LBaaS user needs permissions to POST consumers

Bug #1519170 reported by Dave McCowan on 2015-11-24
54
This bug affects 9 people
Affects Status Importance Assigned to Milestone
Barbican
Fix Released
High
Pankaj Khandar
octavia
Confirmed
High
Unassigned

Bug Description

The ACL read access list was added in part for the LBaaS user to read the containers and secrets it needs, which needing to have an admin role in the secret's project.

Unfortunately, an LBaaS user also needs to be able to POST a consumer.
Permission for this should also be available via the read ACL.

LBaaS Code Calling POST Consumer:

https://github.com/openstack/neutron-lbaas/blob/master/neutron_lbaas/common/cert_manager/barbican_cert_manager.py#L197

tags: added: liberty-backport-potential
Changed in barbican:
assignee: nobody → Adam Harwell (adam-harwell)
status: New → In Progress
Changed in barbican:
assignee: Adam Harwell (adam-harwell) → Pankaj Khandar (pankaj-khandar)
Jiahao liang (jiahao.liang) wrote :

Hi all,

How's the progress for this bug?
It seems like the bug I reported https://bugs.launchpad.net/barbican/+bug/1592612 is somehow related to this bug.
Do any of you mind check out the bug I reported? Thanks a lot.

Changed in barbican:
assignee: Pankaj Khandar (pankaj-khandar) → nobody
status: In Progress → Confirmed
Pankaj Khandar (pankaj-khandar) wrote :

Sorry Folks, I am stuck into some other priorities right now.

I ran into the same bug as Jiahao, but on liberty stable devstack: https://bugs.launchpad.net/barbican/+bug/1592612
Is there any temporary workaround until this is fixed?

Changed in octavia:
status: New → Confirmed
Teri Lu (lujsh-e) wrote :

Hi All,

Anyone is working on this bug?

Changed in barbican:
importance: Undecided → High
Changed in octavia:
importance: Undecided → High

Reviewed: https://review.openstack.org/251168
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=38ecf5b51fef1293e9c1d95d8110c50ae5997f28
Submitter: Jenkins
Branch: master

commit 38ecf5b51fef1293e9c1d95d8110c50ae5997f28
Author: Pan <email address hidden>
Date: Thu Aug 25 12:56:07 2016 -0400

    Remove consumer check for project_id to match containers

    I believe this is the correct behavior, as it would match how
    containers handles these operations. This change facilitates
    the LBaaS Barbican TLS workflow (which should be the same as
    what other services will use in the future too).

    The RBAC settings for consumer POST should be set to
    use the same ACL rules as container GET (plus admin).

    The RBAC settings for consumer DELETE should be:
     * Any user with Delete permissions on the Container
     * Any user that both: has ACL Read access to the Container; is a member
       of the project that created the Consumer being deleted

    Change-Id: Ie84784573893934c2887814a200e7386314b4f18
    Closes-Bug: #1519170

Changed in barbican:
status: Confirmed → Fix Released
Pankaj Khandar (pankaj-khandar) wrote :
Changed in barbican:
assignee: nobody → Pankaj Khandar (pankaj-khandar)

This issue was fixed in the openstack/barbican 3.0.0.0rc1 release candidate.

This issue was fixed in the openstack/barbican 3.0.0 release.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers