RBAC - default-domain:default-api-access list needs to be updated with creds to certain objects

Bug #1583745 reported by Akila
Affects             Status      Importance  Assigned to      Milestone
Juniper Openstack   Won't Fix   High        Deepinder Setia  R3.1
                    Won't Fix   High        Deepinder Setia  Trunk
                    Won't Fix   High        Deepinder Setia

Bug Description

RBAC - default-domain:default-api-access list needs to be updated with minimal R cred for all users

Currently the default-api-access does not have 'project' read access for any role including admin, because of which the admin is not able to create a network in his tenant. This fails at the o=project, op=R step:

root@a5d02e33:~# neutron net-create test-rbac
An unknown exception occurred.
root@a5d02e33:~#

DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: u=new-rbac-admin, r=[u'admin', u'_member_'], o=project, op=R, rules=5, proj:a1c652329baf451b8ba1e1b9f1282b1c(new-rbac-tenant), dom:None
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id *:CRUD, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname *:CRUD, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 3) documentation *:R, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 4) virtual-network.* admin:CRUD,Member:CRU,test:R, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 5) virtual-networks.* admin:CRUD,Member:CRU,test:R, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: --- admin=no, u=new-rbac-admin, r='admin,_member_'

root@a5d02e33:~# keystone token-get
+-----------+----------------------------------+
| Property | Value |
+-----------+----------------------------------+
| expires | 2016-05-19T18:31:29Z |
| id | 53ba33256b6f4ffebe984757c0bc0c5a |
| tenant_id | a1c652329baf451b8ba1e1b9f1282b1c |
| user_id | 2d999d17d7364807b93e9ddf19ae0882 |
+-----------+----------------------------------+
root@a5d02e33:~#
root@a5d02e33:~# curl -H 'X-AUTH-TOKEN: 53ba33256b6f4ffebe984757c0bc0c5a' http://127.0.0.1:8082/project/a1c652329baf451b8ba1e1b9f1282b1c
Permission Denied
root@a5d02e33:~# keystone tenant-list
+----------------------------------+--------------------+---------+
| id | name | enabled |
+----------------------------------+--------------------+---------+
| 10357a4826cb4068bb7afc6b4f788291 | admin | True |
| 2fa850a59eec4c94b2f9d73e62122d5b | demo | True |
| 38f63c3f64f44f6c98f686fb6688b10b | invisible_to_admin | True |
| a1c652329baf451b8ba1e1b9f1282b1c | new-rbac-tenant | True |
| 254090e351f54abe97108f4696712b32 | rbac-test | True |
| 44091587af0946cca15b8d3a8b7e3dbe | service | True |
+----------------------------------+--------------------+---------+
root@a5d02e33:~# keystone user-role-list --user new-rbac-admin --tenant a1c652329baf451b8ba1e1b9f1282b1c
+----------------------------------+----------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 2d999d17d7364807b93e9ddf19ae0882 | a1c652329baf451b8ba1e1b9f1282b1c |
| 08843657439f4db690a96ce9e6962e93 | admin | 2d999d17d7364807b93e9ddf19ae0882 | a1c652329baf451b8ba1e1b9f1282b1c |
+----------------------------------+----------+----------------------------------+----------------------------------+
root@a5d02e33:~#

root@a5d02e33:~# env | grep OS
OS_PASSWORD=rbac123
OS_AUTH_URL=http://10.87.129.224:5000/v2.0/
OS_USERNAME=new-rbac-admin
OS_TENANT_NAME=new-rbac-tenant
OS_NO_CACHE=1
LESSCLOSE=/usr/bin/lesspipe %s %s
root@a5d02e33:~#

After adding "project *:R", admin is able to create a network:

10.87.143.116 - - [2016-05-19 11:06:53] "GET /project/a1c65232-9baf-451b-8ba1-e1b9f1282b1c HTTP/1.1" 401 196 0.017696
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: u=new-rbac-admin, r=[u'admin', u'_member_'], o=project, op=R, rules=6, proj:a1c652329baf451b8ba1e1b9f1282b1c(new-rbac-tenant), dom:None
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id *:CRUD, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname *:CRUD, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 3) documentation *:R, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 4) project.* *:R, (1,True)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 5) virtual-network.* admin:CRUD,Member:CRU,test:R, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 6) virtual-networks.* admin:CRUD,Member:CRU,test:R, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: +++ admin=no, u=new-rbac-admin, r='admin,_member_'

root@a5d02e33:~# neutron net-create net-2
Created a new network:
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| admin_state_up | True |
| contrail:fq_name | default-domain |
| | new-rbac-tenant |
| | net-2 |
| contrail:instance_count | 0 |
| id | 4627a227-5b67-4195-9f84-e6993f5ad4e0 |
| name | net-2 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | a1c652329baf451b8ba1e1b9f1282b1c |
+-------------------------+--------------------------------------+
root@a5d02e33:~#

Please provide the following access:

ref-update *:CRUD
useragent-kv *:CRUD
* *:R
api-access-lists admin:CRUD
api-access-list admin:CRUD
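A simplified simulation of the rule walk shown in the log excerpts above, added here as an illustration and not Contrail's own code: it parses the rule lines in the report's own syntax, evaluates the five-rule default list, the six-rule list with "project *:R" added, and the list requested above, and returns the first rule that grants o=project, op=R to a user holding admin and _member_. It assumes exact role-name comparison, ignores the field part of the object (the ".*"), and ignores any cloud-admin bypass (the log shows admin=no, so the list is consulted).

```python
# Added example (not Contrail's own code): simplified api-access-list evaluation.
# Rule syntax, as in the report's log lines:
#   '<object>[.<field>] <role>:<perms>[,<role>:<perms>...]'
# '*' matches any object or any role; perms are a subset of 'CRUD'.
# Assumptions: exact role-name match, field part ignored, no cloud-admin bypass.

ROLES = ["admin", "_member_"]  # from r=[u'admin', u'_member_'] in the log

# The five rules from the first log excerpt (project read denied)
DEFAULT_RULES = [
    "fqname-to-id *:CRUD",
    "id-to-fqname *:CRUD",
    "documentation *:R",
    "virtual-network.* admin:CRUD,Member:CRU,test:R",
    "virtual-networks.* admin:CRUD,Member:CRU,test:R",
]
# The six rules from the second excerpt, after "project *:R" was added
FIXED_RULES = DEFAULT_RULES[:3] + ["project.* *:R"] + DEFAULT_RULES[3:]
# The list the reporter asks for at the end of the description
REQUESTED_RULES = [
    "ref-update *:CRUD", "useragent-kv *:CRUD", "* *:R",
    "api-access-lists admin:CRUD", "api-access-list admin:CRUD",
]

def parse_rule(rule):
    """'virtual-network.* admin:CRUD,Member:CRU' -> ('virtual-network', {role: perms})."""
    obj, _, role_perms = rule.partition(" ")
    obj_type = obj.split(".", 1)[0]          # drop the '.<field>' part
    perms = {}
    for entry in role_perms.split(","):
        role, _, p = entry.partition(":")
        perms[role.strip()] = p.strip().upper()
    return obj_type, perms

def rule_grants(rule, roles, obj_type, op):
    """True if the rule covers obj_type and one of the user's roles carries op."""
    rule_obj, perms = parse_rule(rule)
    if rule_obj not in ("*", obj_type):
        return False
    return any((role == "*" or role in roles) and op in p
               for role, p in perms.items())

def evaluate(rules, roles, obj_type, op):
    """Walk the list in order; return (1-based index of first granting rule, True),
    or (-1, False) when no rule grants the operation (a permission denied)."""
    for idx, rule in enumerate(rules, start=1):
        if rule_grants(rule, roles, obj_type, op):
            return idx, True
    return -1, False

if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_RULES), ("fixed", FIXED_RULES),
                        ("requested", REQUESTED_RULES)):
        print(name, "o=project op=R ->", evaluate(rules, ROLES, "project", "R"))
```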

Tags: config rbac
Akila (akila-a)
information type: Proprietary → Public
Akila (akila-a)
summary: - RBAC - default-domain:default-api-access list needs to be updated with
- minimal R cred for all users
+ RBAC - default-domain:default-api-access list needs to be updated creds
+ to certain objects
description: updated
summary: - RBAC - default-domain:default-api-access list needs to be updated creds
- to certain objects
+ RBAC - default-domain:default-api-access list needs to be updated with
+ creds to certain objects
Jeba Paulaiyan (jebap)
tags: added: config
Changed in juniperopenstack:
importance: Undecided → High
Akila (akila-a)
description: updated
Akila (akila-a)
description: updated
Deepinder Setia (dsetia) wrote :

Not relevant as it is superseded by 1604197

Jeba Paulaiyan (jebap)
Changed in juniperopenstack:
status: New → Won't Fix