line 554, in request
2023-07-28 11:47:39.560 1714 ERROR caso     resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/adapter.py", line 257, in request
2023-07-28 11:47:39.560 1714 ERROR caso     return self.session.request(url, method, **kwargs)
2023-07-28 11:47:39.560 1714 ERROR caso   File "/Users/enol/.virtualenvs/caso/lib/python3.10/site-packages/keystoneauth1/session.py", line 986, in request
2023-07-28 11:47:39.560 1714 ERROR caso     raise exceptions.from_response(resp, method, url)
2023-07-28 11:47:39.560 1714 ERROR caso keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the requested action: identity:list_projects. (HTTP 403) (Request-ID: req-7c73189a-b89f-4495-8cdc-d91156c922a5)
2023-07-28 11:47:39.560 1714 ERROR caso

Expected behavior:

cASO still runs even if it cannot auto-discover projects

Actual behavior

See log above

Versions

4.2.0
@enolfc enolfc mentioned this issue Jul 28, 2023
Closed
9 tasks
@alvarolopez alvarolopez mentioned this issue Sep 28, 2023
Closed
9 tasks
alvarolopez pushed a commit that referenced this issue Sep 27, 2024
@enolfc @alvarolopez
fix: do not assume admin privileges on keystone
87c78f4 
Avoid issues when running cASO with a low privileges account that cannot
list all projects and scope the tokens to the projects that are to be
accounted. This allows to run cASO and generate records for non-admin
users.

Closes #124
alvarolopez pushed a commit that referenced this issue Sep 27, 2024
@enolfc @alvarolopez
fix: do not assume admin privileges on keystone
0aba824 
Avoid issues when running cASO with a low privileges account that cannot
list all projects and scope the tokens to the projects that are to be
accounted. This allows to run cASO and generate records for non-admin
users.

Closes #124
@alvarolopez alvarolopez mentioned this issue Sep 27, 2024
Merged
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
2 participants
@alvarolopez @enolfc