non-admin can create and list bgpspeakers but can not show or update speaker

Bug #1583958 reported by flynnmmm
Affects | Status | Importance | Assigned to | Milestone
neutron | Fix Released | Undecided | Ryan Tidwell |

Bug Description

Here is the configuration:
[root@SG-dev-flynn-3-fwaas devstack]# source openrc demo demo
WARNING: setting legacy OS_TENANT_NAME to support cli tools.
[root@SG-dev-flynn-3-fwaas devstack]# nova list
+----+------+--------+------------+-------------+----------+
| ID | Name | Status | Task State | Power State | Networks |
+----+------+--------+------------+-------------+----------+
+----+------+--------+------------+-------------+----------+
[root@SG-dev-flynn-3-fwaas devstack]# neutron bgp-speaker-create --ip-version 4 --local-as 777 106
Created a new bgp_speaker:
+-----------------------------------+--------------------------------------+
| Field | Value |
+-----------------------------------+--------------------------------------+
| advertise_floating_ip_host_routes | True |
| advertise_tenant_networks | True |
| id | ee03ac3c-81c8-46ce-abad-e3fac4877e87 |
| ip_version | 4 |
| local_as | 777 |
| name | 106 |
| networks | |
| peers | |
| tenant_id | 01c10991df8749d8a79694dad6dfb836 |
+-----------------------------------+--------------------------------------+
[root@SG-dev-flynn-3-fwaas devstack]# neutron bgp-speaker-create --ip-version 4 --local-as 7788 101
Created a new bgp_speaker:
+-----------------------------------+--------------------------------------+
| Field | Value |
+-----------------------------------+--------------------------------------+
| advertise_floating_ip_host_routes | True |
| advertise_tenant_networks | True |
| id | cb0a27e5-42a6-44c1-914b-9bce85a4d1e1 |
| ip_version | 4 |
| local_as | 7788 |
| name | 101 |
| networks | |
| peers | |
| tenant_id | 01c10991df8749d8a79694dad6dfb836 |
+-----------------------------------+--------------------------------------+
[root@SG-dev-flynn-3-fwaas devstack]# neutron bgp-speaker-list
+--------------------------------------+------+----------+------------+
| id | name | local_as | ip_version |
+--------------------------------------+------+----------+------------+
| cb0a27e5-42a6-44c1-914b-9bce85a4d1e1 | 101 | 7788 | 4 |
| ee03ac3c-81c8-46ce-abad-e3fac4877e87 | 106 | 777 | 4 |
+--------------------------------------+------+----------+------------+
[root@SG-dev-flynn-3-fwaas devstack]# neutron bgp-speaker-show cb0a27e5-42a6-44c1-914b-9bce85a4d1e1
Failed to check policy tenant_id:%(tenant_id)s because Unable to verify match:%(tenant_id)s as the parent resource: tenant was not found.
Neutron server returns request_ids: ['req-bff87635-2767-4bfd-b6e0-cc1399136d88']
[root@SG-dev-flynn-3-fwaas devstack]# neutron bgp-speaker-show 101
Failed to check policy tenant_id:%(tenant_id)s because Unable to verify match:%(tenant_id)s as the parent resource: tenant was not found.
Neutron server returns request_ids: ['req-fd336b49-70e3-4a20-ba2d-9ca9889ea05c']
[root@SG-dev-flynn-3-fwaas devstack]# neutron bgp-speaker-show 106
Failed to check policy tenant_id:%(tenant_id)s because Unable to verify match:%(tenant_id)s as the parent resource: tenant was not found.
Neutron server returns request_ids: ['req-70354c3c-d59a-4f69-ba3a-54edbce12e44']
[root@SG-dev-flynn-3-fwaas devstack]# neutron bgp-speaker-update --advertise-floating-ip-host-routes=False 106
Failed to check policy tenant_id:%(tenant_id)s because Unable to verify match:%(tenant_id)s as the parent resource: tenant was not found.
Neutron server returns request_ids: ['req-a13edca8-7d55-4568-a94f-a6bd228923fc']

Tags: l3-bgp
Na Zhu (nazhu) wrote :

In the file bgp_plugin.py, the function policy.check_is_admin() is called. I think we should check the result of the function; if it is false, do not allow the operation and throw an error.

Changed in neutron:
assignee: nobody → Na Zhu (nazhu)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-dynamic-routing (master)

Fix proposed to branch: master
Review: https://review.openstack.org/319558

Changed in neutron:
status: New → In Progress
zhaobo (zhaobo6) wrote :

Hi, nazhu. I'm testing on stable/mitaka, and I use the same tenant demo as you. I found something strange in your bug description: why can you create a speaker with tenant demo, and list speakers but not show them? I use devstack with mitaka/stable, but I cannot create a speaker with tenant demo normally, and I didn't change anything towards it.
[root@localhost devstack]# neutron bgp-speaker-create test --local-as 767 --ip-version 4
rule:create_bgp_speaker on {u'name': u'test', 'tenant_id': u'7c1422d232944a46acc240c1b15fa613', u'local_as': u'767', u'ip_version': 4, 'advertise_floating_ip_host_routes': True, 'advertise_tenant_networks': True} by {'domain': None, 'project_name': u'demo', 'tenant_name': u'demo', 'project_domain': None, 'timestamp': '2016-05-23 03:10:36.736283', 'auth_token': '6bfab3ddab474097b9e02dfd0c51f037', 'resource_uuid': None, 'is_admin': False, 'user': u'8583ba1f36e24acdb2660f9f991f6d38', 'tenant': u'7c1422d232944a46acc240c1b15fa613', 'read_only': False, 'project_id': u'7c1422d232944a46acc240c1b15fa613', 'user_id': u'8583ba1f36e24acdb2660f9f991f6d38', 'show_deleted': False, 'roles': [u'Member', u'anotherrole'], 'user_identity': '8583ba1f36e24acdb2660f9f991f6d38 7c1422d232944a46acc240c1b15fa613 - - -', 'tenant_id': u'7c1422d232944a46acc240c1b15fa613', 'request_id': 'req-775b7afa-193d-4674-a7f8-6045174d87a2', 'user_domain': None, 'user_name': u'demo'} disallowed by policy
Neutron server returns request_ids: ['req-775b7afa-193d-4674-a7f8-6045174d87a2']

Changed in neutron:
assignee: Na Zhu (nazhu) → Ryan Tidwell (ryan-tidwell)
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-dynamic-routing (master)

Reviewed: https://review.openstack.org/319558
Committed: https://git.openstack.org/cgit/openstack/neutron-dynamic-routing/commit/?id=62cb5c418442adc71469d74106839ad041b940ff
Submitter: Jenkins
Branch: master

commit 62cb5c418442adc71469d74106839ad041b940ff
Author: Na <email address hidden>
Date: Sat May 21 05:49:50 2016 -0700

    Fix the policy check for BGP APIs

    Only admin can configure BGP; this patch adds a policy check
    for BGP APIs.

    Change-Id: I5ce602202c52542792cc5b22e58e0ed074e09d7d
    Closes-Bug: #1583958

Changed in neutron:
status: In Progress → Fix Released
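
The pattern discussed in this thread (an admin check that is called but whose result is not acted on, versus one enforced on every BGP speaker operation) as a small self-contained model. This is an added example, not neutron-dynamic-routing code: `SpeakerPlugin`, `honour_check`, `denied_operations` and this body of `check_is_admin` are hypothetical, the speaker data is constructed, and the model does not reproduce the policy-engine error shown for show/update in the bug description.

```python
def check_is_admin(context):
    # Hypothetical stand-in for the helper named in the thread; returns a bool.
    return bool(context.get("is_admin"))

class SpeakerPlugin:
    """Toy model of a plugin exposing the four speaker operations from the report."""
    def __init__(self, honour_check):
        self.honour_check = honour_check
        self.speakers = {"s1": {"id": "s1", "local_as": 777}}  # constructed fixture

    def _authorize(self, context, action):
        allowed = check_is_admin(context)
        # honour_check=False models calling the check and discarding its result.
        if self.honour_check and not allowed:
            raise PermissionError(action)

    def create_bgp_speaker(self, context, sid, local_as):
        self._authorize(context, "create_bgp_speaker")
        self.speakers[sid] = {"id": sid, "local_as": local_as}
        return self.speakers[sid]

    def get_bgp_speakers(self, context):
        self._authorize(context, "get_bgp_speakers")
        return list(self.speakers.values())

    def get_bgp_speaker(self, context, sid):
        self._authorize(context, "get_bgp_speaker")
        return self.speakers[sid]

    def update_bgp_speaker(self, context, sid, **fields):
        self._authorize(context, "update_bgp_speaker")
        self.speakers[sid].update(fields)
        return self.speakers[sid]

def denied_operations(plugin, context):
    """Try every speaker operation as `context`; return the names that were refused."""
    calls = {
        "create": lambda: plugin.create_bgp_speaker(context, "s2", 7788),
        "list": lambda: plugin.get_bgp_speakers(context),
        "show": lambda: plugin.get_bgp_speaker(context, "s1"),
        "update": lambda: plugin.update_bgp_speaker(context, "s1", name="renamed"),
    }
    denied = set()
    for name, call in calls.items():
        try:
            call()
        except PermissionError:
            denied.add(name)
    return denied
```

Running `denied_operations` for a non-admin context against every operation of a resource is a cheap regression check that the authorization decision is the same for create, list, show and update.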
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-dynamic-routing (master)

Fix proposed to branch: master
Review: https://review.openstack.org/341207

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-dynamic-routing (master)

Change abandoned by fumihiko kakuma (<email address hidden>) on branch: master
Review: https://review.openstack.org/341207
Reason: This is a duplicate of https://review.openstack.org/#/c/333668.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/neutron-dynamic-routing 9.0.0.0b2

This issue was fixed in the openstack/neutron-dynamic-routing 9.0.0.0b2 development milestone.
