rbac: default rbac rules are not created after enabling rbac

Bug #1648884 reported by Senthilnathan Murugappan
This bug affects 1 person
Affects                Status    Importance  Assigned to      Milestone
Juniper Openstack (status tracked in Trunk)
  R3.2                 Invalid   High        Deepinder Setia
  Trunk                Invalid   High        Deepinder Setia

Bug Description

On 3.2-8, the cluster was initially provisioned with 'cloud-admin' as aaa_mode, which is the default.
Later, aaa_mode was set to rbac and the API service was restarted; it was observed that default-global-acl got created, however the default rbac rules are not set.

{
    "api-access-list": {
        "api_access_list_entries": {
            "rbac_rule": []
        },
        "display_name": "default-api-access-list",
        "fq_name": [
            "default-global-system-config",
            "default-api-access-list"
        ],
        "href": "http://127.0.0.1:8095/api-access-list/d621afcd-9392-4212-a0c3-286184facbf4",
        "id_perms": {
            "created": "2016-12-09T20:09:32.350519",
            "creator": null,
            "description": null,
            "enable": true,
            "last_modified": "2016-12-09T20:26:03.562554",
            "permissions": {
                "group": "admin",
                "group_access": 7,
                "other_access": 7,
                "owner": "ctest-TestRbac-18714389",
                "owner_access": 7
            },
            "user_visible": true,
            "uuid": {
                "uuid_lslong": 11584147065835015156,
                "uuid_mslong": 15429807095827022354
            }
        },
        "name": "default-api-access-list",
        "parent_href": "http://127.0.0.1:8095/global-system-config/84a54180-2724-4080-9313-6fa5d6080587",
        "parent_type": "global-system-config",
        "parent_uuid": "84a54180-2724-4080-9313-6fa5d6080587",
        "perms2": {
            "global_access": 0,
            "owner": "f4d1f588438a424c9e6c2eebc1cbac29",
            "owner_access": 7,
            "share": []
        },
        "uuid": "d621afcd-9392-4212-a0c3-286184facbf4"
    }
}

Tags: config rbac
Senthilnathan Murugappan (msenthil) wrote :

FYI, deleting the default global ACL and restarting the API service fixes the issue.

Changed in juniperopenstack:
importance: Undecided → High
Jeba Paulaiyan (jebap)
tags: added: config rbac
Deepinder Setia (dsetia) wrote :

Senthil, I am unable to reproduce this. My steps:

1) Install 3.2 build 12. aaa_mode is not set in testbed.py
2) System comes up without RBAC

root@dsetia-3:~# python /opt/contrail/utils/rbacutil.py --op read
AAA mode is cloud-admin

Oper = read
Name = ['default-global-system-config', 'default-api-access-list']
UUID = None
API Server = 127.0.0.1:8082

api-access-list ['default-global-system-config', 'default-api-access-list'] not found!

3) Set aaa_mode to rbac in /etc/contrail/contrail-api.conf
4) Restart API server

root@dsetia-3:~# service contrail-api restart
contrail-api:0: stopped
contrail-api:0: started
root@dsetia-3:~#
root@dsetia-3:~#
root@dsetia-3:~# python /opt/contrail/utils/rbacutil.py --op read
AAA mode is rbac

Oper = read
Name = ['default-global-system-config', 'default-api-access-list']
UUID = None
API Server = 127.0.0.1:8082

Rules (5):
----------
 1 fqname-to-id *:CRUD,
 2 id-to-fqname *:CRUD,
 3 useragent-kv *:CRUD,
 4 documentation *:R,
 5 / *:R,

Jeba Paulaiyan (jebap) wrote :

Discussed this with Senthil. Not happening in 3.2-13
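
A post-change check for the state reported in this bug, as an added example that is not part of the thread or of Contrail's own code. It parses the `rbacutil.py --op read` output and the api-access-list JSON in the forms shown above; the function names are hypothetical, and it assumes the five rules printed in the thread are the expected default set.

```python
import json
import re

# The five default rules printed by rbacutil.py in the thread above.
EXPECTED_DEFAULTS = {("fqname-to-id", "*:CRUD"), ("id-to-fqname", "*:CRUD"),
                     ("useragent-kv", "*:CRUD"), ("documentation", "*:R"),
                     ("/", "*:R")}
# A rule line looks like " 1 fqname-to-id *:CRUD," (index, object, role:perms).
RULE_LINE = re.compile(r"^[ \t]*\d+[ \t]+(\S+)[ \t]+(.+?),?[ \t]*$", re.M)

def parse_rbacutil(text):
    """Parse `rbacutil.py --op read` output into (aaa_mode, found, rules)."""
    mode = re.search(r"^AAA mode is (\S+)", text, re.M)
    rules = set(RULE_LINE.findall(text))
    return (mode.group(1) if mode else None), "not found!" not in text, rules

def check_rbacutil(text):
    """Return findings; an empty list means the default rules are in place."""
    mode, found, rules = parse_rbacutil(text)
    if mode != "rbac":
        return []  # default rules are only expected once aaa_mode is rbac
    if not found:
        return ["api-access-list not found"]
    if not rules:
        return ["api-access-list has no rbac rules"]
    return ["missing default rule: %s %s" % r for r in sorted(EXPECTED_DEFAULTS - rules)]

def check_acl_json(doc, aaa_mode):
    """Same check on the REST JSON form shown in the bug description."""
    entries = json.loads(doc)["api-access-list"].get("api_access_list_entries") or {}
    if aaa_mode == "rbac" and not entries.get("rbac_rule"):
        return ["api-access-list has no rbac rules"]
    return []

# Output lines copied from the thread (state after switching to rbac).
HEALTHY = """AAA mode is rbac
Rules (5):
----------
 1 fqname-to-id *:CRUD,
 2 id-to-fqname *:CRUD,
 3 useragent-kv *:CRUD,
 4 documentation *:R,
 5 / *:R,
"""
# Trimmed from the JSON in the bug description (the reported state).
REPORTED = '{"api-access-list": {"api_access_list_entries": {"rbac_rule": []}}}'

if __name__ == "__main__":
    print(check_rbacutil(HEALTHY))
    print(check_acl_json(REPORTED, "rbac"))
```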
