User with permissions can not set 'unshared' Murano package to 'shared'

Bug #1552291 reported by Stan Lagun

Affects   Status        Importance  Assigned to     Milestone
Murano    Fix Released  Medium      Kirill Zaitsev
Liberty   Fix Released  Medium      Kirill Zaitsev
Mitaka    Fix Released  Medium      Kirill Zaitsev

Bug Description

Hello,
Please take a look at the issue below.
Globally, the problem is that a user with permissions can't update a Murano package.
My env is: MOS 8.0 with ISO:589 (HA with vlan, murano, cinder and disabled SSL: 2x controllers; 3x compute,cinder)

Actions performed from controller:

1) OK - Perform actions as admin user:
# . openrc

2) OK - Create new role:
# openstack role create 'can_publicize_packages'
    +-------+----------------------------------+
    | Field | Value                            |
    +-------+----------------------------------+
    | id    | cdb2bf1c7cba4c188792481e9bfdf449 |
    | name  | can_publicize_packages           |
    +-------+----------------------------------+

3) OK - List roles:
# openstack role list
    +----------------------------------+------------------------+
    | ID                               | Name                   |
    +----------------------------------+------------------------+
     . . . .
    | cdb2bf1c7cba4c188792481e9bfdf449 | can_publicize_packages |
    +----------------------------------+------------------------+

4) OK - Create new user inside 'services' project:
# openstack user create '_test_user' --password 'password' --project 'services'
    +------------+----------------------------------+
    | Field      | Value                            |
    +------------+----------------------------------+
    | email      | None                             |
    | enabled    | True                             |
    | id         | e9783de276d64c0189df2c5a5ff79a63 |
    | name       | _test_user                       |
    | project_id | fa38dcb711a24e979f1cd88486a9965e |
    | username   | _test_user                       |
    +------------+----------------------------------+

5) OK - Assign new role to the new user:
# openstack role add 'can_publicize_packages' --user '_test_user' --project 'services'
    +-------+----------------------------------+
    | Field | Value                            |
    +-------+----------------------------------+
    | id    | cdb2bf1c7cba4c188792481e9bfdf449 |
    | name  | can_publicize_packages           |
    +-------+----------------------------------+

6) NOK - Check the new role:
# openstack user role list '_test_user'
    {empty output}

  \\ I suppose it is expected to have some output here.

7) OK - Try to assign again the same role to the same user:
# openstack role add 'can_publicize_packages' --user '_test_user' --project 'services'
    Conflict occurred attempting to store role grant -
    User e9783de276d64c0189df2c5a5ff79a63 already has role
    cdb2bf1c7cba4c188792481e9bfdf449
    in tenant fa38dcb711a24e979f1cd88486a9965e
  (HTTP 409) (Request-ID: req-90460dca-6001-4c1d-90de-212aec294942)

 \\ So it seems that the role was actually assigned to the user.

5) OK - On both controllers add the new role to /etc/murano/policy.json:
# cp /etc/murano/policy.json /etc/murano/policy.json_orig
# vim /etc/murano/policy.json
    from:
    "publicize_package": "rule:admin_api",
    to:
    "publicize_package": "rule:admin_api or role:can_publicize_packages",
    ### The same with:
    "publicize_package": ["rule:admin_api", "role:can_publicize_packages"],

6) OK - On both controllers restart the Murano services:
# service murano-api restart ; service murano-engine restart
    murano-api stop/waiting
    murano-api start/running, process 5597
    murano-engine stop/waiting
    murano-engine start/running, process 5627

6) OK - Change env to '_test_user' and the 'services' project:
# export OS_TENANT_NAME='services' ; export OS_PROJECT_NAME='services' ; export OS_USERNAME='_test_user' ; export OS_PASSWORD='password'

7) OK - As '_test_user' import a Murano pkg:
# murano --murano-repo-url=http://storage.apps.openstack.org package-import 'io.murano.apps.docker.Interfaces'
    Package file 'io.murano.apps.docker.Interfaces' does not exist, attempting to download
    Importing package io.murano.apps.docker.Interfaces
    +----------------------------------+--------------------------+----------------------------------+---------------+-----------+
    | ID                               | Name                     | FQN                              | Author        | Is Public |
    +----------------------------------+--------------------------+----------------------------------+---------------+-----------+
    | 90fee6d0e41b441f9e8c4b29d89497aa | Core library             | io.murano                        | murano.io     | True      |
    | 6c36dc3f149744ca8b18c5e1527b74ef | Docker Interface Library | io.murano.apps.docker.Interfaces | Mirantis, Inc |           |
    +----------------------------------+--------------------------+----------------------------------+---------------+-----------+

8) NOK - As '_test_user' update the imported pkg with Public=TRUE:
# murano package-update '6c36dc3f149744ca8b18c5e1527b74ef' --is-public true
    403 Forbidden: Access was denied to this resource. (HTTP 403)

 \\ After step (5) the new user is expected to have the ability to update imported packages.

Please find logs for the last step (8) attached.
Thanks.

Stan Lagun (slagun)
Changed in murano:
milestone: none → mitaka-3
tags: added: kilo-backport-potential
Changed in murano:
importance: Undecided → Medium
Kirill Zaitsev (kzaitsev) wrote :

Unable to reproduce on current master.

Changed in murano:
status: New → Invalid
Kirill Zaitsev (kzaitsev) wrote :

Unable to reproduce the bug on stable/liberty code either.

Kirill Zaitsev (kzaitsev) wrote :

The bug only appears on old versions of oslo_context.
When serializing, to_dict() in versions prior to 2.2.0 does not include roles. However, they're required for role-based rules.

Since global_requirements specify that the minimal version for oslo_context is 0.2.0 for L and M, this has to be fixed.
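To make the root cause concrete, here is an added example (not code from Murano, oslo_policy or oslo_context) that puts together the policy.json rule from step (5) of the report and the missing-roles behaviour described in the comment above. A deliberately small evaluator for `rule:` and `role:` checks, written for this example, is run against the dict produced by two stand-in request contexts: one whose `to_dict()` omits `roles`, as oslo_context before 2.2.0 did, and one that adds them back, as the fix does. The `OldRequestContext` and `PatchedRequestContext` classes, the `can_publicize` helper and the definition `"admin_api": "role:admin"` are assumptions made for the example; the page only shows the `publicize_package` rule.

```python
"""Added illustration of why a context dict without 'roles' turns
"rule:admin_api or role:can_publicize_packages" into a 403.

Not code from Murano, oslo_policy or oslo_context; the evaluator below is a
small re-implementation of the 'rule:' / 'role:' checks written for this
example, and only its behaviour on these inputs is meant to match oslo_policy.
"""

# Policy fragment from the bug report. The "admin_api" definition is an
# assumption for this example; the page does not show it.
POLICY = {
    "admin_api": "role:admin",
    "publicize_package": "rule:admin_api or role:can_publicize_packages",
}

# The list form the reporter also tried. In oslo_policy's legacy syntax the
# outer list is OR and each inner list (or bare string) is AND.
POLICY_LIST_FORM = {
    "admin_api": "role:admin",
    "publicize_package": ["rule:admin_api", "role:can_publicize_packages"],
}


def _check(atom, creds, policy):
    """Evaluate one 'kind:value' check against the credentials dict."""
    kind, _, value = atom.strip().partition(":")
    if kind == "role":
        # A credentials dict with no 'roles' key behaves as if the user had
        # no roles at all, which is exactly the pre-2.2.0 oslo_context case.
        return value.lower() in (r.lower() for r in creds.get("roles", []))
    if kind == "rule":
        return evaluate(value, creds, policy)
    raise ValueError("unsupported check: %r" % atom)


def evaluate(rule_name, creds, policy):
    """Evaluate a named rule; 'and' binds tighter than 'or'."""
    expr = policy[rule_name]
    if isinstance(expr, str):
        groups = [conj.split(" and ") for conj in expr.split(" or ")]
    else:
        groups = [[g] if isinstance(g, str) else list(g) for g in expr]
    return any(all(_check(a, creds, policy) for a in group) for group in groups)


class OldRequestContext:
    """Stand-in (hypothetical) for oslo_context before 2.2.0: to_dict() drops roles."""

    def __init__(self, user, tenant, roles):
        self.user, self.tenant, self.roles = user, tenant, list(roles)

    def to_dict(self):
        return {"user": self.user, "tenant": self.tenant}


class PatchedRequestContext(OldRequestContext):
    """Stand-in mirroring the fix's intent: add roles when the base class left them out."""

    def to_dict(self):
        creds = super().to_dict()
        creds.setdefault("roles", self.roles)
        return creds


def can_publicize(ctx, policy=POLICY):
    """True when the context may set a package public; False is the 403 case."""
    return evaluate("publicize_package", ctx.to_dict(), policy)


if __name__ == "__main__":
    # Constructed sample: the user and role from the bug report.
    roles = ["can_publicize_packages"]
    print("old context ->", can_publicize(OldRequestContext("_test_user", "services", roles)))
    print("patched     ->", can_publicize(PatchedRequestContext("_test_user", "services", roles)))
```

Note that with this policy even an `admin` user fails under the old context, because `rule:admin_api` resolves to a `role:` check as well; nothing about the Keystone role assignment is wrong, the roles simply never reach the policy engine.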

information type: Public → Private Security
tags: added: liberty-backport-potential security
information type: Private Security → Public Security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to murano (master)

Fix proposed to branch: master
Review: https://review.openstack.org/287480

Changed in murano:
assignee: nobody → Kirill Zaitsev (kzaitsev)
status: Triaged → In Progress
Kirill Zaitsev (kzaitsev) wrote :

stable/kilo is not affected

OpenStack Infra (hudson-openstack) wrote : Fix proposed to murano (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/287803

OpenStack Infra (hudson-openstack) wrote : Fix merged to murano (master)

Reviewed: https://review.openstack.org/287480
Committed: https://git.openstack.org/cgit/openstack/murano/commit/?id=53845d84e79ebc7f34745d21da58cab6b8276fac
Submitter: Jenkins
Branch: master

commit 53845d84e79ebc7f34745d21da58cab6b8276fac
Author: Kirill Zaitsev <email address hidden>
Date: Thu Mar 3 01:15:33 2016 +0300

    Add roles to RequestContext.to_dict if they're not there

    Old versions of oslo_context do not include rules in to_dict()
    However roles are required for newer versions of oslo_policy to operate
    and resolve 'role:xxx' rules.

    Since minimal version for oslo_context is 0.2.0 and commit, that adds
    roles has been added only in 2.2.0 we should support old versions of
    oslo_context with newer version.

    Change-Id: If35726613bec5d342bad72b542215ec8e5c096a2
    Closes-Bug: #1552291

Changed in murano:
status: In Progress → Fix Released
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/murano 2.0.0.0b3

This issue was fixed in the openstack/murano 2.0.0.0b3 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix merged to murano (stable/liberty)

Reviewed: https://review.openstack.org/287803
Committed: https://git.openstack.org/cgit/openstack/murano/commit/?id=7f25fdff2a1f1a0f48c5d771b5b268605ceb3db3
Submitter: Jenkins
Branch: stable/liberty

commit 7f25fdff2a1f1a0f48c5d771b5b268605ceb3db3
Author: Kirill Zaitsev <email address hidden>
Date: Thu Mar 3 01:15:33 2016 +0300

    Add roles to RequestContext.to_dict if they're not there

    Old versions of oslo_context do not include rules in to_dict()
    However roles are required for newer versions of oslo_policy to operate
    and resolve 'role:xxx' rules.

    Since minimal version for oslo_context is 0.2.0 and commit, that adds
    roles has been added only in 2.2.0 we should support old versions of
    oslo_context with newer version.

    Change-Id: If35726613bec5d342bad72b542215ec8e5c096a2
    Closes-Bug: #1552291

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/murano 1.0.3

This issue was fixed in the openstack/murano 1.0.3 release.

OpenStack Infra (hudson-openstack) wrote :

This issue was fixed in the openstack/murano 1.0.3 release.
