Regular users cannot manage security groups in Horizon

Bug #1628141 reported by Deltik
This bug affects 2 people
Affects: OpenStack Dashboard (Horizon)
Status: Fix Released
Importance: Low
Assigned to: Deltik

Bug Description

As a regular user (a user without the "admin" role), if I go to Horizon » Project » Compute » Access & Security » Security Groups, by default, the options to

* delete security groups,
* create security groups,
* update security groups,
* create security group rules, and
* delete security group rules

… do not show up.

If my Horizon IP address is 10.12.53.10, the page that should be showing those options would be https://10.12.53.10/project/access_and_security/ under the "Security Groups" tab.

This happens if the "network" (Neutron) service is enabled.

My regular user does have permission to manipulate security groups, which I checked with `nova secgroup-create`, `neutron security-group-delete`, etc.

Also, I could bring up the Horizon interface to create new security groups by going directly to https://10.12.53.10/project/access_and_security/security_groups/create/ , and filling out and submitting the form would create a new security group, but the options to edit or delete it still do not show up in Horizon after creating the new security group.

--------------------------------------------------------------------------

The cause is that "openstack_dashboard/conf/neutron_policy.json" does not contain security group and security group rule policies.

If you go to "openstack_dashboard/dashboards/project/access_and_security/security_groups/tables.py", you can see the allowed() method of each tables.LinkAction. Notice that each checks if the "network" service is enabled, and if so, it sets the policy to check to be (("network", "create_security_group"),), (("network", "delete_security_group"),), and so on.

The problem is that the file that is supposed to contain those policies, "openstack_dashboard/conf/neutron_policy.json", does not contain those policies.

--------------------------------------------------------------------------

To fix the problem, add a comma to the end of the last policy in "openstack_dashboard/conf/neutron_policy.json", then before the closing "}", add the following lines:

    "delete_security_group": "rule:regular_user",
    "create_security_group": "rule:regular_user",
    "update_security_group": "rule:regular_user",
    "get_security_group": "rule:regular_user",
    "create_security_group_rule": "rule:regular_user",
    "delete_security_group_rule": "rule:regular_user"

Now, regular users can manage security groups in Horizon.
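
The gap described in the report can be checked mechanically. The following is an added example, not part of the original report or of Horizon's code: it lists which of the six rule names are absent from a policy file and flags any rule that references an undefined `rule:<name>`. The sample policy document and the function names are constructed for illustration.

```python
import json
import re

# Rule names the report lists as checked by Horizon when "network" is enabled.
SECGROUP_RULES = (
    "delete_security_group", "create_security_group", "update_security_group",
    "get_security_group", "create_security_group_rule",
    "delete_security_group_rule",
)

# Constructed sample standing in for openstack_dashboard/conf/neutron_policy.json;
# the entries are illustrative, not a copy of the shipped file.
SAMPLE_POLICY = """{
    "context_is_admin": "role:admin",
    "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
    "regular_user": "",
    "default": "rule:admin_or_owner",
    "create_network": "",
    "delete_network": "rule:admin_or_owner"
}"""


def audit_policy(policy_text, required=SECGROUP_RULES):
    """Return (missing, dangling) for a policy.json document.

    missing:  required rule names with no entry in the file.
    dangling: {rule: [undefined names it references via "rule:<name>"]}.
    """
    policy = json.loads(policy_text)
    missing = [name for name in required if name not in policy]
    dangling = {}
    for name, expr in policy.items():
        refs = re.findall(r"rule:([\w:]+)", expr) if isinstance(expr, str) else []
        undefined = sorted({r for r in refs if r not in policy})
        if undefined:
            dangling[name] = undefined
    return missing, dangling


def apply_reported_fix(policy_text, required=SECGROUP_RULES):
    """Add the entries proposed in the report, keeping existing ones untouched."""
    policy = json.loads(policy_text)
    for name in required:
        policy.setdefault(name, "rule:regular_user")
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    print("before:", audit_policy(SAMPLE_POLICY))
    print("after: ", audit_policy(apply_reported_fix(SAMPLE_POLICY)))
```

The dangling-reference check matters for the proposed entries: they only resolve if the file also defines `regular_user`.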

Deltik (deltik)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/377777

Changed in horizon:
assignee: nobody → Deltik (deltik)
status: New → In Progress
Rob Cresswell (robcresswell-deactivatedaccount) wrote :

Policy files are intended to be updated with a copy from your services anyway. So this is a very low priority bug.

Changed in horizon:
importance: Undecided → Low
milestone: none → ocata-1
tags: added: rbac
Deltik (deltik) wrote :

I found that Neutron does not implement the policy checks for security groups that Horizon does.

The policy checks were introduced in commit ee92fab5103e1f77bac237460f36eb28e325adb3.
Review: https://review.openstack.org/86406/

Was it intended that there would be separate policy checks in Horizon that would not be present in Neutron? Should the policy checks be expanded to Neutron as well or removed altogether?

Changed in horizon:
milestone: ocata-1 → ocata-2
Changed in horizon:
milestone: ocata-2 → next
tags: added: ocata-backport-potential
Changed in horizon:
milestone: next → pike-1
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/377777
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=ed86badc4290fc97bbb4fcfac53afffc69080243
Submitter: Jenkins
Branch: master

commit ed86badc4290fc97bbb4fcfac53afffc69080243
Author: Nick Liu <email address hidden>
Date: Tue Sep 27 09:51:22 2016 -0500

    Remove unimplemented policy checks for Neutron

    The dashboard is doing policy checks for Neutron that aren't even being
    done by Neutron itself.

    This fixes bug #1628141, which was caused by change-id
    I9f4e9209606999e5529e5ba068640d607b817f56, which was meant for Nova and
    not for Neutron.

    This change makes the policy checks for Nova secgroups only, if Neutron
    networking is not enabled.

    Neutron policy checks removed:

     * delete_security_group
     * create_security_group
     * update_security_group
     * get_security_group
     * create_security_group_rule
     * delete_security_group_rule

    Change-Id: I46b46fcd4cbc7c8e06f481eac9606c330fc75351
    Closes-Bug: #1628141

Changed in horizon:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon 12.0.0.0b1

This issue was fixed in the openstack/horizon 12.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/481174

OpenStack Infra (hudson-openstack) wrote : Change abandoned on horizon (stable/ocata)

Change abandoned by Rob Cresswell (<email address hidden>) on branch: stable/ocata
Review: https://review.openstack.org/481174
