rbac: after deletion of global-config-acl, admin not able create it

Bug #1607989 reported by shajuvk
This bug affects 1 person
Affects             Status           Importance   Assigned to       Milestone
Juniper Openstack   Status tracked in Trunk
  R3.0              Fix Committed    High         Deepinder Setia
  R3.1              Fix Committed    High         Deepinder Setia
  R3.2              Fix Committed    High         Deepinder Setia
  Trunk             Fix Committed    High         Deepinder Setia

Bug Description

We need to either block admin from deletion of global-config-acl or the creation of it should be allowed after deletion:

root@a5s7:/opt/contrail/utils# python rbacutil.py --name "default-global-system-config:default-api-access-list" --op read
Rbac is enabled

Oper = read
Name = ['default-global-system-config', 'default-api-access-list']
UUID = None
API Server = 127.0.0.1:8082

Rules (3):
----------
 1 fqname-to-id *:CRUD,
 2 id-to-fqname *:CRUD,
 3 documentation *:R,

root@a5s7:/opt/contrail/utils# python rbacutil.py --name "default-global-system-config:default-api-access-list" --op delete
Rbac is enabled

Oper = delete
Name = ['default-global-system-config', 'default-api-access-list']
UUID = None
API Server = 127.0.0.1:8082

Rules (3):
----------
 1 fqname-to-id *:CRUD,
 2 id-to-fqname *:CRUD,
 3 documentation *:R,

Confirm (y/n): y
root@a5s7:/opt/contrail/utils# python rbacutil.py --name "default-global-system-config:default-api-access-list" --op read
Permission Denied
Rbac not supported

root@a5s7:/opt/contrail/utils# env | grep OS
OS_PASSWORD=contrail123
OS_AUTH_URL=http://192.168.10.2:5000/v2.0/
OS_USERNAME=admin
OS_TENANT_NAME=admin
OS_NO_CACHE=1
LESSCLOSE=/usr/bin/lesspipe %s %s
root@a5s7:/opt/contrail/utils# python rbacutil.py --name "default-global-system-config:default-api-access-list" --op create
Permission Denied
Rbac not supported

Tags: blocker rbac
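
An added example, not part of the report or of the Contrail code: a small parser for the rbacutil.py replies shown in the session above, usable to snapshot the ACL rules before a delete and to flag the locked-out reply afterwards. The function names and the reading of `*` as the role field are assumptions.

```python
import re

# Replies the report shows for both read and create once the ACL is gone.
LOCKOUT_MARKERS = ("Permission Denied", "Rbac not supported")
COUNT_RE = re.compile(r"^Rules \((\d+)\):")
# e.g. " 1 fqname-to-id *:CRUD," (reading "*" as the role is an assumption)
RULE_RE = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+?):([CRUD]+),?\s*$")

# Sample input copied from the session in the report.
READ_OK = """Rbac is enabled

Oper = read
Name = ['default-global-system-config', 'default-api-access-list']
UUID = None
API Server = 127.0.0.1:8082

Rules (3):
----------
 1 fqname-to-id *:CRUD,
 2 id-to-fqname *:CRUD,
 3 documentation *:R,
"""
READ_AFTER_DELETE = "Permission Denied\nRbac not supported\n"


def parse_rbacutil(output):
    """Classify one rbacutil.py reply as ok, locked_out or unknown."""
    lines = output.splitlines()
    if any(line.strip() in LOCKOUT_MARKERS for line in lines):
        return {"state": "locked_out", "rules": []}
    declared, rules = None, []
    for line in lines:
        count = COUNT_RE.match(line)
        rule = RULE_RE.match(line)
        if count:
            declared = int(count.group(1))
        elif rule:
            rules.append(rule.groups())  # (object, role, perms)
    # A truncated or reformatted reply must not pass as a healthy ACL.
    state = "ok" if declared == len(rules) else "unknown"
    return {"state": state, "rules": rules}


def missing_rules(baseline_output, current_output):
    """Rules present in the saved baseline but absent from the current reply."""
    current = set(parse_rbacutil(current_output)["rules"])
    return [r for r in parse_rbacutil(baseline_output)["rules"] if r not in current]
```

Saving the `--op read` reply before any `--op delete` gives `missing_rules` a baseline from which the lost rules can be listed for re-creation.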
shajuvk (shajuvk)
Changed in juniperopenstack:
assignee: nobody → Deepinder Setia (dsetia)
shajuvk (shajuvk)
summary: - rbac: after deletetion of global-config-acl, admin not able create it
+ rbac: after deletion of global-config-acl, admin not able create it
shajuvk (shajuvk) wrote :

Marking it as a blocker; it is a functionality blocker.

tags: added: blocker
shajuvk (shajuvk)
information type: Proprietary → Public
Deepinder Setia (dsetia) wrote :

Shaju, can you check if this is still a problem?

Deepinder Setia (dsetia) wrote :

I think this might have been fixed by https://review.opencontrail.org/#/c/22683/

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.1

Review in progress for https://review.opencontrail.org/23073
Submitter: Deepinder Setia (<email address hidden>)

Deepinder Setia (dsetia)
Changed in juniperopenstack:
status: New → In Progress
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/23073
Committed: http://github.org/Juniper/contrail-controller/commit/5d0a563f681d796f3c5aca8fd2c319e3463b0aa0
Submitter: Zuul
Branch: R3.1

commit 5d0a563f681d796f3c5aca8fd2c319e3463b0aa0
Author: Deepinder Setia <email address hidden>
Date: Mon Aug 8 17:29:02 2016 -0700

Skip redundant (and sometimes spurious) checks if admin.

Change-Id: Iac78e812a98fe6a09444613e146d6f4cffc24834
Closes-Bug: 1607989

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0

Review in progress for https://review.opencontrail.org/23322
Submitter: Deepinder Setia (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/23322
Committed: http://github.org/Juniper/contrail-controller/commit/8dd22ef3e30fcc6ba26962500f7a6dbc068bcf34
Submitter: Zuul
Branch: R3.0

commit 8dd22ef3e30fcc6ba26962500f7a6dbc068bcf34
Author: Deepinder Setia <email address hidden>
Date: Mon Aug 8 17:29:02 2016 -0700

Skip redundant (and sometimes spurious) checks if admin.

Closes-Bug: 1607989

Conflicts:
 src/config/api-server/vnc_rbac.py

Change-Id: Ib28628a9d9b4b263ad29d83359d86397eca99dd2

Jeba Paulaiyan (jebap)
Changed in juniperopenstack:
milestone: none → r3.2.0.0-fcs