Unable to list instances for all tenants as non-admin, even while policy.json is configured properly

Bug #1648606 reported by Rene Soto
This bug affects 1 person

Affects: Mirantis OpenStack
Status: Won't Fix
Importance: Medium
Assigned to: Sergii Rizvan

Bug Description

Requesting backport of https://bugs.launchpad.net/nova/+bug/1464381

Detailed bug description:
Unable to list all instances for all tenants as a non-admin user, even with policy.json configured correctly

Steps to reproduce:
1. Create a new tenant
2. Create a new user with the _member_ role
3. Edit /etc/nova/policy.json and set the following:
"compute:get_all_tenants": "is_admin:True or role:<ROLENAME>",
4. Restart nova-api (even though I'm not certain this is necessary)
5. While scoped to the non-admin user, run the command "nova list --all-tenants"

Expected results:
All instances from all tenants are returned
Actual result:
Only instances in the project I'm scoped to are returned
Reproducibility:
100%
Workaround:
Applied the fix on https://bugs.launchpad.net/nova/+bug/1464381 and it resolved the issue.
Impact:
Certain use cases would require a user with a specific role to have the ability to list all instances
Description of the environment:
- Operating system: Ubuntu 14.04
- Versions of components: MOS 7.0
- Reference architecture: N/A
- Network model: Neutron with Provider Network
- Related projects installed: N/A
Additional information:
Please provide a backport for this fix.

Rene Soto (rsoto)
summary: - Unable to list instances for all tenants as non-admin, even with
- policy.json set properly
+ Unable to list instances for all tenants as non-admin, even while
+ policy.json is configured properly
tags: added: ct1
Changed in mos:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → MOS Maintenance (mos-maintenance)
Sergii Rizvan (srizvan)
Changed in mos:
assignee: MOS Maintenance (mos-maintenance) → Sergii Rizvan (srizvan)
Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to openstack/nova (openstack-ci/fuel-7.0/2015.1.0)

Fix proposed to branch: openstack-ci/fuel-7.0/2015.1.0
Change author: Davanum Srinivas <email address hidden>
Review: https://review.fuel-infra.org/30024

Changed in mos:
status: Confirmed → In Progress
Sergii Rizvan (srizvan)
Changed in mos:
milestone: 7.0-updates → 7.0-mu-7
Sergii Rizvan (srizvan) wrote :

There might be a security issue with the bugfix.

Assume that the content of /etc/nova/policy.json has been changed on an already deployed environment. In our upgrade procedure [1] we use the mos_apply_mu.py script [2]. This script calls 'apt-get upgrade' with the '-o Dpkg::Options::="--force-confdef"' and '-o Dpkg::Options::="--force-confold"' options. This means that configuration files will be changed only if they weren't modified previously. So in a situation where the content of /etc/nova/policy.json hasn't been changed, everything should work without any problem. But if the content of /etc/nova/policy.json has been changed before the upgrade, we will end up with an upgraded nova-api and an unchanged policy.json. In this situation non-admin users may obtain access to all tenants even if this wasn't explicitly permitted by adding rules to policy.json.

That's why we're not going to merge the bugfix. If some customer needs this feature to work, it's possible to apply the patch from the following gerrit CR: https://review.fuel-infra.org/#/c/30024/

[1] https://docs.mirantis.com/openstack/fuel/fuel-7.0/maintenance-updates.html#mos70mu-how-to-update

[2] https://raw.githubusercontent.com/Mirantis/tools-sustaining/master/scripts/mos_apply_mu.py

Changed in mos:
status: In Progress → Won't Fix
milestone: 7.0-mu-7 → 7.0-updates
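To make the concern in the comment above concrete, here is an added example that is not code from this bug, from nova, or from mos_apply_mu.py. It is a simplified re-implementation of the oslo policy grammar used in policy.json (is_admin:True, role:X, rule:X, project_id:%(project_id)s, and/or), and it doubles as a pre-upgrade check: it reports whether a plain _member_ user could pass compute:get_all_tenants once nova-api starts honouring that rule. The fallback to the "default" rule when a named rule is absent follows oslo.policy's behaviour; the three sample policy files, the role name auditor (standing in for the reporter's <ROLENAME> in step 3) and the project id are constructed for this example, and whether a real deployment's policy.json carries an equally permissive "default" rule is an assumption that has to be checked against the actual file.

```python
import ast
import json
import re

RULE_NAME = "compute:get_all_tenants"

# Constructed sample policy files (assumptions for this example, not copied
# from any MOS deployment). POLICY_EXPLICIT carries the rule the reporter
# set by hand, with "auditor" as a stand-in for <ROLENAME>.
POLICY_EXPLICIT = json.dumps({
    "default": "rule:admin_or_owner",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    RULE_NAME: "is_admin:True or role:auditor",
})

# A restrictive file: only admins may list across tenants.
POLICY_ADMIN_ONLY = json.dumps({
    "default": "rule:admin_or_owner",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    RULE_NAME: "is_admin:True",
})

# A policy.json that was edited for other reasons (so --force-confold keeps
# it across the upgrade) but never received the get_all_tenants rule.
POLICY_UNTOUCHED = json.dumps({
    "default": "rule:admin_or_owner",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
})


def _lookup(rules, name):
    """Find a rule by name; like oslo.policy, fall back to "default"."""
    if name in rules:
        return rules[name]
    if name != "default" and "default" in rules:
        return rules["default"]
    raise KeyError(name)


def _eval(expr, rules, creds, target):
    """Evaluate one policy expression: 'or' binds loosest, then 'and'."""
    expr = expr.strip()
    if expr in ("", "@"):          # empty rule / "@" always allows
        return True
    if expr == "!":                # "!" always denies
        return False
    or_parts = re.split(r"\s+or\s+", expr)
    if len(or_parts) > 1:
        return any(_eval(p, rules, creds, target) for p in or_parts)
    and_parts = re.split(r"\s+and\s+", expr)
    if len(and_parts) > 1:
        return all(_eval(p, rules, creds, target) for p in and_parts)
    kind, sep, match = expr.partition(":")
    if not sep:
        raise ValueError("unparseable policy atom: %r" % expr)
    if kind == "rule":             # reference to another named rule
        return _eval(_lookup(rules, match), rules, creds, target)
    if kind == "role":             # role membership, case-insensitive
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    # generic check such as is_admin:True or project_id:%(project_id)s
    if "%(" in match:
        match = match % target     # substitute from the request target
    else:
        try:
            match = ast.literal_eval(match)   # "True" -> True
        except (ValueError, SyntaxError):
            pass                   # keep as a plain string
    return creds.get(kind) == match


def can_list_all_tenants(policy_json, creds):
    """Would nova-api (once it honours the rule) allow --all-tenants?"""
    rules = json.loads(policy_json)
    target = {"project_id": creds.get("project_id")}
    try:
        expr = _lookup(rules, RULE_NAME)
    except KeyError:
        return False               # no rule and no default: deny
    return _eval(expr, rules, creds, target)


def precheck(policy_json):
    """Pre-upgrade findings an operator would want before applying the MU."""
    rules = json.loads(policy_json)
    findings = []
    if RULE_NAME not in rules:
        findings.append("%s is not set; evaluation falls back to %r"
                        % (RULE_NAME, rules.get("default")))
    # constructed credentials for an ordinary user in project p1
    member = {"is_admin": False, "roles": ["_member_"], "project_id": "p1"}
    if can_list_all_tenants(policy_json, member):
        findings.append("a plain _member_ user would pass %s" % RULE_NAME)
    return findings


if __name__ == "__main__":
    for name, policy in (("explicit", POLICY_EXPLICIT),
                         ("admin-only", POLICY_ADMIN_ONLY),
                         ("untouched", POLICY_UNTOUCHED)):
        print(name, precheck(policy) or ["ok"])
```

Running precheck over the deployed /etc/nova/policy.json before the maintenance update (read the file and pass its contents instead of the constructed samples) shows whether the combination of an upgraded nova-api and a kept policy.json would widen who can list across tenants; an empty findings list for the explicit and admin-only files, and two findings for the untouched one, is the behaviour the comment above describes.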
Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on openstack/nova (openstack-ci/fuel-7.0/2015.1.0)

Change abandoned by Sergii Rizvan <email address hidden> on branch: openstack-ci/fuel-7.0/2015.1.0
Review: https://review.fuel-infra.org/30024
Reason: Please read the details here: https://bugs.launchpad.net/mos/+bug/1648606/comments/2
