Regular user can't boot with requested ip

Bug #1048869 reported by Vish Ishaya
This bug affects 2 people
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: High
Assigned to: Vish Ishaya

Bug Description

The os-networks extension allows a user to request a network and ip when booting, but it fails with a stack trace reporting AdminRequired. This is not an explicit check but a side-effect of an unused call in the validate_networks code.

DEBUG (shell:534) User does not have admin privileges
Traceback (most recent call last):

  File "/opt/stack/nova/nova/openstack/common/rpc/amqp.py", line 275, in _process_data
    rval = self.proxy.dispatch(ctxt, version, method, **args)

  File "/opt/stack/nova/nova/openstack/common/rpc/dispatcher.py", line 145, in dispatch
    return getattr(proxyobj, method)(ctxt, **kwargs)

  File "/opt/stack/nova/nova/network/manager.py", line 262, in wrapped
    return func(self, context, *args, **kwargs)

  File "/opt/stack/nova/nova/network/manager.py", line 1684, in validate_networks
    for network_uuid, address in networks:

  File "/opt/stack/nova/nova/network/manager.py", line 1709, in _get_networks_by_uuids
    @wrap_check_policy

  File "/opt/stack/nova/nova/db/api.py", line 820, in network_get_all_by_uuids
    return IMPL.network_get_all_by_uuids(context, network_uuids, project_id)

  File "/opt/stack/nova/nova/db/sqlalchemy/api.py", line 112, in wrapper
    raise exception.AdminRequired()

AdminRequired: User does not have admin privileges
 (HTTP 403) (Request-ID: req-164604d1-32da-498b-ab8d-23d4ed7ef56f)
Traceback (most recent call last):
  File "/opt/stack/python-novaclient/novaclient/shell.py", line 531, in main
    OpenStackComputeShell().main(sys.argv[1:])
  File "/opt/stack/python-novaclient/novaclient/shell.py", line 467, in main
    args.func(self.cs, args)
  File "/opt/stack/python-novaclient/novaclient/v1_1/shell.py", line 227, in do_boot
    server = cs.servers.create(*boot_args, **boot_kwargs)
  File "/opt/stack/python-novaclient/novaclient/v1_1/servers.py", line 498, in create
    **boot_kwargs)
  File "/opt/stack/python-novaclient/novaclient/v1_1/base.py", line 159, in _boot
    return_raw=return_raw, **kwargs)
  File "/opt/stack/python-novaclient/novaclient/base.py", line 148, in _create
    _resp, body = self.api.client.post(url, body=body)
  File "/opt/stack/python-novaclient/novaclient/client.py", line 210, in post
    return self._cs_request(url, 'POST', **kwargs)
  File "/opt/stack/python-novaclient/novaclient/client.py", line 194, in _cs_request
    **kwargs)
  File "/opt/stack/python-novaclient/novaclient/client.py", line 176, in _time_request
    resp, body = self.request(url, method, **kwargs)
  File "/opt/stack/python-novaclient/novaclient/client.py", line 170, in request
    raise exceptions.from_response(resp, body)
Forbidden: User does not have admin privileges

Vish Ishaya (vishvananda) wrote :

Note that you can lock down the ability for using this by setting a policy for validate_networks.

Changed in nova:
status: New → In Progress
importance: Undecided → High
assignee: nobody → Vish Ishaya (vishvananda)
milestone: none → folsom-rc1
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/12749

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/12749
Committed: http://github.com/openstack/nova/commit/7937144fce54570b2da543663e6ee5e64b1c3cdb
Submitter: Jenkins
Branch: master

commit 7937144fce54570b2da543663e6ee5e64b1c3cdb
Author: Vishvananda Ishaya <email address hidden>
Date: Fri Sep 14 00:21:03 2012 +0000

    Clean up handling of project_only in network_get

    There was some funky logic for getting networks to work around
    the project only decorator. This changes the code to match what
    we actually want which is:

    In Flat and FlatDHCP mode non-admins should be able to access
    networks that belong to their project or networks that have no
    project_id assigned.

    In VlanManager, project_id=None projects should not be accessible
    as this means the project hasn't been assigned yet. The assignment
    is done with an elevated context.

    This patch adds some logic to model_query to allow None in the
    project_only filter and makes network_get_all_by_uuids and
    network_get use it.

    fixes bug 1048869

    Change-Id: I5377cea87dec8e9d0d9cec84e07128c5c6e8dca3
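
The project scoping rules from the commit message above, modelled in memory as an added example (not nova's code): a non-admin lookup is filtered by project instead of failing with AdminRequired, and the network manager mode decides whether unassigned networks are visible. The `ALLOW_NONE` sentinel, the mode keys, the function names and the sample rows are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ALLOW_NONE = "allow_none"  # hypothetical sentinel: own project OR project_id=None

# Hypothetical mode keys mapped to the filter each mode wants.
PROJECT_ONLY_BY_MODE = {"flat": ALLOW_NONE, "flatdhcp": ALLOW_NONE, "vlan": True}

@dataclass(frozen=True)
class Context:
    project_id: str
    is_admin: bool = False

@dataclass(frozen=True)
class Network:
    uuid: str
    project_id: Optional[str]

# Constructed sample rows, not taken from the bug report.
NETWORKS = [
    Network("net-a", "proj-1"),
    Network("net-b", "proj-2"),
    Network("net-shared", None),  # no project assigned
]

def visible_networks(context, rows, project_only):
    """Filter rows the way the commit message describes for model_query."""
    if context.is_admin or not project_only:
        return list(rows)
    if project_only == ALLOW_NONE:
        return [n for n in rows if n.project_id in (context.project_id, None)]
    return [n for n in rows if n.project_id == context.project_id]

def get_networks_by_uuids(context, rows, uuids, mode):
    """Return the requested networks, or fail if any is outside the caller's scope."""
    scoped = visible_networks(context, rows, PROJECT_ONLY_BY_MODE[mode])
    found = {n.uuid: n for n in scoped}
    missing = [u for u in uuids if u not in found]
    if missing:
        # Out-of-scope networks look the same as nonexistent ones to the caller.
        raise LookupError("network(s) not found: " + ", ".join(missing))
    return [found[u] for u in uuids]

if __name__ == "__main__":
    user = Context("proj-1")
    print([n.uuid for n in get_networks_by_uuids(user, NETWORKS, ["net-a", "net-shared"], "flat")])
```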

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: folsom-rc1 → 2012.2