--disable-snat on tenant router raises 404

Bug #1296953 reported by Aaron Rosen
Affects Status Importance Assigned to Milestone
neutron
In Progress
Low
Hong Hui Xiao

Bug Description

arosen@arosen-desktop:~/devstack$ neutron router-create aaa
Created a new router:
+-----------------------+--------------------------------------+
| Field | Value |
+-----------------------+--------------------------------------+
| admin_state_up | True |
| distributed | False |
| external_gateway_info | |
| id | add4d46b-5036-4a96-af7e-8ceb44f9ab3d |
| name | aaa |
| routes | |
| status | ACTIVE |
| tenant_id | 4ec9de7eae7445719e8f67f2f9d78aae |
+-----------------------+--------------------------------------+
arosen@arosen-desktop:~/devstack$ neutron router-gateway-set --disable-snat aaa public
The resource could not be found.

2014-03-24 14:06:12.444 DEBUG neutron.policy [req-19762248-9964-4ad3-9ce9-de68d4cc4e49 demo 4ec9de7eae7445719e8f67f2f9d78aae] Failed policy check for 'update_router' from (pid=7068) enforce /opt/stack/neutron/neutron/policy.py:381
2014-03-24 14:06:12.444 ERROR neutron.api.v2.resource [req-19762248-9964-4ad3-9ce9-de68d4cc4e49 demo 4ec9de7eae7445719e8f67f2f9d78aae] update failed
2014-03-24 14:06:12.444 TRACE neutron.api.v2.resource Traceback (most recent call last):
2014-03-24 14:06:12.444 TRACE neutron.api.v2.resource File "/opt/stack/neutron/neutron/api/v2/resource.py", line 87, in resource
2014-03-24 14:06:12.444 TRACE neutron.api.v2.resource result = method(request=request, **args)
2014-03-24 14:06:12.444 TRACE neutron.api.v2.resource File "/opt/stack/neutron/neutron/api/v2/base.py", line 494, in update
2014-03-24 14:06:12.444 TRACE neutron.api.v2.resource raise webob.exc.HTTPNotFound(msg)
2014-03-24 14:06:12.444 TRACE neutron.api.v2.resource HTTPNotFound: The resource could not be found.
2014-03-24 14:06:12.444 TRACE neutron.api.v2.resource
2014-03-24 14:06:12.445 INFO neutron.wsgi [req-19762248-9964-4ad3-9ce9-de68d4cc4e49 demo 4ec9de7eae7445719e8f67f2f9d78aae] 10.24.114.91 - - [24/Mar/2014 14:06:12] "PUT /v2.0/routers/add4d46b-5036-4a96-af7e-8ceb44f9ab3d.json HTTP/1.1" 404 248 0.039626

In the code we do:

        try:
            policy.enforce(request.context,
                           action,
                           orig_obj)
        except exceptions.PolicyNotAuthorized:
            # To avoid giving away information, pretend that it
            # doesn't exist
            msg = _('The resource could not be found.')
            raise webob.exc.HTTPNotFound(msg)

It would be nice if we were smarter about this and raised "not authorized" instead of "not found".

Changed in neutron:
assignee: nobody → Sridhar Gaddam (sridhargaddam)
Changed in neutron:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/85682

Kyle Mestery (mestery)
Changed in neutron:
importance: Undecided → Low
Revision history for this message
Sridhar Gaddam (sridhargaddam) wrote :

I would like to seek the opinion from other developers/Core-Developers about the comments from enikanorov on the patch - https://review.openstack.org/#/c/85682/

I agree that from a Security POV giving away information is not a good idea - more so when dealing with login servers/authentication. Here in this bug, IMHO we are providing relevant information when there is a policy violation.
The user is an authenticated user and the error code is to inform that a particular operation is not permitted.

Please feel free to agree/disagree or correct me on this. Thank you.

Changed in neutron:
status: In Progress → Opinion
Revision history for this message
Kodiak Firesmith (kfiresmith) wrote :

Am I right to understand that '--disable-snat' is an Admin-level task then? Perhaps it should be made more clear in the command help for 'router-gateway-set', as generally I understood it to be that you set the gateway as a member of the tenant receiving the router rather than as a global Admin in Openstack.

Changed in neutron:
status: Opinion → New
assignee: Sridhar Gaddam (sridhargaddam) → nobody
Revision history for this message
Ihar Hrachyshka (ihar-hrachyshka) wrote :

I believe it's a matter of changing the wording of the message to suggest that authN check could also trigger the error.

tags: added: api low-hanging-fruit usability
Hong Hui Xiao (xiaohhui)
Changed in neutron:
assignee: nobody → Hong Hui Xiao (xiaohhui)
Revision history for this message
Hong Hui Xiao (xiaohhui) wrote :

It has been a long time since this bug. Things have changed.

First of all, I agree with @enikanorov in [1]. I don't think it is a good idea to just show HTTP 403 to a normal user for a resource that he should not know about, like a resource in another tenant.

If a user wants to update a resource that he can see but does not have policy authorization for, neutron should report HTTP 403. Patches [2] and [3] have fixed this. So, with the latest code, I see the error "disallowed by policy" when I run "neutron router-gateway-set --disable-snat aaa public".

However, during the investigation, I found that I can run "neutron router-gateway-set aaa public" with the default policy file. So I will submit a minor patch to address the default policy problem.

[1] https://review.openstack.org/#/c/85682/
[2] https://review.openstack.org/#/c/123673/
[3] https://review.openstack.org/#/c/112150/
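
The 404-versus-403 distinction argued in the bug description and in the comment above, as an added example (not neutron's code): the policy names, rule bodies, tenant ids and router are constructed stand-ins for neutron's policy.json and request context, and status_for is a hypothetical helper that maps the outcome to an HTTP status.

```python
from collections import namedtuple

# Added example of the 404-vs-403 decision from this bug; not neutron's own
# code, and the policy rules below are constructed stand-ins for policy.json.
Context = namedtuple("Context", "tenant_id is_admin", defaults=(False,))
Router = namedtuple("Router", "id tenant_id")

class NotFound(Exception): pass   # rendered as HTTP 404
class Forbidden(Exception): pass  # rendered as HTTP 403

def _owner_or_admin(ctx, obj):
    return ctx.is_admin or ctx.tenant_id == obj.tenant_id

# Owners may read and update their own routers; flipping enable_snat on the
# gateway is admin-only, which is what --disable-snat trips over.
RULES = {
    "get_router": _owner_or_admin,
    "update_router": _owner_or_admin,
    "update_router:external_gateway_info:enable_snat": lambda ctx, obj: ctx.is_admin,
}

def enforce(ctx, action, obj):
    rule = RULES.get(action)
    return rule is not None and rule(ctx, obj)

def update_router(ctx, router, body):
    # 1. Visibility first: a caller who may not even read the router gets
    #    404, so a foreign tenant cannot confirm that the id exists.
    if not enforce(ctx, "get_router", router):
        raise NotFound("The resource could not be found.")
    # 2. The router is visible to the caller, so a failed update policy is a
    #    403 and the message can safely name the rule that blocked it.
    actions = ["update_router"]
    if "enable_snat" in (body.get("external_gateway_info") or {}):
        actions.append("update_router:external_gateway_info:enable_snat")
    for action in actions:
        if not enforce(ctx, action, router):
            raise Forbidden(f"{action} disallowed by policy")
    return {"id": router.id, **body}

def status_for(ctx, router, body):
    # HTTP status the request would get back: 200, 403 or 404.
    try:
        update_router(ctx, router, body)
        return 200
    except NotFound:
        return 404
    except Forbidden:
        return 403
```

Running the same --disable-snat request as the owner, as another tenant and as admin yields 403, 404 and 200 respectively, while the owner's plain gateway-set without enable_snat succeeds.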

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/240002

Changed in neutron:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Hong Hui Xiao (<email address hidden>) on branch: master
Review: https://review.openstack.org/240002
Reason: This might be designed to be this way according to the tempest. Allow user to create a basic connection between router and external network, however, let admin to do other things.

Revision history for this message
Hong Hui Xiao (xiaohhui) wrote :

Thinking more about this bug. The inconsistency might be designed to be this way according to the tempest. Allow user to create a basic connection between router and external network, however, let admin to do other things.

The original bug in the description is resolved by Bug #1352907, so mark duplicated with it.
