permission denied for _member_ with CRUD while associating default-ipam to VDNS entry
api log:
====
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: rbac: u=tenant2-user, r=[u'_member_'], o=network-ipams, op=R, rules=6, proj:ab273e0d2cc4488fbcd0177e7cf43c6a(tenant2), dom:None
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id *:CRUD, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname *:CRUD, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 3) useragent-kv *:CRUD, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 4) documentation *:R, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 5) / *:R, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 6) *.* _member_:CRUD, (0,True)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: rbac: +++ admin=no, u=tenant2-user, r='_member_'
192.168.10.4 - - [2016-09-21 16:04:49] "GET /network-ipams?fields=network_ipam_mgmt&obj_uuids=2414fab4-13cc-4775-9ea5-dae11fba6f81 HTTP/1.1" 200 507 0.020473
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: rbac: +++ (R:2414fab4-13cc-4775-9ea5-dae11fba6f81) "network_ipam" ["default-domain", "default-project", "default-network-ipam"] admin=no, mode=444 mask=007 perms=705, (usr=ab273e0d2cc4488fbcd0177e7cf43c6a(tenant2)/own=cloudadmin/sh=[])
INFO:contrail-api:__default__ [SYS_INFO]: VncApiStatsLog: api_stats = << operation_type = GET user = tenant2-user useragent = Restler for node.js remote_ip = 192.168.10.3:9100 domain_name = default-domain project_name = tenant2 object_type = network_ipam response_time_in_usec = 6472 response_size = 410 resp_code = 200 >>
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: rbac: u=tenant2-user, r=[u'_member_'], o=network-ipam, op=U, rules=6, proj:ab273e0d2cc4488fbcd0177e7cf43c6a(tenant2), dom:None
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id *:CRUD, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname *:CRUD, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 3) useragent-kv *:CRUD, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 4) documentation *:R, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 5) / *:R, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 6) *.* _member_:CRUD, (0,True)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: rbac: +++ admin=no, u=tenant2-user, r='_member_'
INFO:contrail-api:__default__ [SYS_INFO]: VncApiConfigLog: api_log = << identifier_uuid = 2414fab4-13cc-4775-9ea5-dae11fba6f81 object_type = network_ipam identifier_name = default-domain:default-project:default-network-ipam url = http://192.168.10.3:9100/network-ipam/2414fab4-13cc-4775-9ea5-dae11fba6f81 operation = put useragent = Restler for node.js remote_ip = 192.168.10.3:9100 body = {"network-ipam": {"network_ipam_mgmt": {"ipam_dns_method": "virtual-dns-server", "ipam_dns_server": {"tenant_dns_server_address": {}, "virtual_dns_server_name": "default-domain:dns2"}}, "virtual_DNS_refs": [{"to": ["default-domain", "dns2"], "attr": null, "uuid": "19f539a4-bfba-40e3-8c22-fbd4c90be475"}], "fq_name": ["default-domain", "default-project", "default-network-ipam"], "uuid": "2414fab4-13cc-4775-9ea5-dae11fba6f81"}} domain = default-domain project = tenant2 user = tenant2-user >>
192.168.10.4 - - [2016-09-21 16:04:49] "PUT /network-ipam/2414fab4-13cc-4775-9ea5-dae11fba6f81 HTTP/1.1" 403 140 0.018671
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: rbac: --- (W:2414fab4-13cc-4775-9ea5-dae11fba6f81) "network_ipam" ["default-domain", "default-project", "default-network-ipam"] admin=no, mode=222 mask=007 perms=705, (usr=ab273e0d2cc4488fbcd0177e7cf43c6a(tenant2)/own=cloudadmin/sh=[])
WARNING:contrail-api:__default__ [SYS_NOTICE]: VncApiError: rbac: tenant2-user doesn't have write permission in tenant cloudadmin
INFO:contrail-api:__default__ [SYS_INFO]: VncApiConfigLog: api_log = << identifier_uuid = 2414fab4-13cc-4775-9ea5-dae11fba6f81 object_type = network_ipam url = http://192.168.10.3:9100/network-ipam/2414fab4-13cc-4775-9ea5-dae11fba6f81 operation = http_put useragent = Restler for node.js remote_ip = 192.168.10.3:9100 body = {"network-ipam": {"network_ipam_mgmt": {"ipam_dns_method": "virtual-dns-server", "ipam_dns_server": {"tenant_dns_server_address": {}, "virtual_dns_server_name": "default-domain:dns2"}}, "virtual_DNS_refs": [{"to": ["default-domain", "dns2"], "attr": null, "uuid": "19f539a4-bfba-40e3-8c22-fbd4c90be475"}], "fq_name": ["default-domain", "default-project", "default-network-ipam"], "uuid": "2414fab4-13cc-4775-9ea5-dae11fba6f81"}} domain = default-domain project = tenant2 user = tenant2-user error = network_ipam:Permission Denied >>
Either we do not need to advertise the default IPAM to all tenants, or giving full permission to the default IPAM might solve this issue, but then other tenant users could edit it and cause problems.
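To reproduce the object-level decision the log records (GET allowed, PUT denied), here is an added checker, not the reporter's code and not OpenContrail's own implementation: it parses the `rbac: +++/---` lines above and re-evaluates them with a unix-style check (requested mode bit must be set in the triplet the mask selects) that is assumed from the `mode`/`mask`/`perms` fields, so an operator can see why `tenant2` is refused and which bits a change would touch.

```python
import re

# Constructed sample input: the two object-level rbac decision lines from the
# API log above (the GET that returned 200 and the PUT that returned 403).
LOG_LINES = [
    'DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: rbac: +++ (R:2414fab4-13cc-4775-9ea5-dae11fba6f81) "network_ipam" ["default-domain", "default-project", "default-network-ipam"] admin=no, mode=444 mask=007 perms=705, (usr=ab273e0d2cc4488fbcd0177e7cf43c6a(tenant2)/own=cloudadmin/sh=[])',
    'DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: rbac: --- (W:2414fab4-13cc-4775-9ea5-dae11fba6f81) "network_ipam" ["default-domain", "default-project", "default-network-ipam"] admin=no, mode=222 mask=007 perms=705, (usr=ab273e0d2cc4488fbcd0177e7cf43c6a(tenant2)/own=cloudadmin/sh=[])',
]

RBAC_RE = re.compile(
    r'rbac: (?P<verdict>\+\+\+|---) \((?P<op>[RW]):(?P<uuid>[0-9a-f-]+)\) '
    r'"(?P<obj_type>[^"]+)" .*?mode=(?P<mode>[0-7]{3}) mask=(?P<mask>[0-7]{3}) '
    r'perms=(?P<perms>[0-7]{3}), \(usr=(?P<usr>[^/]+)/own=(?P<own>[^/]+)/sh=\[(?P<sh>[^\]]*)\]\)'
)

# Which permission triplet the mask selects (assumed unix-style layout).
TRIPLETS = ((0o700, "owner"), (0o070, "share-list"), (0o007, "global"))

def parse_rbac_line(line):
    """Return the decision's fields as a dict (octal fields as ints), or None."""
    m = RBAC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("mode", "mask", "perms"):
        rec[key] = int(rec[key], 8)
    rec["granted"] = rec["verdict"] == "+++"
    return rec

def access_allowed(perms, mask, mode):
    """Assumed check reconstructed from the log fields: the requested mode bit
    (4=read, 2=write) must be set in the triplet(s) the mask selects."""
    return (perms & mask & mode) != 0

def explain(rec):
    """Human-readable reason for one decision and which bits a fix would touch."""
    tenant = rec["usr"].rsplit("(", 1)[-1].rstrip(")")
    via = ",".join(name for bits, name in TRIPLETS if rec["mask"] & bits)
    if access_allowed(rec["perms"], rec["mask"], rec["mode"]):
        return "%s %s allowed via %s bits" % (rec["op"], rec["obj_type"], via)
    return ("%s %s denied: %s is not owner (%s) and not in share list [%s]; "
            "%s bits %03o lack requested %03o. Widening global bits exposes the "
            "object to every tenant; a share-list entry for %s is the narrower change."
            % (rec["op"], rec["obj_type"], tenant, rec["own"], rec["sh"], via,
               rec["perms"] & rec["mask"], rec["mode"], tenant))

def audit(lines):
    """One (uuid, op, logged_verdict, recomputed_verdict, reason) per rbac line."""
    return [(r["uuid"], r["op"], r["granted"],
             access_allowed(r["perms"], r["mask"], r["mode"]), explain(r))
            for r in filter(None, map(parse_rbac_line, lines))]
```

Running `audit(LOG_LINES)` recomputes the same two verdicts as the log and flags the write denial as a non-owner, non-shared tenant hitting global bits `005`.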