Build 2739: Cloud-admin user not able to access analytics-api

Bug #1600699 reported by Ankit Jain
This bug affects 1 person
Affects            Status                   Importance  Assigned to  Milestone
Juniper Openstack  Status tracked in Trunk
  R3.0             Fix Committed            Medium      Megh Bhatt
  R3.1             Fix Committed            Medium      Megh Bhatt
  Trunk            Fix Committed            Medium      Megh Bhatt

Bug Description

After enabling multi-tenancy in contrail-analytics-api.conf, I see that a user with the cloud admin role could not get access to analytics-api. Users with the admin role could get access to analytics-api. As per commit https://review.opencontrail.org/21038, I think only the cloud-admin role should be sufficient to access analytics-api.

root@nodeg13:/etc/contrail# keystone user-role-list --user tester

+----------------------------------+-------------+----------------------------------+----------------------------------+
|                id                |     name    |             user_id              |            tenant_id             |
+----------------------------------+-------------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab |   _member_  | 98889d0bb11042dfb835a4794efce240 | b783d71593a54f748f681a1e9a86fef1 |
| bb7e5caf14524baaab2a76dfea83b40a | cloud-admin | 98889d0bb11042dfb835a4794efce240 | b783d71593a54f748f681a1e9a86fef1 |
+----------------------------------+-------------+----------------------------------+----------------------------------+

keystone token-get

+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2016-06-30T12:33:18Z       |
|     id    | 3795d3a53c1f4559b4bee7b669aef022 |
| tenant_id | b783d71593a54f748f681a1e9a86fef1 |
|  user_id  | 98889d0bb11042dfb835a4794efce240 |
+-----------+----------------------------------+

curl -s -H "X-Auth-Token: $(keystone token-get | awk '/ id / {print $4}')" nodeg13:8081/analytics/uves/analytics-node/nodeg13

Authentication required

Tags: analytics
Megh Bhatt (meghb)
Changed in juniperopenstack:
importance: Undecided → Medium
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/21864
Submitter: Megh Bhatt (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.1

Review in progress for https://review.opencontrail.org/21997
Submitter: Megh Bhatt (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/21864
Committed: http://github.org/Juniper/contrail-controller/commit/764377440775bd9044609f1f4eb7eed77abe1969
Submitter: Zuul
Branch: master

commit 764377440775bd9044609f1f4eb7eed77abe1969
Author: Megh Bhatt <email address hidden>
Date: Tue Jul 12 00:10:46 2016 -0700

Change cloud admin role name to "cloud-admin" from "admin" for
analytics API access

Change-Id: I8b1dd26555b0c2f28a7ad95cb0afec3f2b4cf4f4
Closes-Bug: #1600699

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/21997
Committed: http://github.org/Juniper/contrail-controller/commit/8c131016252a22c52cdfab8042571598818f82c3
Submitter: Zuul
Branch: R3.1

commit 8c131016252a22c52cdfab8042571598818f82c3
Author: Megh Bhatt <email address hidden>
Date: Tue Jul 12 00:10:46 2016 -0700

Change cloud admin role name to "cloud-admin" from "admin" for
analytics API access

Change-Id: I8b1dd26555b0c2f28a7ad95cb0afec3f2b4cf4f4
Closes-Bug: #1600699

Ankit Jain (ankitja) wrote :

Hi Megh,

This does not seem to work in R3.1 build 2.

I added the following 2 lines in contrail-analytics-api.conf and tested the same.

multi_tenancy = True
cloud_admin_role = cloud-admin

I'm seeing Internal Server Error

curl -s -H "X-Auth-Token: $(keystone token-get | awk '/ id / {print $4}')" nodeg13:8081/analytics/uves/analytics-node/nodeg13

Could you please check this?

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0

Review in progress for https://review.opencontrail.org/22539
Submitter: Megh Bhatt (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/22536
Submitter: Megh Bhatt (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/22536
Committed: http://github.org/Juniper/contrail-controller/commit/761ffd96941cd9ec2f670675fbe553080c4790ec
Submitter: Zuul
Branch: R3.0

commit 761ffd96941cd9ec2f670675fbe553080c4790ec
Author: Megh Bhatt <email address hidden>
Date: Wed Jun 8 18:21:34 2016 -0700

1. Add option for cloud admin access only for analytics REST API

Allow cloud admin role access only for analytics REST API controlled
via --cloud_admin_access_only currently defaulted to False but will default
to True once provisioning changes are done. contrail-analytics-api will
validate role from the X-Auth-Token header via vnc_api/contrail-api. For
debug/administration a localhost bound port 8181 - --admin_port is provided
that requires basic HTTP access authentication.

Clients of analytics REST API - contrail-flows, contrail-logs, contrail-stats,
contrail-topology are changed to use admin port. contrail-svc-monitor is changed
to use auth token.

Conflicts:
 src/opserver/SConscript

Partial-Bug: #1461175
(cherry picked from commit 5492f71383123fea8240ca265e125aee28d9349f)

2. Rename cloud_admin_access_only to multi_tenancy in contrail-analytics-api

Closes-Bug: #1461175
(cherry picked from commit 36df0991a47068bcb6af8cd219e416e2ca60d4cd)

3. for bool option, a conversion from string to bool is required.
Closes-Bug: #1595044

(cherry picked from commit 1d6b81bccf5a7aee39fbb60bd25152e1b8726206)

4. Change cloud admin role name to "cloud-admin" from "admin" for
analytics API access

Closes-Bug: #1600699
(cherry picked from commit 8c131016252a22c52cdfab8042571598818f82c3)

5. Rename multi_tenancy to aaa_mode for analytics API

Handle keystone v2 and v3 token infos returned by
VNC API. Enable cloud-admin-only aaa_mode by default

Change analytics DB and underlay to overlay mapper to
use local admin port when querying opserver

Do not cache auth_token in vnc lib

Closes-Bug: #1599654
(cherry picked from commit a2a7c9248b3d9830d491ab6baf7d21bd9aa64ff6)

6. Changes to bring analytics authenticated access in sync with config

1. Rename aaa_mode value cloud-admin-only to cloud-admin
2. CLOUD_ADMIN_ROLE defaults to admin instead of cloud-admin

Partial-Bug: #1607563
(cherry picked from commit 42db6e38e55bc2410297a99c2af3bea03faa938c)

7. Fix missing import of OpServerUtils in analytics_db.py

Closes-Bug: #1609054
(cherry picked from commit cf5f0567c9bb03e83cd83515b775d2018e668d0c)

8. Remove aaa_mode value cloud-admin-only

Closes-Bug: #1609987

9. Keep on trying to create VNC API client from analytics API

The gevent that creates the VNC API client was exiting due to
authentication failure exception. Changed code to handle all
exceptions and keep on trying to create the API client. The
node status will show the API connection down in case we are
not able to create the VNC API client.

Closes-Bug: #1611158
(cherry picked from commit 8072aa5ffd37e4082d7ae9697020a6160e8d2682)

10. Keystone middleware doesn't like if token is unicode. It must be converted
to string before validation.

Fixes-Bug: #1604773
(cherry picked from commit 18df64367eb5468bbca403aef4f2d22d02be4636)

11. Change the obj-perms API to pass in the user token in HTTP headers

...
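
Added example (not part of the bug report and not contrail-controller's code): a minimal Python sketch of the role gate this thread is about, showing why the cloud-admin user from the report is rejected when the service expects the role name "admin", and why the multi_tenancy option string needs an explicit conversion to bool. The [DEFAULTS] section name, the helper names and the default_role parameter are assumptions for illustration.

```python
import configparser

# Constructed sample config: the two settings quoted in the thread,
# placed under an assumed [DEFAULTS] section.
SAMPLE_CONF = """
[DEFAULTS]
multi_tenancy = True
cloud_admin_role = cloud-admin
"""

_TRUE = {"true", "1", "yes", "on"}
_FALSE = {"false", "0", "no", "off"}


def parse_bool(raw):
    """Convert an option string to bool. bool("False") is True, so a plain
    cast would silently turn a disabled security switch into an enabled one."""
    value = str(raw).strip().lower()
    if value in _TRUE:
        return True
    if value in _FALSE:
        return False
    # Refuse to guess: an unreadable security toggle should stop startup.
    raise ValueError("not a boolean: %r" % (raw,))


def load_settings(text, default_role="admin"):
    """Read the two options; default_role is a hypothetical fallback."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sec = cp["DEFAULTS"]
    return {
        "multi_tenancy": parse_bool(sec.get("multi_tenancy", fallback="False")),
        "cloud_admin_role": sec.get("cloud_admin_role", fallback=default_role).strip(),
    }


def is_authorized(settings, token_roles):
    """token_roles: role names from a validated token, or None if validation failed."""
    if not settings["multi_tenancy"]:
        return True   # role enforcement is switched off in this sketch
    if token_roles is None:
        return False  # missing or invalid token is always denied
    # Exact role-name match: "admin" and "cloud-admin" are different roles.
    return settings["cloud_admin_role"] in token_roles


# Roles of user "tester", taken from the keystone user-role-list output above.
TESTER_ROLES = ["_member_", "cloud-admin"]
```

With cloud_admin_role set to "admin" the tester user is denied, which matches the behaviour in the original report; with "cloud-admin" the same token roles pass.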
