nova-api returning 403 when trying simple_usage:show

Bug #1122267 reported by Jacob Godin
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | Medium | Vish Ishaya |

Bug Description

When trying to run 'nova usage' as a tenant user (not global admin), nova API returns a permission denied. Other commands work fine:

# nova --debug --os-username **** --os-password **** --os-auth-url http://10.150.0.50:5000/v2.0 --os-tenant-name Test list

REQ: curl -i http://10.150.0.50:5000/v2.0/tokens -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-novaclient" -d '{"auth": {"tenantName": "Test", "passwordCredentials": {"username": "****", "password": "****"}}}'

2013-02-11T11:33:14.311489 POST http://10.150.0.50:5000/v2.0/tokens
RESP: [200] {'date': 'Mon, 11 Feb 2013 15:33:14 GMT', 'transfer-encoding': 'chunked', 'content-type': 'application/json', 'vary': 'X-Auth-Token'}
RESP BODY: {"access": {"token": {"issued_at": "2013-02-11T15:33:14.609679", "expires": "2013-02-12T15:33:14Z", "id": "cf419f21e8cd438b9a030ce3a8b7530e", "tenant": {"enabled": true, "description": "Test project", "name": "Test", "id": "951f2ba7f0c44ae6a38ea7a9db3897b2"}}, "serviceCatalog": [{"endpoints": [{"adminURL": "http://10.150.0.55:8776/v1/951f2ba7f0c44ae6a38ea7a9db3897b2", "region": "regionOne", "internalURL": "http://10.150.0.55:8776/v1/951f2ba7f0c44ae6a38ea7a9db3897b2", "id": "833c5093f72242148e869141520e25a3", "publicURL": "http://10.150.0.55:8776/v1/951f2ba7f0c44ae6a38ea7a9db3897b2"}], "endpoints_links": [], "type": "volume", "name": "cinder"}, {"endpoints": [{"adminURL": "http://10.150.0.55:9292/v2.0", "region": "regionOne", "internalURL": "http://10.150.0.55:9292/v2.0", "id": "c96acff633654ce09a7ba313f5519479", "publicURL": "http://10.150.0.55:9292/v2.0"}], "endpoints_links": [], "type": "image", "name": "glance"}, {"endpoints": [{"adminURL": "http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2", "region": "regionOne", "internalURL": "http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2", "id": "772c4e148207417fa8570fd1a603831e", "publicURL": "http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2"}], "endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints": [{"adminURL": "http://10.150.0.54:9696/", "region": "regionOne", "internalURL": "http://10.150.0.54:9696/", "id": "5be6e02433ad4c1893197a87bb819122", "publicURL": "http://10.150.0.54:9696/"}], "endpoints_links": [], "type": "network", "name": "quantum"}, {"endpoints": [{"adminURL": "http://10.150.0.50:35357/v2.0", "region": "regionOne", "internalURL": "http://10.150.0.50:5000/v2.0", "id": "c369f78d641d4a5e95f6e14fe6cead20", "publicURL": "http://10.150.0.50:5000/v2.0"}], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": {"username": "****", "roles_links": [], "id": "72cac1a7fcd84d1b9bf0f4147aaff2b2", "roles": [{"name": "client_admin"}], 
"name": "****"}, "metadata": {"is_admin": 0, "roles": ["88455a8088144fcdbeafba03a86bcd38"]}}}

REQ: curl -i http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2/servers/detail -X GET -H "X-Auth-Project-Id: Test" -H "User-Agent: python-novaclient" -H "Accept: application/json" -H "X-Auth-Token: cf419f21e8cd438b9a030ce3a8b7530e"

2013-02-11T11:33:14.709276 GET http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2/servers/detail
RESP: [200] {'date': 'Mon, 11 Feb 2013 15:33:14 GMT', 'x-compute-request-id': 'req-939ec1b3-90b6-4806-a218-1c54e8f6771e', 'content-type': 'application/json', 'content-length': '4258'}
RESP BODY: {"servers": [{"status": "ACTIVE", "updated": "2013-02-07T18:27:34Z", "hostId": "5f0cc9a1c6bce02653a923caf7d4f3d42c9a4a968e1c51b0367c0ba9", "addresses": {"Test Net": [{"version": 4, "addr": "10.0.0.5"}]}, "links": [{"href": "http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2/servers/af0de6f2-105a-40e8-a460-66dd08ebea3a", "rel": "self"}, {"href": "http://10.150.0.52:8774/951f2ba7f0c44ae6a38ea7a9db3897b2/servers/af0de6f2-105a-40e8-a460-66dd08ebea3a", "rel": "bookmark"}], "key_name": null, "image": {"id": "cb992958-fed1-4bd3-be75-a629229573d8", "links": [{"href": "http://10.150.0.52:8774/951f2ba7f0c44ae6a38ea7a9db3897b2/images/cb992958-fed1-4bd3-be75-a629229573d8", "rel": "bookmark"}]}, "OS-EXT-STS:task_state": null, "OS-EXT-STS:vm_state": "active", "flavor": {"id": "54ae82b7-c0c0-45cb-a39c-b55cc7ed8f28", "links": [{"href": "http://10.150.0.52:8774/951f2ba7f0c44ae6a38ea7a9db3897b2/flavors/54ae82b7-c0c0-45cb-a39c-b55cc7ed8f28", "rel": "bookmark"}]}, "id": "af0de6f2-105a-40e8-a460-66dd08ebea3a", "security_groups": [{"name": "default"}], "OS-EXT-AZ:availability_zone": null, "user_id": "72cac1a7fcd84d1b9bf0f4147aaff2b2", "name": "Ubuntu", "created": "2013-02-07T18:27:11Z", "tenant_id": "951f2ba7f0c44ae6a38ea7a9db3897b2", "OS-DCF:diskConfig": "MANUAL", "OS-EXT-AZ:host_availability_zone": "nova", "accessIPv4": "", "accessIPv6": "", "progress": 0, "OS-EXT-STS:power_state": 1, "config_drive": "", "metadata": {}}, {"status": "ACTIVE", "updated": "2013-02-06T19:54:07Z", "hostId": "5f0cc9a1c6bce02653a923caf7d4f3d42c9a4a968e1c51b0367c0ba9", "addresses": {"Test Net": [{"version": 4, "addr": "10.0.0.4"}]}, "links": [{"href": "http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2/servers/3484738c-ea09-45ed-9d87-db1d75f8533d", "rel": "self"}, {"href": "http://10.150.0.52:8774/951f2ba7f0c44ae6a38ea7a9db3897b2/servers/3484738c-ea09-45ed-9d87-db1d75f8533d", "rel": "bookmark"}], "key_name": null, "image": {"id": "786654b5-dab6-4448-80ee-a15e810a31a2", "links": 
[{"href": "http://10.150.0.52:8774/951f2ba7f0c44ae6a38ea7a9db3897b2/images/786654b5-dab6-4448-80ee-a15e810a31a2", "rel": "bookmark"}]}, "OS-EXT-STS:task_state": null, "OS-EXT-STS:vm_state": "active", "flavor": {"id": "54ae82b7-c0c0-45cb-a39c-b55cc7ed8f28", "links": [{"href": "http://10.150.0.52:8774/951f2ba7f0c44ae6a38ea7a9db3897b2/flavors/54ae82b7-c0c0-45cb-a39c-b55cc7ed8f28", "rel": "bookmark"}]}, "id": "3484738c-ea09-45ed-9d87-db1d75f8533d", "security_groups": [{"name": "default"}], "OS-EXT-AZ:availability_zone": null, "user_id": "72cac1a7fcd84d1b9bf0f4147aaff2b2", "name": "Test2", "created": "2013-02-05T20:10:10Z", "tenant_id": "951f2ba7f0c44ae6a38ea7a9db3897b2", "OS-DCF:diskConfig": "MANUAL", "OS-EXT-AZ:host_availability_zone": "nova", "accessIPv4": "", "accessIPv6": "", "progress": 0, "OS-EXT-STS:power_state": 1, "config_drive": "", "metadata": {}}, {"status": "PAUSED", "updated": "2013-02-11T15:05:34Z", "hostId": "5f0cc9a1c6bce02653a923caf7d4f3d42c9a4a968e1c51b0367c0ba9", "addresses": {"Test Net": [{"version": 4, "addr": "10.0.0.3"}]}, "links": [{"href": "http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2/servers/3d14ef64-be16-47b6-9378-8bacba50bf91", "rel": "self"}, {"href": "http://10.150.0.52:8774/951f2ba7f0c44ae6a38ea7a9db3897b2/servers/3d14ef64-be16-47b6-9378-8bacba50bf91", "rel": "bookmark"}], "key_name": null, "image": {"id": "786654b5-dab6-4448-80ee-a15e810a31a2", "links": [{"href": "http://10.150.0.52:8774/951f2ba7f0c44ae6a38ea7a9db3897b2/images/786654b5-dab6-4448-80ee-a15e810a31a2", "rel": "bookmark"}]}, "OS-EXT-STS:task_state": null, "OS-EXT-STS:vm_state": "paused", "flavor": {"id": "54ae82b7-c0c0-45cb-a39c-b55cc7ed8f28", "links": [{"href": "http://10.150.0.52:8774/951f2ba7f0c44ae6a38ea7a9db3897b2/flavors/54ae82b7-c0c0-45cb-a39c-b55cc7ed8f28", "rel": "bookmark"}]}, "id": "3d14ef64-be16-47b6-9378-8bacba50bf91", "security_groups": [{"name": "default"}], "OS-EXT-AZ:availability_zone": null, "user_id": "72cac1a7fcd84d1b9bf0f4147aaff2b2", 
"name": "Test", "created": "2013-02-04T23:55:55Z", "tenant_id": "951f2ba7f0c44ae6a38ea7a9db3897b2", "OS-DCF:diskConfig": "MANUAL", "OS-EXT-AZ:host_availability_zone": "nova", "accessIPv4": "", "accessIPv6": "", "OS-EXT-STS:power_state": 3, "config_drive": "", "metadata": {}}]}

+--------------------------------------+--------+--------+-------------------+
| ID | Name | Status | Networks |
+--------------------------------------+--------+--------+-------------------+
| 3d14ef64-be16-47b6-9378-8bacba50bf91 | Test | PAUSED | Test Net=10.0.0.3 |
| 3484738c-ea09-45ed-9d87-db1d75f8533d | Test2 | ACTIVE | Test Net=10.0.0.4 |
| af0de6f2-105a-40e8-a460-66dd08ebea3a | Ubuntu | ACTIVE | Test Net=10.0.0.5 |
+--------------------------------------+--------+--------+-------------------+

# nova --debug --os-username **** --os-password **** --os-auth-url http://10.150.0.50:5000/v2.0 --os-tenant-name Test usage

REQ: curl -i http://10.150.0.50:5000/v2.0/tokens -X POST -H "Content-Type: application/json" -H "Accept: application/json" -H "User-Agent: python-novaclient" -d '{"auth": {"tenantName": "Test", "passwordCredentials": {"username": "****", "password": "****"}}}'

2013-02-11T11:34:06.746585 POST http://10.150.0.50:5000/v2.0/tokens
RESP: [200] {'date': 'Mon, 11 Feb 2013 15:34:06 GMT', 'transfer-encoding': 'chunked', 'content-type': 'application/json', 'vary': 'X-Auth-Token'}
RESP BODY: {"access": {"token": {"issued_at": "2013-02-11T15:34:06.851813", "expires": "2013-02-12T15:34:06Z", "id": "7445ce457df04111adc776855dd5df26", "tenant": {"enabled": true, "description": "Test project", "name": "Test", "id": "951f2ba7f0c44ae6a38ea7a9db3897b2"}}, "serviceCatalog": [{"endpoints": [{"adminURL": "http://10.150.0.55:8776/v1/951f2ba7f0c44ae6a38ea7a9db3897b2", "region": "regionOne", "internalURL": "http://10.150.0.55:8776/v1/951f2ba7f0c44ae6a38ea7a9db3897b2", "id": "833c5093f72242148e869141520e25a3", "publicURL": "http://10.150.0.55:8776/v1/951f2ba7f0c44ae6a38ea7a9db3897b2"}], "endpoints_links": [], "type": "volume", "name": "cinder"}, {"endpoints": [{"adminURL": "http://10.150.0.55:9292/v2.0", "region": "regionOne", "internalURL": "http://10.150.0.55:9292/v2.0", "id": "c96acff633654ce09a7ba313f5519479", "publicURL": "http://10.150.0.55:9292/v2.0"}], "endpoints_links": [], "type": "image", "name": "glance"}, {"endpoints": [{"adminURL": "http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2", "region": "regionOne", "internalURL": "http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2", "id": "772c4e148207417fa8570fd1a603831e", "publicURL": "http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2"}], "endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints": [{"adminURL": "http://10.150.0.54:9696/", "region": "regionOne", "internalURL": "http://10.150.0.54:9696/", "id": "5be6e02433ad4c1893197a87bb819122", "publicURL": "http://10.150.0.54:9696/"}], "endpoints_links": [], "type": "network", "name": "quantum"}, {"endpoints": [{"adminURL": "http://10.150.0.50:35357/v2.0", "region": "regionOne", "internalURL": "http://10.150.0.50:5000/v2.0", "id": "c369f78d641d4a5e95f6e14fe6cead20", "publicURL": "http://10.150.0.50:5000/v2.0"}], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": {"username": "****", "roles_links": [], "id": "72cac1a7fcd84d1b9bf0f4147aaff2b2", "roles": [{"name": "client_admin"}], 
"name": "****"}, "metadata": {"is_admin": 0, "roles": ["88455a8088144fcdbeafba03a86bcd38"]}}}

REQ: curl -i http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2/os-simple-tenant-usage/951f2ba7f0c44ae6a38ea7a9db3897b2?start=2013-01-14T15:34:06.871236&end=2013-02-12T15:34:06.871236 -X GET -H "X-Auth-Project-Id: Test" -H "User-Agent: python-novaclient" -H "Accept: application/json" -H "X-Auth-Token: 7445ce457df04111adc776855dd5df26"

2013-02-11T11:34:06.872623 GET http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2/os-simple-tenant-usage/951f2ba7f0c44ae6a38ea7a9db3897b2?start=2013-01-14T15:34:06.871236&end=2013-02-12T15:34:06.871236
RESP: [403] {'date': 'Mon, 11 Feb 2013 15:34:06 GMT', 'content-length': '78', 'content-type': 'application/json; charset=UTF-8', 'x-compute-request-id': 'req-30abfdd5-7d81-4c53-bbc6-83212df448bc'}
RESP BODY: {"forbidden": {"message": "User does not have admin privileges", "code": 403}}

DEBUG (shell:732) User does not have admin privileges (HTTP 403) (Request-ID: req-30abfdd5-7d81-4c53-bbc6-83212df448bc)
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/novaclient/shell.py", line 729, in main
    OpenStackComputeShell().main(sys.argv[1:])
  File "/usr/lib/python2.7/dist-packages/novaclient/shell.py", line 665, in main
    args.func(self.cs, args)
  File "/usr/lib/python2.7/dist-packages/novaclient/v1_1/shell.py", line 2113, in do_usage
    usage = cs.usage.get(cs.client.tenant_id, start, end)
  File "/usr/lib/python2.7/dist-packages/novaclient/v1_1/usage.py", line 48, in get
    "tenant_usage")
  File "/usr/lib/python2.7/dist-packages/novaclient/base.py", line 140, in _get
    _resp, body = self.api.client.get(url)
  File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 231, in get
    return self._cs_request(url, 'GET', **kwargs)
  File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 218, in _cs_request
    **kwargs)
  File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 200, in _time_request
    resp, body = self.request(url, method, **kwargs)
  File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 194, in request
    raise exceptions.from_response(resp, body, url, method)
Forbidden: User does not have admin privileges (HTTP 403) (Request-ID: req-30abfdd5-7d81-4c53-bbc6-83212df448bc)
ERROR: User does not have admin privileges (HTTP 403) (Request-ID: req-30abfdd5-7d81-4c53-bbc6-83212df448bc)

policy.json has proper rule:
    "compute_extension:simple_tenant_usage:show": "rule:admin_or_owner",

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/21673

Changed in nova:
assignee: nobody → Vish Ishaya (vishvananda)
status: New → In Progress
Changed in nova:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/21673
Committed: http://github.com/openstack/nova/commit/394713eaef63f28f5ea298aeac4ae1f7c76fa167
Submitter: Jenkins
Branch: master

commit 394713eaef63f28f5ea298aeac4ae1f7c76fa167
Author: Vishvananda Ishaya <email address hidden>
Date: Mon Feb 11 10:06:36 2013 -0800

    Fix regression in non-admin simple_usage:show.

    Commit 6ff32210772a67a1b526d9d784030afc90f3ce99 optimized the db query
    for usage but replaced a call that had require_context with one that
    had require_admin_context. This causes usage show to throw a 403. We
    check for admin_or_owner in policy, so there is no need to check for
    admin context at the db layer.

    Fixes bug 1122267

    Change-Id: Iff362f46d83a710f3883538bcb646e3457e0ba64
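
The regression described in the commit message above, as an added example that is not nova's code: a simplified model of the two authorization layers, showing why an admin-only check at the db layer turns a policy-permitted owner request into a 403, and that cross-tenant access stays blocked by the policy rule once the db layer only requires a valid context. Only the decorator names `require_context` / `require_admin_context` and the `admin_or_owner` rule come from the page; `Context`, `show_usage`, the `usage_query_*` functions, the `USAGE` data and the policy error text are hypothetical.

```python
import functools

class Forbidden(Exception):
    """Stands in for the HTTP 403 the API returns."""

class Context:
    # Simplified request context (assumption: only the fields this example needs).
    def __init__(self, user_id, project_id, is_admin=False):
        self.user_id, self.project_id, self.is_admin = user_id, project_id, is_admin

def require_context(fn):
    # db-layer guard: any caller with a user and a project may proceed.
    @functools.wraps(fn)
    def wrapper(ctx, *args, **kwargs):
        if not (ctx.user_id and ctx.project_id):
            raise Forbidden("User is not authorized")
        return fn(ctx, *args, **kwargs)
    return wrapper

def require_admin_context(fn):
    # db-layer guard: admin only. This is the check that produced the 403.
    @functools.wraps(fn)
    def wrapper(ctx, *args, **kwargs):
        if not ctx.is_admin:
            raise Forbidden("User does not have admin privileges")
        return fn(ctx, *args, **kwargs)
    return wrapper

def admin_or_owner(ctx, target_project_id):
    # API-layer policy check, modelled on "rule:admin_or_owner".
    if not (ctx.is_admin or ctx.project_id == target_project_id):
        raise Forbidden("Policy does not allow simple_tenant_usage:show")

USAGE = {"tenant-a": 3, "tenant-b": 7}  # constructed data: instances per tenant

@require_admin_context
def usage_query_regressed(ctx, project_id):
    return USAGE[project_id]

@require_context
def usage_query_fixed(ctx, project_id):
    return USAGE[project_id]

def show_usage(ctx, project_id, db_call):
    """Return (status, body) the way the API would for usage show."""
    try:
        admin_or_owner(ctx, project_id)        # policy layer runs first
        return 200, db_call(ctx, project_id)   # then the db-layer guard
    except Forbidden as exc:
        return 403, str(exc)
```

A regression test for this class of bug exercises the endpoint with a non-admin owner context, not only with an admin context, since the admin path passes in both variants.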

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → grizzly-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: grizzly-3 → 2013.1