)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"92ccd3cf451df4226bc7e147ba1cb959bf4c9ed6","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"4a873bb5_7650a6cc","updated":"2024-08-15 18:48:46.000000000","message":"From neutron side it might not be any issue as it does not change any setting in neutron but designate enable the new RBAC with the depends-on which was disable before.\n\nFrom log[1] I can see neturon calling designate create_record_set\n\n- https://zuul.opendev.org/t/openstack/build/7a18c093d50242ebbea666d92c671945/log/controller/logs/screen-q-svc.txt#7132\n\nand fail on Forbidden. It means designate did not allow existing neutron token to pass the new RBAC.\n\n[1]\nhttps://zuul.opendev.org/t/openstack/build/7a18c093d50242ebbea666d92c671945/log/controller/logs/screen-q-svc.txt#7054","commit_id":"d06a53b4e539834836cdabec8cff8f1b390c40d9"},{"author":{"_account_id":8313,"name":"Lajos Katona","display_name":"lajoskatona","email":"katonalala@gmail.com","username":"elajkat","status":"Ericsson Software Technology"},"change_message_id":"61872616982ff3701c25150c1b0402dcabdfca5e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"6ed7686b_cdc681ba","updated":"2024-08-13 09:36:40.000000000","message":"neutron-tempest-plugin-designate-scenario failure seems related (see q-svc log)","commit_id":"d06a53b4e539834836cdabec8cff8f1b390c40d9"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"e1363242eb4a3985610c308c2d9c445e58ecadd4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"f510ac82_e279b65d","updated":"2024-08-15 16:50:22.000000000","message":"recheck see if designate scenario still fails\n\nLajos, I would agree the \"designateclient.exceptions.Forbidden: forbidden\" seems related, I\u0027m only doing a recheck to see if something has changed since this was first proposed.","commit_id":"d06a53b4e539834836cdabec8cff8f1b390c40d9"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"95531c6179185b036e3ccd0aaccc6fa69ef9be46","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"3b2eb781_6e47c470","in_reply_to":"0363322e_8ee3fcde","updated":"2024-08-16 18:19:08.000000000","message":"it is not create recordset which return 403, its GET zone from designate who return 403\n\n- https://zuul.opendev.org/t/openstack/build/7a18c093d50242ebbea666d92c671945/log/controller/logs/screen-q-svc.txt#7669\n\ncomparing the old and new policy, both allow admin to access it but owner will not work as it needs to be project_member or project_reader (with project id)\n\nOld policy - https://github.com/openstack/designate/blob/50f686fcffd007506e0cd88788a668d4f57febc3/designate/common/policies/zone.py#L40\n\nNew policy - https://github.com/openstack/designate/blob/50f686fcffd007506e0cd88788a668d4f57febc3/designate/common/policies/zone.py#L134","commit_id":"d06a53b4e539834836cdabec8cff8f1b390c40d9"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"27b95e5e2da471a642d0c59bc1a285265e41649b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"b7b74c7a_b76d8f3f","in_reply_to":"3b2eb781_6e47c470","updated":"2024-08-16 20:30:08.000000000","message":"Thanks for getting this far Gmann. So from that comment I\u0027m guessing there is a bug in neutron-tempest-plugin regarding using the correct role for this test?","commit_id":"d06a53b4e539834836cdabec8cff8f1b390c40d9"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"de95a876cbe869cef8bee824efba4f918c9f90c7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"0363322e_8ee3fcde","in_reply_to":"4a873bb5_7650a6cc","updated":"2024-08-15 18:52:42.000000000","message":"we fixed the system scope things in designate which merged before this and job should pick that fix but still maybe we can try to test with that as depends-on https://review.opendev.org/c/openstack/designate/+/925623 ?","commit_id":"d06a53b4e539834836cdabec8cff8f1b390c40d9"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"14e28293ee3e310c67677b38c3f18cf114674fa7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"bda78041_942cdde6","in_reply_to":"937a4ca5_c8a39cfd","updated":"2024-08-22 17:52:43.000000000","message":"What I see from the log is that the admin itself is getting the error. if you see the below log its designate_admin is getting an error while creating the recordset in the designate\n\nAug 09 19:08:30.539307 np0038166723 neutron-server[86674]: ERROR neutron_lib.callbacks.manager     designate_admin.recordsets.create(in_addr_zone_name,\n- https://zuul.opendev.org/t/openstack/build/7a18c093d50242ebbea666d92c671945/log/controller/logs/screen-q-svc.txt#7665\n\n- https://github.com/openstack/neutron/blob/b847d89ac1f922362945ad610c9787bc28f37457/neutron/services/externaldns/drivers/designate/driver.py#L92\n\nwhich is caused by the GET Zone returning 403 in designateclient\n\n- https://zuul.opendev.org/t/openstack/build/7a18c093d50242ebbea666d92c671945/log/controller/logs/screen-q-svc.txt#7674\n\nI compared the designate Zone RBAC default if any change in that causing it:\n\nOld policy: admin or owner\nNew policy: admin or project