non-admin user can't add new fixed ip to the VM by os-multinic api

Bug #1432455 reported by Alex Xu
This bug affects 1 person
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Low
Assigned to: lvmxh

Bug Description

When a non-admin user adds a new NIC to the VM by:

alex@hp-pc:/opt/stack/nova$ nova --debug add-fixed-ip vm1 12d4bedb-77fb-44da-b6d6-6c52e7606c02

they will get the error below:

2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher Traceback (most recent call last):
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/rpc/dispatcher.py", line 142, in _dispatch_and_reply
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher executor_callback))
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/rpc/dispatcher.py", line 186, in _dispatch
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher executor_callback)
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/rpc/dispatcher.py", line 130, in _do_dispatch
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher result = func(ctxt, **new_args)
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher File "/opt/stack/nova/nova/network/manager.py", line 778, in add_fixed_ip_to_instance
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher self._allocate_fixed_ips(context, instance_id, host, [network])
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher File "/opt/stack/nova/nova/network/manager.py", line 194, in _allocate_fixed_ips
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher vpn=vpn, address=address)
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher File "/opt/stack/nova/nova/network/manager.py", line 1938, in allocate_fixed_ip
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher address = fip.address
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher File "/opt/stack/nova/nova/objects/base.py", line 161, in wrapper
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher args, kwargs)
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher File "/opt/stack/nova/nova/conductor/rpcapi.py", line 365, in object_class_action
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher objver=objver, args=args, kwargs=kwargs)
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/rpc/client.py", line 156, in call
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher retry=self.retry)
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/transport.py", line 90, in _send
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher timeout=timeout, retry=retry)
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/_drivers/amqpdriver.py", line 349, in send
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher retry=retry)
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher File "/usr/local/lib/python2.7/dist-packages/oslo_messaging/_drivers/amqpdriver.py", line 340, in _send
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher raise result
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher AdminRequired_Remote: User does not have admin privileges
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher Traceback (most recent call last):
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher File "/opt/stack/nova/nova/conductor/manager.py", line 420, in _object_dispatch
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher """Perform a classmethod action on an object."""
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher File "/opt/stack/nova/nova/objects/base.py", line 163, in wrapper
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher result = fn(cls, context, *args, **kwargs)
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher File "/opt/stack/nova/nova/objects/fixed_ip.py", line 160, in associate_pool
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher host=host)
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher File "/opt/stack/nova/nova/db/api.py", line 509, in fixed_ip_associate_pool
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher instance_uuid, host)
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher File "/opt/stack/nova/nova/db/sqlalchemy/api.py", line 127, in wrapper
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher File "/opt/stack/nova/nova/context.py", line 235, in require_admin_context
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher
2015-03-16 09:23:18.306 TRACE oslo_messaging.rpc.dispatcher AdminRequired: User does not have admin privileges

Alex Xu (xuhj)
Changed in nova:
assignee: nobody → Alex Xu (xuhj)
Changed in nova:
assignee: Alex Xu (xuhj) → lvmxh (shaohef)
status: New → In Progress
Changed in nova:
importance: Undecided → Low
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/150687
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=a57fae105452e26684406b59ff6b2128698479e9
Submitter: Jenkins
Branch: master

commit a57fae105452e26684406b59ff6b2128698479e9
Author: ShaoHe Feng <email address hidden>
Date: Fri Feb 27 17:36:27 2015 +0800

    Remove db layer hard-code permission checks for fixed_ip_associate_*

    This patch removes db layer hard-code permission checks for
    fixed_ip_associate_*

    The following functions call db fixed_ip_associate_* API
    1. allocate_for_instance, context has been elevated.
    2. add_fixed_ip_to_instance, it does not need to require admin privilege,
       and bug 1432455 was filed for it.

    The following functions call db fixed_ip_associate_pool API.
    1. NetworkManager._get_dhcp_ip, context has been elevated.

    Closes-Bug: 1432455
    Partially implements bp nova-api-policy-final-part

    Change-Id: Ia33080c1681b139dbca72bfd5c9810e8fbea6719
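
Added example (not nova's code and not part of the commit): a simplified Python model of the call path in the traceback, showing why the hard-coded require_admin_context check at the DB layer rejected a non-admin caller, and that authorization is still enforced at the API layer once that check is removed. The RequestContext class, the role names and the POLICY rule name are constructed for illustration.

```python
# Simplified model of the call path in the traceback; not nova's code.
import functools


class AdminRequired(Exception):
    """Raised when a non-admin context reaches an admin-only function."""


class PolicyNotAuthorized(Exception):
    """Raised by the API-layer policy check (rule name is constructed)."""


class RequestContext:
    def __init__(self, user, roles, is_admin=False):
        self.user, self.roles, self.is_admin = user, set(roles), is_admin

    def elevated(self):
        # Copy of the context with admin rights, for trusted internal calls.
        return RequestContext(self.user, self.roles | {"admin"}, is_admin=True)


def require_admin_context(fn):
    # The hard-coded DB-layer check that produced AdminRequired in the report.
    @functools.wraps(fn)
    def wrapper(context, *args, **kwargs):
        if not context.is_admin:
            raise AdminRequired("User does not have admin privileges")
        return fn(context, *args, **kwargs)
    return wrapper


def _associate_pool(context, network_id, instance_uuid):
    return {"network": network_id, "instance": instance_uuid, "by": context.user}


# Before the fix: the DB function is admin-only regardless of API policy.
fixed_ip_associate_pool_before = require_admin_context(_associate_pool)
# After the fix: no DB-layer check; authorization is decided at the API layer.
fixed_ip_associate_pool_after = _associate_pool

# Constructed policy: roles allowed to call the multinic add-fixed-ip action.
POLICY = {"os-multinic:add_fixed_ip": {"member", "admin"}}


def add_fixed_ip(context, instance_uuid, network_id, db_associate):
    # API layer: the single, configurable authorization decision.
    if not (context.roles & POLICY["os-multinic:add_fixed_ip"]):
        raise PolicyNotAuthorized("os-multinic:add_fixed_ip")
    return db_associate(context, network_id, instance_uuid)
```

With the decorator removed, a caller that the API policy rejects still never reaches the DB function, so the API-layer rule is the control to review when auditing this change.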

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → liberty-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: liberty-3 → 12.0.0