CCI-MOC / moc-openstack-tools

Tools for OpenStack administration, user/project management, etc.
Apache License 2.0

check-approved-requests.py partially fails. #92

Closed greyspectrum closed 6 years ago

greyspectrum commented 6 years ago

The check approved requests script is failing to write to the "Helpdesk Notified" column in the requests Google Sheet. Since addusers.py will only create approved accounts when the "Helpdesk Notified" column has been filled, this would explain why addusers.py recently failed to run from the crontab.

[moc-tools@helpdesk-vm production]$ python check-approved-requests.py
Traceback (most recent call last):
  File "check-approved-requests.py", line 318, in <module>
    check_requests('Access', auth_file, worksheet_key)
  File "check-approved-requests.py", line 285, in check_requests
    timestamp_spreadsheet(sheet, timestamp, processed_rows, column=1)
  File "check-approved-requests.py", line 206, in timestamp_spreadsheet
    batch.execute()
  File "/usr/lib/python2.7/site-packages/oauth2client/_helpers.py", line 133, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/googleapiclient/http.py", line 842, in execute
    raise HttpError(resp, content, uri=self.uri)
googleapiclient.errors.HttpError: <HttpError 403 when requesting https://sheets.googleapis.com/v4/spreadsheets/1J32SU5HunV5fhff4deathB5IsAIPtCOTWRZuSQFqns0:batchUpdate?alt=json returned "The caller does not have permission">

Update: the same thing happens with addusers.py. So, it creates the user account and the project, but fails to move the spreadsheet entry to the "current users" spreadsheet. So, it appears to be the same write access failure problem.

Traceback (most recent call last):
  File "/usr/local/src/moc-tools/production/addusers.py", line 481, in <module>
    sheet.append_rows(copy_rows, target="Current Users")
  File "/usr/local/src/moc-tools/production/spreadsheet.py", line 188, in append_rows
    return req.execute()
  File "/usr/lib/python2.7/site-packages/oauth2client/_helpers.py", line 133, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/googleapiclient/http.py", line 842, in execute
    raise HttpError(resp, content, uri=self.uri)
googleapiclient.errors.HttpError: <HttpError 403 when requesting https://sheets.googleapis.com/v4/spreadsheets/1J32SU5HunV5fhff4deathB5IsAIPtCOTWRZuSQFqns0/values/Current%20Users%21A1:append?alt=json&insertDataOption=INSERT_ROWS&valueInputOption=RAW returned "The caller does not have permission">

greyspectrum commented 6 years ago

This issue is now fixed. The problem was that the permissions on the access requests spreadsheet were changed, so that the Google service account (which exposes the API) only had read access. After changing this back, check-approved-requests.py and addusers.py ran successfully from cron. This also fixes issue #88. I am closing this issue.
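
Added example (not part of the original thread or the moc-openstack-tools code): a Python 3 scan of cron output for the failure signature in the tracebacks above, a 403 on a Sheets write method, which in this issue meant the service account had been reduced to read-only. The log lines and `EXAMPLE_SHEET_ID` are constructed, and `classify`, `write_denials` and `WRITE_METHODS` are hypothetical names.

```python
import re
from urllib.parse import urlsplit, unquote

# One-line summary that googleapiclient prints at the end of a traceback.
HTTP_ERROR = re.compile(
    r'<HttpError (?P<status>\d{3}) when requesting (?P<url>\S+) '
    r'returned "(?P<reason>[^"]*)">'
)
# Sheets v4 custom methods that modify the spreadsheet (assumed list).
WRITE_METHODS = {"batchUpdate", "append", "update", "clear"}

# Constructed sample of cron output; the spreadsheet id is a placeholder.
BASE = "https://sheets.googleapis.com/v4/spreadsheets/EXAMPLE_SHEET_ID"
DENIED = 'returned "The caller does not have permission">'
SAMPLE_CRON_OUTPUT = [
    "Traceback (most recent call last):",
    "<HttpError 403 when requesting %s:batchUpdate?alt=json %s" % (BASE, DENIED),
    "<HttpError 403 when requesting %s/values/Current%%20Users%%21A1:append"
    "?alt=json&valueInputOption=RAW %s" % (BASE, DENIED),
    "<HttpError 404 when requesting %s/values/Missing%%21A1?alt=json "
    'returned "Requested entity was not found.">' % BASE,
]


def classify(line):
    """Describe a Sheets API HttpError line, or return None for other lines."""
    m = HTTP_ERROR.search(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    segs = parts.path.split("/")  # ['', 'v4', 'spreadsheets', '<id>[:method]', ...]
    if parts.hostname != "sheets.googleapis.com" or len(segs) < 4:
        return None
    # The custom method, if any, follows the last ':' of the final path segment.
    head, _, method = segs[-1].rpartition(":")
    if method not in WRITE_METHODS:
        head, method = segs[-1], None
    status = int(m["status"])
    return {
        "status": status,
        "reason": m["reason"],
        "spreadsheet": segs[3].partition(":")[0],
        "method": method,
        "target": unquote(head) if len(segs) > 4 else None,
        "write_denied": status == 403 and method is not None,
    }


def write_denials(lines):
    """Return the entries where a write call was refused with 403."""
    found = (classify(line) for line in lines)
    return [f for f in found if f and f["write_denied"]]
```

Any hit from `write_denials` is worth alerting on right away, because the thread shows addusers.py had already created the account and project before its sheet write was refused.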