VM actions fail (at neutron) with service_token_roles_required=true
Summary
After !3229 (merged) was merged, all services have service_token_roles_required=true set, but nova-compute no longer has access to neutron, so VM actions that involve neutron are failing (including creation and deletion).
Detailed Description
All OpenStack services now have set service_token_roles_required=true at yaook.
Nova-compute pods use an OpenStack user with the role nova-compute.
This role is not listed in service_token_roles at the services that nova-compute talks to, so with service_token_roles_required=true those services reject its service token.
Steps to reproduce the issue
- Update or create a yaook cluster with a version containing !3229 (merged)
- Wait until the neutron API is updated
- Try to create or delete a VM
Result
VM creation fails.
nova-compute logs something like:
Failed to deallocate network for instance. Error: Networking client is experiencing an unauthorized exception
'message': 'Networking client is experiencing an unauthorized exception.', 'class': 'NeutronAdminCredentialConfigurationInvalid
Expected Result
VM creation and deletion works
Additional Information
Most services have the role admin assigned, so they have no issue for now.
Docs about service token at cinder: https://docs.openstack.org/cinder/latest/configuration/block-storage/service-token.html#receive-service-token
neutron example conf (search for service_token_roles): https://docs.openstack.org/neutron/latest/configuration/samples/neutron.html
Resolution
- Manually set service_token_roles to [admin,nova-compute] in neutron.conf, OR
- set service_token_roles_required=false
Proposal
- Add the role nova-compute to the setting service_token_roles in neutron.conf
Specification
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this issue are to be interpreted in the spirit of RFC 2119, even though we're not technically doing protocol design.
- The roles assigned to OpenStack services MUST be included in service_token_roles of the services used/talked to by the specific services
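To make the rule above checkable, here is an added example (not code from yaook or from this issue) that parses the [keystone_authtoken] section of a neutron.conf, reports which caller roles are missing from service_token_roles when service_token_roles_required is enabled, and computes the corrected value. The neutron.conf fragment is constructed for the example and only contains the two relevant options; the SERVICE_CALLERS mapping (which service roles call which service) is an assumption that only encodes the nova-compute to neutron dependency from this issue, not yaook's real service topology; the fallback default of "service" for service_token_roles follows the keystonemiddleware documentation.

```python
import configparser
from typing import Dict, List, Set, Tuple

# Constructed neutron.conf fragment (not from the yaook repo): the state after
# service_token_roles_required was switched on with only the admin role listed.
NEUTRON_CONF_BEFORE = """
[keystone_authtoken]
service_token_roles_required = true
service_token_roles = admin
"""

# Assumed mapping: callee service -> roles of the services that send it
# service tokens. Only the dependency from this issue is encoded here.
SERVICE_CALLERS: Dict[str, List[str]] = {
    "neutron": ["nova-compute"],
}


def parse_service_token_settings(conf_text: str) -> Tuple[bool, Set[str]]:
    """Return (service_token_roles_required, set of service_token_roles)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    required = cp.getboolean(
        "keystone_authtoken", "service_token_roles_required", fallback=False
    )
    # keystonemiddleware's documented default for service_token_roles is "service".
    raw = cp.get("keystone_authtoken", "service_token_roles", fallback="service")
    roles = {r.strip() for r in raw.split(",") if r.strip()}
    return required, roles


def missing_service_token_roles(service: str, conf_text: str) -> Set[str]:
    """Caller roles that the given service would reject with this config."""
    required, roles = parse_service_token_settings(conf_text)
    if not required:
        # Role check is not enforced, so no service token is rejected for this reason.
        return set()
    callers = set(SERVICE_CALLERS.get(service, []))
    return callers - roles


def fixed_service_token_roles(service: str, conf_text: str) -> str:
    """Value for service_token_roles that keeps the existing roles and adds the callers."""
    _, roles = parse_service_token_settings(conf_text)
    return ",".join(sorted(roles | set(SERVICE_CALLERS.get(service, []))))


if __name__ == "__main__":
    missing = missing_service_token_roles("neutron", NEUTRON_CONF_BEFORE)
    print("roles neutron would reject:", sorted(missing))
    print("service_token_roles should be:", fixed_service_token_roles("neutron", NEUTRON_CONF_BEFORE))
```

Running the check on the constructed fragment reports nova-compute as missing and proposes admin,nova-compute, which is the resolution this issue describes; running it on a config with service_token_roles_required=false reports nothing, which matches the workaround but silently drops the role enforcement rather than fixing it.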