build 60 Rbac : Permission denied when any user is a member of multiple tenants
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Juniper Openstack | Status tracked in Trunk | | | |
R3.0 | Fix Committed | High | Rahul | |
R3.1 | Fix Committed | High | Siva Bavanasi | |
Trunk | Fix Committed | High | Siva Bavanasi | |
Bug Description
Issue: Project API Access CRUD for role:contrail was given to two tenants, tenant1 and tenant2 (see below). Permission denied is seen on config pages for tenant1 (one of the tenants); for tenant2, CRUD worked fine (as per the rule created, no error seen).
If I remove 'user1' member from tenant2, then CRUD access for 'tenant1' starts working (as per the rule) normally.
Tenant/user details below
User : user1
Tenants:
user1 tenant1 role:contrail
user1 tenant2 role:contrail
UI login:
user/pass: user1/contrail123
Project API Access
ProjectObject.
default-
default-
contrail-api log:
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: u=user1, r=[u'contrail', u'_member_'], o=project, op=R, rules=6, proj:dcbe861ff9
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id *:CRUD, (-1,False)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname *:CRUD, (-1,False)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 3) useragent-kv *:CRUD, (-1,False)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 4) documentation *:R, (-1,False)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 5) / *:R, (-1,False)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 6) *.* contrail:CRUD, (0,True)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: +++ admin=no, u=user1, r='contrail,
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_INFO]: VncApiStatsLog: api_stats = << operation_type = GET user = admin useragent = nodeg13:
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: --- (R:c4891e62-
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_NOTICE]: VncApiError: rbac: user1 doesn't have read permission in tenant c4891e62934045e
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_INFO]: VncApiConfigLog: api_log = << identifier_uuid = c4891e62-
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_INFO]: VncApiStatsLog: api_stats = << operation_type = GET user = user1 useragent = Restler for node.js remote_ip = 10.204.217.53:9100 domain_name = default-domain project_name = tenant2 object_type = project response_
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: u=user1, r=[u'contrail', u'_member_'], o=virtual-networks, op=R, rules=6, proj:dcbe861ff9
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id *:CRUD, (-1,False)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname *:CRUD, (-1,False)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 3) useragent-kv *:CRUD, (-1,False)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 4) documentation *:R, (-1,False)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 5) / *:R, (-1,False)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 6) *.* contrail:CRUD, (0,True)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: +++ admin=no, u=user1, r='contrail,
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: --- (R:c4891e62-
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_NOTICE]: VncApiError: rbac: user1 doesn't have read permission in tenant c4891e62934045e
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_INFO]: VncApiConfigLog: api_log = << object_type = virtual_networks url = http://
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_INFO]: VncApiStatsLog: api_stats = << operation_type = GET user = user1 useragent = Restler for node.js remote_ip = 10.204.217.53:9100 domain_name = default-domain project_name = tenant2 object_type = virtual_network response_
09/19/2016 05:39:14 PM [contrail-api]: __default__ [SYS_INFO]: VncApiStatsLog: api_stats = << operation_type = GET user = admin useragent = nodeg13:
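A triage helper for the contrail-api log excerpt above, added here as an example and not part of the original bug report or the Contrail code base. It pairs each `rbac:` request line with the rules evaluated after it and reports denials logged even though a rule matched, marking those whose tenant differs from the request's `proj:` value. The log text is a constructed sample in the page's format with made-up ids, and the function and field names are hypothetical.

```python
import re

# Constructed sample in the format of the contrail-api lines above (ids are made up).
SAMPLE_LOG = """\
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: u=user1, r=[u'contrail', u'_member_'], o=project, op=R, rules=6, proj:aaaa1111
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 5) / *:R, (-1,False)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 6) *.* contrail:CRUD, (0,True)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_NOTICE]: VncApiError: rbac: user1 doesn't have read permission in tenant bbbb2222
09/19/2016 05:38:47 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: u=user2, r=[u'contrail'], o=project, op=R, rules=6, proj:cccc3333
09/19/2016 05:38:47 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 6) *.* contrail:CRUD, (0,True)
09/19/2016 05:38:48 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: u=user3, r=[u'contrail'], o=virtual-networks, op=R, rules=6, proj:dddd4444
09/19/2016 05:38:48 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 6) *.* contrail:CRUD, (0,True)
09/19/2016 05:38:48 PM [contrail-api]: __default__ [SYS_NOTICE]: VncApiError: rbac: user3 doesn't have read permission in tenant dddd4444-eeee
"""

REQ = re.compile(r"rbac: u=(?P<user>\S+), r=\[[^\]]*\], o=(?P<obj>\S+), op=\w+, "
                 r"rules=\d+, proj:(?P<proj>\S+)")
RULE = re.compile(r"Rule \d+\) (?P<rule>.+), \(-?\d+,(?P<hit>True|False)\)")
DENY = re.compile(r"rbac: (?P<user>\S+) doesn't have \w+ permission in tenant (?P<tenant>\S+)")


def find_denials_after_grant(log_text):
    """Return denials logged after an API access rule matched for the same user."""
    findings, req = [], None
    for line in log_text.splitlines():
        if m := REQ.search(line):
            req = dict(m.groupdict(), rule=None)
        elif req and (m := RULE.search(line)):
            if m["hit"] == "True":
                req["rule"] = m["rule"]
        elif req and (m := DENY.search(line)):
            if m["user"] == req["user"] and req["rule"]:
                a, b = (s.replace("-", "") for s in (req["proj"], m["tenant"]))
                findings.append({
                    "user": m["user"], "object": req["obj"], "rule": req["rule"],
                    "request_project": req["proj"], "denied_tenant": m["tenant"],
                    # Ids can be truncated or dashed in the log: compare by prefix.
                    "cross_tenant": not (a.startswith(b) or b.startswith(a)),
                })
            req = None
    return findings


if __name__ == "__main__":
    for f in find_denials_after_grant(SAMPLE_LOG):
        print(f)
```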
Changed in juniperopenstack:
milestone: r3.0.3.0 → none
description: updated
Fixed in mainline with https://review.opencontrail.org/#/c/24124/
Fixed in R3.1 with https://review.opencontrail.org/#/c/24250/