Log error if we cannot retrieve users

alvarolopez · alvarolopez · commit def0a9173d78 · 2021-10-29T12:40:23.000+02:00
Fixes #89
diff --git a/caso/extract/nova.py b/caso/extract/nova.py
@@ -20,6 +20,7 @@
 
 import dateutil.parser
 import glanceclient.client
+import keystoneauth1.exceptions.http
 import neutronclient.v2_0.client
 import novaclient.client
 import novaclient.exceptions
@@ -115,7 +116,13 @@ def _get_keystone_user(self, uuid):
         try:
             user = self.keystone.users.get(user=uuid)
             return user.name
-        except Exception:
+        except keystoneauth1.exceptions.http.Forbidden as e:
+            LOG.error("Unauthorized to get user")
+            LOG.exception(e)
+            return None
+        except Exception as e:
+            LOG.debug("Exception while getting user")
+            LOG.exception(e)
             return None
 
     def build_record(self, server):
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
@@ -44,26 +44,27 @@ Policy modifications
 The accounting user needs access to Keystone so as to extract the users
 information. In this case, we can can grant the user just the rights for
 listing the users adding the appropriate rules in your policy configuration.
+Depending on your configuration, you need to modify the JSON policy file
+(``/etc/keystone/policy.json``) or the YAML policy file (``/etc/keystone/policy-yaml``).
 The modifications in the policy depend on the Keystone version, please ensure
-that you are applying the correct changes.
-
-Keystone Versions from Ussuri onwards (version >= 17.0.0)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-You need to modify the ``identity:list_users`` policy in either your
-``/etc/keystone/policy.json`` or ``/etc/keystone/policy-yaml``, contaning the
-following policy rules::
-
-    "identity:list_users": "(role:admin) or (role:reader and domain_id:%(target.domain_id)s) or (role:accounting)"
-
-Keystone Versions from until Train (version < 17.0.0)
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-You need to modify the ``identity:list_users`` policy in either your
-``/etc/keystone/policy.json`` or ``/etc/keystone/policy-yaml``, contaning the
-following policy rules::
-
-      "identity:list_users": "rule:admin_required or role:accounting"
+that you are applying the correct changes as listed in the following table.
+
++-------------+------------------------------------------------------------------------------+
+|  OpenStack  |                                Policy contents                               |
+|   Version   |                                                                              |
++=============+==========+===================================================================+
+| From Stein  | Original | ``“identity:get_user”: “(role:reader and system_scope:all) or     |
+| (>= 15.0.0) |          | (role:reader and token.domain.id:%(target.user.domain_id)s) or    |
+|             |          | user_id:%(target.user.id)s”``                                     |
+|             +----------+-------------------------------------------------------------------+
+|             | Modified | ``“identity:get_user”: “(role:reader and system_scope:all) or     |
+|             |          | (role:reader and token.domain.id:%(target.user.domain_id)s) or    |
+|             |          | user_id:%(target.user.id)s or role:accounting”``                  |
++-------------+----------+-------------------------------------------------------------------+
+| Up to Rocky | Original | ``“identity:get_user”: “rule:admin_or_owner”``                    |
+| (<= 14.0.0) +----------+-------------------------------------------------------------------+
+|             | Modified | ``“identity:get_user”: “rule:admin_or_owner or role:accounting”`` |
++-------------+----------+-------------------------------------------------------------------+
 
 Publishing benchmark information for OpenStack flavors (optional)
 -----------------------------------------------------------------
diff --git a/releasenotes/notes/new-ussuri-configuration-03b764a39f461eda.yaml b/releasenotes/notes/new-ussuri-configuration-03b764a39f461eda.yaml
@@ -1,6 +1,16 @@
 ---
+fixes:
+  - | 
+    Fix an issue when getting the usernames, that caused configuration errors
+    to be unnoticed.
 other:
   - |
     Keystone versions from Ussuri onwards (>= 17.0.0) implement a new policy.
     Please check the documentation so as to ensure that you are applying the
     correct changes.
+upgrade:
+  - | 
+    Please ensure that you have the correct configuration in the policy files, 
+    as a new policy rule must be modified. The accounting user does not need to
+    have access to the "identity:list_users" action, but to the "identity:get_user"
+    action instead.
diff --git a/releasenotes/notes/reno.cache b/releasenotes/notes/reno.cache
