Juniper Openstack

RBAC - When RBAC is enabled, new admin token gets fetched and been used as owner rather than using the actual user token

Bug #1583241 reported by Akila on 2016-05-18

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Juniper Openstack	Status tracked in Trunk
R3.0	Fix Committed	High	Deepinder Setia	Juniper Openstack r3.0.3.0
R3.1	Fix Committed	High	Deepinder Setia	Juniper Openstack r3.1.0.0-fcs
Trunk	Fix Committed	High	Deepinder Setia

Bug Description

When rbac is enabled, new admin token gets fetched and been used as owner rather than using the actual user token, as a result the perms2 shows owner as admin rather than tenant.

root@a5d02e33:~# contrail-version
Package Version ---------------------config-openstack contrail-control contrail-dns contrail-docs contrail-f5 contrail-fabric-utils contrail-heat contrail-install-packages contrail-lib contrail-nodemgr contrail-nova-networkapi contrail-openstack contrail-openstack-analytics contrail-openstack-config contrail-openstack-control contrail-openstack-dashboard contrail-openstack-database contrail-openstack-webui contrail-setup contrail-utils contrail-web-controller contrail-web-core ifmap-python-client 0.1-2 ifmap-server neutron-plugin-contrail nova-api nova-common nova-conductor nova-console nova-consoleauth nova-novncproxy nova-objectstore nova-scheduler python-contrail python-neutronclient python-nova root@a5d02e33:~# Build-ID | Repo | Package Name
/>----------------- ------------------------------ ----------------------------------
3.1.0.0-2730 2730
3.1.0.0-2730 2730
3.1.0.0-2730 2730
3.1.0.0-2730 2730
3.1.0.0-2730 2730
3.1.0.0-2730 2730
3.1.0.0-2730 2730
3.1.0.0-2730 2730
3.1.0.0-2730 2730
3.1.0.0-2730~kilo 2730
3.1.0.0-2730 2730
3.1.0.0-2730 2730
3.1.0.0-2730 2730
3.1.0.0-2730 2730
3.1.0.0-2730 2730
3.1.0.0-2730 2730
3.1.0.0-2730 2730
3.1.0.0-2730 2730
3.1.0.0-2730 2730
3.1.0.0-2730 2730
3.1.0.0-2730 2730
3.1.0.0-2730 2730
3.1.0.0-2730 2730
3.1.0.0-2730 2730
2730
0.3.2-1contrail2 2730
3.1.0.0-2730 2730
1:2015.1.2-0ubuntu2~cloud0.1contrail2730
1:2015.1.2-0ubuntu2~cloud0.1contrail2730
1:2015.1.2-0ubuntu2~cloud0.1contrail2730
1:2015.1.2-0ubuntu2~cloud0.1contrail2730
1:2015.1.2-0ubuntu2~cloud0.1contrail2730
1:2015.1.2-0ubuntu2~cloud0.1contrail2730
1:2015.1.2-0ubuntu2~cloud0.1contrail2730
1:2015.1.2-0ubuntu2~cloud0.1contrail2730
3.1.0.0-2730 2730
1:2.3.11-0ubuntu1~cloud0.3contrail2730
1:2015.1.2-0ubuntu2~cloud0.1contrail2730

On denugging it is seen that this issue is seen when multi_tenancy is not set "/etc/contrail/contrail-api.conf"

Tags:

Akila (akila-a) on 2016-05-18

information type:

Proprietary → Public

Akila (akila-a) on 2016-05-18

summary:

- When rbac is enabled, new admin token gets fetched and been used as
- owner rather than using the actual user token
+ RBAC - When RBAC is enabled, new admin token gets fetched and been used
+ as owner rather than using the actual user token

Jeba Paulaiyan (jebap) on 2016-05-19

tags:	added: config
Changed in juniperopenstack:
importance:	Undecided → High

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-08-03: [Review update] R3.1

Review in progress for https://review.opencontrail.org/22792
Submitter: Deepinder Setia (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-08-03: A change has been merged

Reviewed: https://review.opencontrail.org/22792
Committed: http://github.org/Juniper/contrail-provisioning/commit/da76c6c402c2a5a2fe90901010c2ca00fedafd9d
Submitter: Zuul
Branch: R3.1

commit da76c6c402c2a5a2fe90901010c2ca00fedafd9d
Author: Deepinder Setia <email address hidden>
Date: Wed Aug 3 00:19:05 2016 -0700

When rbac is configured (aaa_mode is rbac), setup neutron pipeline
to pass user token to API server

Change-Id: I0d9e9b6559423ae74ba042333e1a5b54f0e91c84
Closes-Bug: #1583241

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-08-16: [Review update] R3.0

Review in progress for https://review.opencontrail.org/23317
Submitter: Deepinder Setia (<email address hidden>)

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.