reader\n- https://github.com/openstack/designate/blob/50f686fcffd007506e0cd88788a668d4f57febc3/designate/common/policies/zone.py\n\nOnly difference in policy is if it is not admin then it check role also member and reader needs only have access. But here neutron try to access with admin role only.","commit_id":"d06a53b4e539834836cdabec8cff8f1b390c40d9"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c42ecb3aedec3db092f2eb76d21d85ed44fd9990","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"cab2fcc5_0016a996","in_reply_to":"b7b74c7a_b76d8f3f","updated":"2024-08-21 04:46:57.000000000","message":"I am not sure if there is issue in test but I will check that tomorrow.","commit_id":"d06a53b4e539834836cdabec8cff8f1b390c40d9"},{"author":{"_account_id":11975,"name":"Slawek Kaplonski","email":"skaplons@redhat.com","username":"slaweq"},"change_message_id":"932b3104268889ea40a19c6a6367b0f586c6f045","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"937a4ca5_c8a39cfd","in_reply_to":"b7b74c7a_b76d8f3f","updated":"2024-08-22 12:51:35.000000000","message":"I think this may be bug in Neutron and what token we are using to send requests to designate. Probably we need to use Admin user for that now but I will need to check it.\n\nI will check it next week and will open bug for that if this is how I suppose it is.","commit_id":"d06a53b4e539834836cdabec8cff8f1b390c40d9"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"c727e49d63c0c65ee54504d17c9bdaddc360e715","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"8817e1fe_9b858fc8","in_reply_to":"bda78041_942cdde6","updated":"2024-08-23 18:56:42.000000000","message":"I pushed the debugging patch and it seems no admin client is able to create the recordset - https://zuul.opendev.org/t/openstack/build/25be97774e3a4d72a39eb6b2d2bed4a0/log/controller/logs/screen-q-svc.txt#7576\n\nI think admin client is not able to see the zone from other projects. I can see \u0027all_projects\u0027: False in admin client request\n\n- https://zuul.opendev.org/t/openstack/build/25be97774e3a4d72a39eb6b2d2bed4a0/log/controller/logs/screen-q-svc.txt#7716","commit_id":"d06a53b4e539834836cdabec8cff8f1b390c40d9"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"a4a36de1336fc1de66c6f41627b4c0b7b387a5c2","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"c1e08bfa_809f7adb","updated":"2024-08-15 22:28:17.000000000","message":"Seems to have the same 11 failures 😞","commit_id":"6db1f7f682e398c4f8051f1908c8e9014e4c5bd5"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"d161bb49968a1932d13c6ae4b8e840e9a9b4a0ec","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"c25e1427_3cd1b058","updated":"2024-08-15 21:41:53.000000000","message":"The designate scenario job is still failing 11 tests. What\u0027s strange is the designate gate seems to run the same job, so I\u0027m not sure if it\u0027s a configuration issue between the two. I do see some 403 responses in the designate-api log, but there\u0027s no extra data there, and I don\u0027t see those in jobs in the designate gate, for example, https://review.opendev.org/c/openstack/designate/+/925623\n\nNot sure exactly where to look for next steps.","commit_id":"6db1f7f682e398c4f8051f1908c8e9014e4c5bd5"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"d41cfccc9475088f653b2352f6a467ad5c54d007","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"e475a62b_27683a98","in_reply_to":"c1e08bfa_809f7adb","updated":"2024-08-16 02:04:32.000000000","message":"I am fixing the designate-tempest-plugin tests in this https://review.opendev.org/c/openstack/designate-tempest-plugin/+/926455\n\nthat will show if any issue on designate side policy or some tests we need to fix in neutron-tempest-plugin also","commit_id":"6db1f7f682e398c4f8051f1908c8e9014e4c5bd5"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"dfdab3f1634e052b1faa2c9c852ad320eaecf98e","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"bf1a57a6_dc191aec","in_reply_to":"c25e1427_3cd1b058","updated":"2024-08-15 21:50:30.000000000","message":"designate change 925623 actually does not test with latest oslo.policy. that still use oslo.policy \u003c4.4.0 which does not have these setting.\n\nAnother testing change I pushed which should capture the same failure -  https://review.opendev.org/c/openstack/designate/+/926446","commit_id":"6db1f7f682e398c4f8051f1908c8e9014e4c5bd5"},{"author":{"_account_id":1131,"name":"Brian Haley","email":"haleyb.dev@gmail.com","username":"brian-haley"},"change_message_id":"4839a24ed990fb981fe80a3fe4ba51a4cfbf6d8a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"a2c91f7d_dc56bf59","updated":"2024-09-03 15:19:06.000000000","message":"With the designate change all looks good!","commit_id":"0058f76514e1a0ae4c1938d099c015f307ed1aad"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"732c2608371b5eb3a868ac64c76bb5bd6f7be672","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"1c48b97c_f4496da2","updated":"2024-09-03 19:08:01.000000000","message":"this is ready, depends-on is merged now","commit_id":"0058f76514e1a0ae4c1938d099c015f307ed1aad"}]}