Juniper Openstack

Rbac:R3.0-59-Some VM's going to error state if we crate multiple VM's as _member_

Bug #1621272 reported by shajuvk on 2016-09-07

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Juniper Openstack	Status tracked in Trunk
R3.0	Fix Committed	High	Deepinder Setia	Juniper Openstack r3.0.3.0
R3.1	Fix Committed	High	Deepinder Setia	Juniper Openstack r3.1.1.0
Trunk	Fix Committed	High	Deepinder Setia	Juniper Openstack r3.2.0.0-fcs "r3.2.0.0"

Bug Description

VMs are created on tenant2 as user2-tenant2. But for one of the vm the the owner is service tenant. (own=0762bd818f904a69b247c5c3be73acb4) causing the issue

09/07/2016 03:21:15 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: +++ admin=no, u=user1-tenant2, r='_member_'
09/07/2016 03:21:15 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: +++ (R:e6739af1-866a-416c-b484-c88a8afa626c) "virtual_network" ["default-domain", "tenant2", "vn1-tenant2-e6739af1-866a
-416c-b484-c88a8afa626c"] admin=no, mode=444 mask=707 perms=700, (usr=b032829dcaa448c794e6e05e377b85b8(tenant2)/own=b032829dcaa448c794e6e05e377b85b8/sh=[])
09/07/2016 03:21:15 PM [contrail-api]: __default__ [SYS_INFO]: VncApiStatsLog: api_stats = << operation_type = GET user = user1-tenant2 useragent = a5s8:/usr/bin/contrail-api remote_ip = 127.0.0.1:9
100 domain_name = default-domain project_name = tenant2 object_type = virtual_network response_time_in_usec = 8270 response_size = 1804 resp_code = 200 >>
09/07/2016 03:21:15 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: u=user1-tenant2, r=[u'_member_'], o=instance-ips, op=R, rules=7, proj:b032829dcaa448c794e6e05e377b85b8(tenant2), dom:No
ne
09/07/2016 03:21:15 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id *:CRUD, (-1,False)
09/07/2016 03:21:15 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname *:CRUD, (-1,False)
09/07/2016 03:21:15 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 3) useragent-kv *:CRUD, (-1,False)
09/07/2016 03:21:15 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 4) documentation *:R, (-1,False)
09/07/2016 03:21:15 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 5) / *:R, (-1,False)
09/07/2016 03:21:15 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 6) *.* role-test1:CRUD,_member_:CRUD, (0,True)
09/07/2016 03:21:15 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 7) *.* _member_:CRUD, (0,True)
09/07/2016 03:21:15 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: +++ admin=no, u=user1-tenant2, r='_member_'
09/07/2016 03:21:15 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: --- (R:38323b6c-3587-4b78-881a-e90a48656f34) "instance_ip" ["38323b6c-3587-4b78-881a-e90a48656f34"] admin=no, mode=444
mask=007 perms=700, (usr=b032829dcaa448c794e6e05e377b85b8(tenant2)/own=0762bd818f904a69b247c5c3be73acb4/sh=[])
09/07/2016 03:21:15 PM [contrail-api]: __default__ [SYS_NOTICE]: VncApiError: rbac: user1-tenant2 doesn't have read permission in tenant 0762bd818f904a69b247c5c3be73acb4
09/07/2016 03:21:15 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: --- (R:f34a9ad2-f4e4-4d09-ac58-7ea09030a069) "instance_ip" ["f34a9ad2-f4e4-4d09-ac58-7ea09030a069"] admin=no, mode=444 mask=007 perms=700, (usr=b032829dcaa448c794e6e05e377b85b8(tenant2)/own=0762bd818f904a69b247c5c3be73acb4/sh=[])
09/07/2016 03:21:15 PM [contrail-api]: __default__ [SYS_NOTICE]: VncApiError: rbac: user1-tenant2 doesn't have read permission in tenant 0762bd818f904a69b247c5c3be73acb4
09/07/2016 03:21:15 PM [contrail-api]: __default__ [SYS_INFO]: VncApiStatsLog: api_stats = << operation_type = GET user = user1-tenant2 useragent = a5s8:/usr/bin/contrail-api remote_ip = 127.0.0.1:9100 domain_name = default-domain project_name = tenant2 object_type = instance_ip response_time_in_usec = 10514 response_size = 20 resp_code = 200 >>

Tags:

shajuvk (shajuvk) on 2016-09-07

tags:	added: rbac
summary:	Rbac:R3.0-59-Some VM's going to error state if we crate multiple VM's + as _member_

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-09-08: [Review update] R3.0

Review in progress for https://review.opencontrail.org/23990
Submitter: Deepinder Setia (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-09-09: [Review update] master

Review in progress for https://review.opencontrail.org/24030
Submitter: Hampapur Ajay (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-09-09: A change has been merged

Reviewed: https://review.opencontrail.org/23990
Committed: http://github.org/Juniper/contrail-controller/commit/3f1adee0a5abc0a6846b573755ea1bf8ef2934ea
Submitter: Zuul
Branch: R3.0

commit 3f1adee0a5abc0a6846b573755ea1bf8ef2934ea
Author: Deepinder Setia <email address hidden>
Date: Wed Sep 7 22:32:11 2016 -0700

Save and restore auth token in greenlet local variable to prevent
clobbering due to interleaving of client requests

Change-Id: Ia4ce3a0c06fa76a32c0f7a08c3b093b1c097524f
Closes-Bug: #1621272

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-09-09:

Reviewed: https://review.opencontrail.org/24030
Committed: http://github.org/Juniper/contrail-controller/commit/26e72fc83da3ace0c39781311cd36604831785fa
Submitter: Zuul
Branch: master

commit 26e72fc83da3ace0c39781311cd36604831785fa
Author: Deepinder Setia <email address hidden>
Date: Wed Sep 7 22:32:11 2016 -0700

Save and restore auth token in greenlet local variable to prevent
clobbering due to interleaving of client requests

Change-Id: Ia4ce3a0c06fa76a32c0f7a08c3b093b1c097524f
Closes-Bug: #1621272
(cherry picked from commit 3f1adee0a5abc0a6846b573755ea1bf8ef2934ea)

shajuvk (shajuvk) on 2016-09-22

information type:

Proprietary → Public

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-09-22: [Review update] R3.1

Review in progress for https://review.opencontrail.org/24391
Submitter: Deepinder Setia (<email address hidden>)

Revision history for this message

OpenContrail Admin (ci-admin-f) wrote on 2016-09-26: A change has been merged

Reviewed: https://review.opencontrail.org/24391
Committed: http://github.org/Juniper/contrail-controller/commit/0eb7b66832644d01cb305a294c78f4d948ae897a
Submitter: Zuul
Branch: R3.1

commit 0eb7b66832644d01cb305a294c78f4d948ae897a
Author: Deepinder Setia <email address hidden>
Date: Wed Sep 7 22:32:11 2016 -0700

Save and restore auth token in greenlet local variable to prevent
clobbering due to interleaving of client requests

Change-Id: Ia4ce3a0c06fa76a32c0f7a08c3b093b1c097524f
Closes-Bug: #1621272

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.