FWaaS - incorrect behavior in creating firewall with unavailable firewall_policy

Bug #1408236 reported by Yushiro FURUKAWA
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Yushiro FURUKAWA

Bug Description

When creating a firewall under the following conditions, current neutron behaves as follows:

[How to reproduce]
  step1. Create a firewall-policy with the following attributes (CLI/REST-API):
      => shared : false
      => tenant_id : admin-tenant
      ex.
      $ source openrc admin admin
      $ neutron firewall-policy-create policy-admin

  step2. Create a firewall with the following attributes (execute REST-API):
      => tenant_id : general-user-tenant
      => firewall_policy_id : specify the id of the policy created at step1.

      ex.
      $ source openrc demo demo
      $ export TOKEN=`keystone token-get | grep ' id ' | get_field 2`
      $ curl -i -X POST -d '{"firewall":{"firewall_policy_id": "05b28301-d7f8-4dbe-9cf0-ef33b6648ae8", "name":"firewall-demo"}}' -H "content-type: application/json" -H "x-auth-token: $TOKEN" http://localhost:9696/v2.0/fw/firewalls

[Response]
  {
    "NeutronError": {
      "message": "Firewall Policy 05b28301-d7f8-4dbe-9cf0-ef33b6648ae8 could not be found.",
      "type": "FirewallPolicyNotFound",
      "detail": ""
    }
  }

The response is shown above. That is, the general user doesn't have authorization to refer to
the firewall-policy that exists on the admin tenant.
BUT, the firewall is created in general-user-tenant.

[Status]
$ source openrc demo demo
$ neutron firewall-show firewall-demo
+--------------------+--------------------------------------+
| Field              | Value                                |
+--------------------+--------------------------------------+
| admin_state_up     | True                                 |
| description        |                                      |
| firewall_policy_id | 05b28301-d7f8-4dbe-9cf0-ef33b6648ae8 |
| id                 | cdfbbcb5-7d2f-4819-ad60-e73cb8de02ad |
| name               | firewall-demo                        |
| router_ids         |                                      |
| status             | PENDING_CREATE                       |
| tenant_id          | 8241aeed3bf84489b545a3329a6f54b8     |
+--------------------+--------------------------------------+

In addition, only a user who has access authorization to the firewall_policy can delete this resource.
In the above case, the general user cannot delete the firewall resource.

Tags: fwaas
Changed in neutron:
assignee: nobody → Yushiro FURUKAWA (y-furukawa-2)
status: New → In Progress
tags: added: fwaas
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-fwaas (master)

Fix proposed to branch: master
Review: https://review.openstack.org/147396

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/157355

summary: - incorrect behavior in creating firewall with unavailable firewall_policy
+ FWaaS - incorrect behavior in creating firewall with unavailable
+ firewall_policy
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.openstack.org/157355
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=e5cdaf22f82f1aac429e815d72123e3333bacd5d
Submitter: Jenkins
Branch: master

commit e5cdaf22f82f1aac429e815d72123e3333bacd5d
Author: Yushiro FURUKAWA <email address hidden>
Date: Thu Feb 19 19:11:27 2015 +0900

    Enable to specify context on POST requests during unittests

    NeutronDbPluginV2TestCase has a method 'new_create_request'
    to send 'POST' request. But, it doesn't have an argument 'context'.
    So, we can not execute create-test as a tenant-user (NOT admin user).

      e.g. FWaaS resources can not test with the context in creating.

    This fix enables to specify 'context' when executing new_create_request.

    Closes-Bug: #1423470
    Related-Bug: #1408236
    Change-Id: Id8dc8cff87ca658e86c192b8da047f0c62989a4e

description: updated
description: updated
Kyle Mestery (mestery)
Changed in neutron:
importance: Undecided → Medium
milestone: none → liberty-1
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-fwaas (master)

Reviewed: https://review.openstack.org/147396
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas/commit/?id=ba861cf9b9fd345626e2c4e9d3307b74825d5eea
Submitter: Jenkins
Branch: master

commit ba861cf9b9fd345626e2c4e9d3307b74825d5eea
Author: Yushiro FURUKAWA <email address hidden>
Date: Fri Jan 9 15:33:46 2015 +0900

    Insert validation in creating/updating firewall

    This commit adds validation when creating/updating the firewall.
    It checks whether the "firewall_policy_id" is referable or not
    by a tenant user.

    Closes-Bug: #1408236
    Depends-On: Id8dc8cff87ca658e86c192b8da047f0c62989a4e
    Change-Id: I836d89d077ca25631269604d944485d100281411
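
The ordering problem this report describes, next to the validate-first ordering the fix commit describes, as an added example that is not neutron-fwaas code. It is a toy in-memory model; every function name, the store layout and the assumption that the row was written before the policy lookup are hypothetical.

```python
# Hypothetical model of the reported flaw; none of these names are neutron-fwaas APIs.
import uuid
from dataclasses import dataclass, field

class PolicyNotFound(Exception):
    """Raised when a policy does not exist or is not visible to the caller."""

@dataclass
class Store:
    policies: dict = field(default_factory=dict)   # id -> {"tenant_id", "shared"}
    firewalls: dict = field(default_factory=dict)  # id -> firewall row

def get_policy(store, tenant_id, policy_id):
    """Tenant-scoped lookup: only the tenant's own or shared policies are visible."""
    policy = store.policies.get(policy_id)
    if policy is None or (policy["tenant_id"] != tenant_id and not policy["shared"]):
        raise PolicyNotFound(policy_id)
    return policy

def _insert(store, tenant_id, policy_id, name):
    fw_id = str(uuid.uuid4())
    store.firewalls[fw_id] = {"tenant_id": tenant_id, "name": name,
                              "firewall_policy_id": policy_id,
                              "status": "PENDING_CREATE"}
    return fw_id

def create_firewall_unchecked(store, tenant_id, policy_id, name):
    """Models the reported behaviour: the row is stored before the policy is resolved."""
    fw_id = _insert(store, tenant_id, policy_id, name)
    get_policy(store, tenant_id, policy_id)  # fails too late, the row already exists
    return fw_id

def create_firewall_validated(store, tenant_id, policy_id, name):
    """Validate-first ordering: reject the request before anything is written."""
    get_policy(store, tenant_id, policy_id)
    return _insert(store, tenant_id, policy_id, name)

def demo():
    # Constructed data: a non-shared policy owned by the admin tenant.
    store = Store(policies={"policy-admin": {"tenant_id": "admin-tenant", "shared": False}})
    leftover = {}
    for create in (create_firewall_unchecked, create_firewall_validated):
        store.firewalls.clear()
        try:
            create(store, "general-user-tenant", "policy-admin", "firewall-demo")
        except PolicyNotFound:
            pass  # both paths return an error to the caller
        leftover[create.__name__] = len(store.firewalls)
    return leftover
```

`demo()` returns the number of firewall rows left behind after each failed request: one for the unchecked path, none for the validated path.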

Changed in neutron:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (neutron-pecan)

Related fix proposed to branch: neutron-pecan
Review: https://review.openstack.org/185072

Thierry Carrez (ttx)
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: liberty-1 → 7.0.0
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/365990
