rbac:R3.0-60:default-ipam to vdns creating permission denied error

Bug #1623695 reported by shajuvk
Affects            Status     Importance  Assigned to      Milestone
Juniper Openstack  Won't Fix  High        Deepinder Setia
R3.0               Won't Fix  High        Deepinder Setia
R3.1               Won't Fix  High        Deepinder Setia
R3.2               Won't Fix  High        Deepinder Setia
Trunk              Won't Fix  High        Deepinder Setia

Bug Description

Permission denied for a _member_ user with CRUD while associating the default-ipam with a VDNS entry.

api log:
====

DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: rbac: u=tenant2-user, r=[u'_member_'], o=network-ipams, op=R, rules=6, proj:ab273e0d2cc4488fbcd0177e7cf43c6a(tenant2), dom:None
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id *:CRUD, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname *:CRUD, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 3) useragent-kv *:CRUD, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 4) documentation *:R, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 5) / *:R, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 6) *.* _member_:CRUD, (0,True)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: rbac: +++ admin=no, u=tenant2-user, r='_member_'
192.168.10.4 - - [2016-09-21 16:04:49] "GET /network-ipams?fields=network_ipam_mgmt&obj_uuids=2414fab4-13cc-4775-9ea5-dae11fba6f81 HTTP/1.1" 200 507 0.020473
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: rbac: +++ (R:2414fab4-13cc-4775-9ea5-dae11fba6f81) "network_ipam" ["default-domain", "default-project", "default-network-ipam"] admin=no, mode=444 mask=007 perms=705, (usr=ab273e0d2cc4488fbcd0177e7cf43c6a(tenant2)/own=cloudadmin/sh=[])
INFO:contrail-api:__default__ [SYS_INFO]: VncApiStatsLog: api_stats = << operation_type = GET user = tenant2-user useragent = Restler for node.js remote_ip = 192.168.10.3:9100 domain_name = default-domain project_name = tenant2 object_type = network_ipam response_time_in_usec = 6472 response_size = 410 resp_code = 200 >>
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: rbac: u=tenant2-user, r=[u'_member_'], o=network-ipam, op=U, rules=6, proj:ab273e0d2cc4488fbcd0177e7cf43c6a(tenant2), dom:None
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id *:CRUD, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname *:CRUD, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 3) useragent-kv *:CRUD, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 4) documentation *:R, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 5) / *:R, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 6) *.* _member_:CRUD, (0,True)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: rbac: +++ admin=no, u=tenant2-user, r='_member_'
INFO:contrail-api:__default__ [SYS_INFO]: VncApiConfigLog: api_log = << identifier_uuid = 2414fab4-13cc-4775-9ea5-dae11fba6f81 object_type = network_ipam identifier_name = default-domain:default-project:default-network-ipam url = http://192.168.10.3:9100/network-ipam/2414fab4-13cc-4775-9ea5-dae11fba6f81 operation = put useragent = Restler for node.js remote_ip = 192.168.10.3:9100 body = {"network-ipam": {"network_ipam_mgmt": {"ipam_dns_method": "virtual-dns-server", "ipam_dns_server": {"tenant_dns_server_address": {}, "virtual_dns_server_name": "default-domain:dns2"}}, "virtual_DNS_refs": [{"to": ["default-domain", "dns2"], "attr": null, "uuid": "19f539a4-bfba-40e3-8c22-fbd4c90be475"}], "fq_name": ["default-domain", "default-project", "default-network-ipam"], "uuid": "2414fab4-13cc-4775-9ea5-dae11fba6f81"}} domain = default-domain project = tenant2 user = tenant2-user >>
192.168.10.4 - - [2016-09-21 16:04:49] "PUT /network-ipam/2414fab4-13cc-4775-9ea5-dae11fba6f81 HTTP/1.1" 403 140 0.018671
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: rbac: --- (W:2414fab4-13cc-4775-9ea5-dae11fba6f81) "network_ipam" ["default-domain", "default-project", "default-network-ipam"] admin=no, mode=222 mask=007 perms=705, (usr=ab273e0d2cc4488fbcd0177e7cf43c6a(tenant2)/own=cloudadmin/sh=[])
WARNING:contrail-api:__default__ [SYS_NOTICE]: VncApiError: rbac: tenant2-user doesn't have write permission in tenant cloudadmin
INFO:contrail-api:__default__ [SYS_INFO]: VncApiConfigLog: api_log = << identifier_uuid = 2414fab4-13cc-4775-9ea5-dae11fba6f81 object_type = network_ipam url = http://192.168.10.3:9100/network-ipam/2414fab4-13cc-4775-9ea5-dae11fba6f81 operation = http_put useragent = Restler for node.js remote_ip = 192.168.10.3:9100 body = {"network-ipam": {"network_ipam_mgmt": {"ipam_dns_method": "virtual-dns-server", "ipam_dns_server": {"tenant_dns_server_address": {}, "virtual_dns_server_name": "default-domain:dns2"}}, "virtual_DNS_refs": [{"to": ["default-domain", "dns2"], "attr": null, "uuid": "19f539a4-bfba-40e3-8c22-fbd4c90be475"}], "fq_name": ["default-domain", "default-project", "default-network-ipam"], "uuid": "2414fab4-13cc-4775-9ea5-dae11fba6f81"}} domain = default-domain project = tenant2 user = tenant2-user error = network_ipam:Permission Denied >>
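As an added example, not code from the bug report or from Contrail itself: a parser for the object-level "rbac: +++ / ---" lines in the log above that re-derives each verdict from the logged mode, mask and perms. The check model it uses (the perms digits are owner/shared/global access, mask selects which of those digits apply to the requesting tenant, and the request passes when mode & mask & perms is non-zero) is an assumption inferred from the logged values; under it the GET passes because 444 & 007 & 705 = 004, and the PUT is denied because 222 & 007 & 705 = 000, matching the +++ and --- markers.

```python
import re

# Constructed sample, copied from the bug's api log: the object-level rbac
# line for the GET that passed (+++) and for the PUT that was denied (---).
LOG = """\
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: rbac: +++ (R:2414fab4-13cc-4775-9ea5-dae11fba6f81) "network_ipam" ["default-domain", "default-project", "default-network-ipam"] admin=no, mode=444 mask=007 perms=705, (usr=ab273e0d2cc4488fbcd0177e7cf43c6a(tenant2)/own=cloudadmin/sh=[])
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: rbac: --- (W:2414fab4-13cc-4775-9ea5-dae11fba6f81) "network_ipam" ["default-domain", "default-project", "default-network-ipam"] admin=no, mode=222 mask=007 perms=705, (usr=ab273e0d2cc4488fbcd0177e7cf43c6a(tenant2)/own=cloudadmin/sh=[])
"""

LINE_RE = re.compile(
    r'rbac: (?P<verdict>\+\+\+|---) \((?P<op>[RW]):(?P<uuid>[0-9a-f-]+)\) '
    r'"(?P<otype>[^"]+)" .*?admin=(?P<admin>\w+), '
    r'mode=(?P<mode>[0-7]{3}) mask=(?P<mask>[0-7]{3}) perms=(?P<perms>[0-7]{3}), '
    r'\(usr=(?P<usr>[^/]+)/own=(?P<own>[^/]+)/sh=\[(?P<sh>[^\]]*)\]\)')


def parse_rbac_line(line):
    """Fields of one '+++'/'---' object-level rbac line, or None if not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("mode", "mask", "perms"):
        d[key] = int(d[key], 8)  # logged as three octal digits
    d["sh"] = [s for s in d["sh"].split(",") if s]
    return d


def object_access_allowed(mode, mask, perms):
    """Assumed model inferred from the logged values (not Contrail's code):
    perms digits are owner/shared/global access (705 = owner rwx, shared none,
    global r-x); mask selects which digits apply to the requester (007 = not
    owner, not shared, so only global); mode = requested access, 444 or 222."""
    return (mode & mask & perms) != 0


def audit(log_text):
    """Re-derive the verdict of every object-level rbac line in the log and
    return (op, allowed, agrees_with_logged_verdict, explanation) per line."""
    results = []
    for line in log_text.splitlines():
        d = parse_rbac_line(line)
        if d is None:
            continue
        effective = d["mode"] & d["mask"] & d["perms"]
        allowed = object_access_allowed(d["mode"], d["mask"], d["perms"])
        why = (f"{d['op']} on {d['otype']} by tenant {d['usr']} (owner {d['own']}, "
               f"shared with {d['sh'] or 'nobody'}): {d['mode']:03o} & {d['mask']:03o}"
               f" & {d['perms']:03o} = {effective:03o} -> {'allowed' if allowed else 'denied'}")
        results.append((d["op"], allowed, allowed == (d["verdict"] == "+++"), why))
    return results
```

A False third element in any tuple returned by audit() would mean the assumed model does not fit that log line, which is the first thing to check before trusting the explanation.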

shajuvk (shajuvk)
summary: - rbac:default-ipam to vdns creating permission denied error
+ rbac:R3.0-60:default-ipam to vdns creating permission denied error
shajuvk (shajuvk) wrote :

Either we do not need to advertise the default-ipam to all tenants. If we give full permission to the default IPAM, it might solve this issue, but other tenant users can edit it and cause problems.

Deepinder Setia (dsetia)
tags: added: releasenote
Deepinder Setia (dsetia) wrote :

This operation requires updating the network-ipam. To be release-noted: the user should create a network-ipam in their own tenant (instead of using the default network-ipam, on which the user doesn't have permission).

shajuvk (shajuvk)
description: updated
information type: Proprietary → Public
Sachin Bansal (sbansal)
Changed in juniperopenstack:
status: New → Won't Fix