rbac:R3.0-60-router-gateway set created service instance with admin as owner

Bug #1624148 reported by shajuvk
Affects            Status     Importance  Assigned to      Milestone
Juniper Openstack  Won't Fix  High        Deepinder Setia
R3.0               Won't Fix  High        Deepinder Setia
R3.1               Won't Fix  High        Deepinder Setia
R3.2               Won't Fix  High        Deepinder Setia
Trunk              Won't Fix  High        Deepinder Setia

Bug Description

router-gateway set as part of the SNAT test: the service instance is created, but its perms2 owner is admin

steps:
======

Create the public network and set the router external flag.
1. neutron net-create public
2. neutron subnet-create public 172.21.1.0/24
3. neutron net-update public -- --router:external=True    ===> admin operation

Create the test network.
4. neutron net-create test
5. neutron subnet-create --name test-subnet test 10.1.1.0/24

Create the router with one interface in test.
6. neutron router-create r1
7. neutron router-interface-add r1 test-subnet

Set the external gateway for the router.
8. neutron router-gateway-set r1 public    ===> this should create a service instance

{
  "service-instance": {
    "virtual_machine_back_refs": [
      {
        "to": [
          "default-domain__tenant2__snat_199517ce-8886-4012-8012-a091fea39c3c_5135cebd-7d57-4b8f-a668-ddcdb2b31c2f__2"
        ],
        "href": "http://10.84.14.8:8082/virtual-machine/e98ba8ea-9e83-4791-857e-19b793394ef6",
        "attr": null,
        "uuid": "e98ba8ea-9e83-4791-857e-19b793394ef6"
      },
      {
        "to": [
          "default-domain__tenant2__snat_199517ce-8886-4012-8012-a091fea39c3c_5135cebd-7d57-4b8f-a668-ddcdb2b31c2f__1"
        ],
        "href": "http://10.84.14.8:8082/virtual-machine/f13118b6-1276-4faf-80e0-4e52ae962ac7",
        "attr": null,
        "uuid": "f13118b6-1276-4faf-80e0-4e52ae962ac7"
      }
    ],
    "fq_name": [
      "default-domain",
      "tenant2",
      "snat_199517ce-8886-4012-8012-a091fea39c3c_5135cebd-7d57-4b8f-a668-ddcdb2b31c2f"
    ],
    "uuid": "9e94e9ad-24f8-465e-b2dc-eef267af064f",
    "parent_type": "project",
    "parent_uuid": "fb053a0a-7ee0-4e38-b34f-e59a8750532f",
    "parent_href": "http://10.84.14.8:8082/project/fb053a0a-7ee0-4e38-b34f-e59a8750532f",
    "service_instance_properties": {
      "right_virtual_network": null,
      "left_ip_address": null,
      "availability_zone": null,
      "management_virtual_network": null,
      "auto_policy": false,
      "ha_mode": "active-standby",
      "virtual_router_id": null,
      "interface_list": [
        {
          "virtual_network": "default-domain:tenant2:public",
          "ip_address": null,
          "static_routes": null,
          "allowed_address_pairs": null
        },
        {
          "virtual_network": "default-domain:tenant2:snat-si-left_snat_199517ce-8886-4012-8012-a091fea39c3c_5135cebd-7d57-4b8f-a668-ddcdb2b31c2f",
          "ip_address": null,
          "static_routes": null,
          "allowed_address_pairs": null
        }
      ],
      "right_ip_address": null,
      "left_virtual_network": null,
      "scale_out": {
        "auto_scale": true,
        "max_instances": 2
      }
    },
    "perms2": {
      "owner": "79031e0d5f244d2283ae119cb75dc6a0", ==== > admin
      "owner_access": 7,
      "global_access": 0,
      "share": []
    },
    "href": "http://10.84.14.8:8082/service-instance/9e94e9ad-24f8-465e-b2dc-eef267af064f",
    "id_perms": {
      "enable": true,
      "uuid": {
        "uuid_mslong": 11427015084404655710,
        "uuid_lslong": 12888438958516536911
      },
      "created": "2016-09-15T22:18:50.634660",
      "description": null,
      "creator": null,
      "user_visible": true,
      "last_modified": "2016-09-15T22:18:50.634660",
      "permissions": {
        "owner": "admin",
        "owner_access": 7,
        "other_access": 7,
        "group": "admin",
        "group_access": 7
      }
    },
    "logical_router_back_refs": [
      {
        "to": [
          "default-domain",
          "tenant2",
          "r1"
        ],
        "href": "http://10.84.14.8:8082/logical-router/199517ce-8886-4012-8012-a091fea39c3c",
        "attr": null,
        "uuid": "199517ce-8886-4012-8012-a091fea39c3c"
      }
    ],
    "display_name": "snat_199517ce-8886-4012-8012-a091fea39c3c_5135cebd-7d57-4b8f-a668-ddcdb2b31c2f",
    "service_template_refs": [
      {
        "to": [
          "default-domain",
          "netns-snat-template"
        ],
        "href": "http://10.84.14.8:8082/service-template/d65dcdd4-b7b3-4688-9c87-794fdc511093",
        "attr": null,
        "uuid": "d65dcdd4-b7b3-4688-9c87-794fdc511093"

api-log
======

INFO:contrail-api:__default__ [SYS_INFO]: VncApiStatsLog: api_stats = << operation_type = GET user = user1-tenant2 useragent = Restler for node.js remote_ip = 192.168.10.3:9100 domain_name = default-domain project_name = tenant2 object_type = service_template response_time_in_usec = 32630 response_size = 19278 resp_code = 200 >>
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: rbac: u=user1-tenant2, r=[u'_member_'], o=service-instances, op=R, rules=6, proj:fb053a0a7ee04e38b34fe59a8750532f(tenant2), dom:None
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id *:CRUD, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname *:CRUD, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 3) useragent-kv *:CRUD, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 4) documentation *:R, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 5) / *:R, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 6) *.* admin-read:R,_member_:RUDC, (0,True)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: rbac: +++ admin=no, u=user1-tenant2, r='_member_'
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: rbac: +++ (R:fb053a0a-7ee0-4e38-b34f-e59a8750532f) "project" ["default-domain", "tenant2"] admin=no, mode=444 mask=707 perms=700, (usr=fb053a0a7ee04e38b34fe59a8750532f(tenant2)/own=fb053a0a7ee04e38b34fe59a8750532f/sh=[])
192.168.10.4 - - [2016-09-15 15:22:25] "GET /service-instances?detail=true&fields=virtual_machine_back_refs,port_tuples,interface_route_table_back_refs,route_aggregate_back_refs,routing_policy_back_refs,service_health_check_back_refs&parent_id=fb053a0a-7ee0-4e38-b34f-e59a8750532f HTTP/1.1" 200 133 0.054697
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: rbac: --- (R:9e94e9ad-24f8-465e-b2dc-eef267af064f) "service_instance" ["default-domain", "tenant2", "snat_199517ce-8886-4012-8012-a091fea39c3c_5135cebd-7d57-4b8f-a668-ddcdb2b31c2f"] admin=no, mode=444 mask=007 perms=700, (usr=fb053a0a7ee04e38b34fe59a8750532f(tenant2)/own=79031e0d5f244d2283ae119cb75dc6a0/sh=[])
WARNING:contrail-api:__default__ [SYS_NOTICE]: VncApiError: rbac: user1-tenant2 doesn't have read permission in tenant 79031e0d5f244d2283ae119cb75dc6a0
INFO:contrail-api:__default__ [SYS_INFO]: VncApiStatsLog: api_stats = << operation_type = GET user = user1-tenant2 useragent = Restler for node.js remote_ip = 192.168.10.3:9100 domain_name = default-domain project_name = tenant2 object_type = service_instance response_time_in_usec = 12585 response_size = 25 resp_code = 200 >>

+----------------------------------+--------------------+---------+
| id | name | enabled |
+----------------------------------+--------------------+---------+
| 79031e0d5f244d2283ae119cb75dc6a0 | admin | True |
| 61eed427caac4e55a2bacd013a288dc4 | demo | True |
| af776f7724f44f1a9b6174b2c2c93764 | global-read | True |
| a087feb7f2644593ae85040e4a6e3276 | invisible_to_admin | True |
| 30b5234db1e54fe7932d0404a4af66bd | mirantis | True |
| e5cf8013b6994324b9ddededf7102827 | project1 | True |
| 5ea6c2044d9c4752ae184ed36a148fd0 | project2 | True |
| 3ef3ed0645094fa39729c921f944fb7e | service | True |
| 05908de1f215476dbef0bd41b5066ae5 | tenant1 | True |
| fb053a0a7ee04e38b34fe59a8750532f | tenant2 | True |
| 1a6fb078cd1d4f1da852b2c47e3a278f | test-project-rbac | True |
+----------------------------------+--------------------+---------+
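The rbac lines in the api-log above show why the service instance stays invisible: the object's perms2 owner is the admin tenant id (79031e0d...), user1-tenant2 is neither owner nor in the share list, so the evaluated mask is 007 against perms 700 and nothing survives the AND with the read mode 444. The block below is an added model of that check, not Contrail's own code; the mask rules (707 for the owning tenant, 070 from a matching share entry, 007 otherwise) are read off the log lines on this page and are an assumption about the real implementation.

```python
# Standalone model of the perms2 check seen in the api-log (added example,
# not Contrail code). Mask rules are inferred from the log lines above.

READ = 4

def _norm(uuid_str):
    """Keystone ids appear unhyphenated in the log; normalise both forms."""
    return uuid_str.replace("-", "").lower()

def perms2_check(perms2, tenant_id, op=READ):
    """Return (allowed, mode, mask, perms) for one object, as octal ints."""
    mode = op | op << 3 | op << 6            # R -> 0o444, as logged
    perms = perms2["owner_access"] << 6 | perms2["global_access"]
    mask = 0
    if _norm(perms2["owner"]) == _norm(tenant_id):
        mask |= 0o707                        # owner bits plus global bits (log: mask=707)
    for item in perms2.get("share", []):     # assumption: share grants the middle triplet
        if _norm(item["tenant"]) == _norm(tenant_id):
            perms |= item["tenant_access"] << 3
            mask |= 0o070
    if mask == 0:
        mask = 0o007                         # neither owner nor shared (log: mask=007)
    return bool(mode & mask & perms), mode, mask, perms

# Constructed from the page: tenant2's project (owned by tenant2) and the
# SNAT service instance (owner is the admin tenant id), both owner_access=7,
# global_access=0, share=[] as in the dumped perms2 blocks.
TENANT2 = "fb053a0a-7ee0-4e38-b34f-e59a8750532f"
ADMIN = "79031e0d5f244d2283ae119cb75dc6a0"
PROJECT_PERMS2 = {"owner": TENANT2, "owner_access": 7, "global_access": 0, "share": []}
SI_PERMS2 = {"owner": ADMIN, "owner_access": 7, "global_access": 0, "share": []}

def check_as_user1():
    """Evaluate both objects for a _member_ user of tenant2 reading them."""
    return {name: perms2_check(p, TENANT2) for name, p in
            [("project", PROJECT_PERMS2), ("service_instance", SI_PERMS2)]}

def share_fix():
    """Same SI with a share entry granting tenant2 read: what would let the user see it."""
    fixed = dict(SI_PERMS2, share=[{"tenant": TENANT2, "tenant_access": READ}])
    return perms2_check(fixed, TENANT2)

if __name__ == "__main__":
    for name, (ok, mode, mask, perms) in check_as_user1().items():
        print(f"{name:17} mode={mode:o} mask={mask:03o} perms={perms:03o} -> "
              f"{'allow' if ok else 'deny'}")
    print("with share entry ->", share_fix())
```

Running it reproduces the two logged evaluations (project: mode=444 mask=707 perms=700, allowed; service_instance: mode=444 mask=007 perms=700, denied) and shows that a share entry for tenant2 is what the object would need for the user to read it without changing its owner.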

Deepinder Setia (dsetia) wrote:

Release note: a service instance automatically created by the system on behalf of a user will not be visible in the UI.

tags: added: releasenote
information type: Proprietary → Public
Sachin Bansal (sbansal)
Changed in juniperopenstack:
status: New → Won't Fix