Updating of firewall-rule while attached to firewall via non-admin user shows exception on Horizon

Bug #1699717 reported by Puneet Arora
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Neutron FWaaS dashboard | Fix Released | Undecided | Adit Sarfaty |
OpenStack Dashboard (Horizon) | Won't Fix | Undecided | Adit Sarfaty |

Bug Description

Created a non-admin user using the commands below:
# openstack project create sam
# openstack user create --password openstack --project acdc3b0348224a019878d628cc40681c sam-user
# openstack role create user-role
# openstack role add --project acdc3b0348224a019878d628cc40681c --user sam-user user-role

Steps:
1) Created a firewall-rule.
2) Created a firewall policy and firewall-rule.
3) Created a firewall and added the firewall-policy to it.
4) Now try to update the firewall-rule as the non-admin user; it shows an exception.
Error: Failed to update rule fire-rule-sam: {u'protocol': u'tcp', u'description': u'', 'attributes_to_update': [u'protocol', u'name', u'enabled', u'source_ip_address', u'destination_ip_address', u'action', u'source_port', u'shared', u'destination_port', u'ip_version', u'description'], u'source_port': None, u'source_ip_address': None, u'destination_ip_address': None, 'firewall_policy_id': u'ce84a478-3eaf-45ba-9d00-2f82b90916e4', u'destination_port': None, 'id': u'86850f40-6b26-4849-8eb9-f65b4136cf87', u'name': u'fire-rule-sam', 'tenant_id': u'acdc3b0348224a019878d628cc40681c', u'enabled': True, u'action': u'allow', 'shared': False, 'project_id': u'acdc3b0348224a019878d628cc40681c', u'ip_version': 4} is disallowed by policy rule (rule:update_firewall_rule and rule:update_firewall_rule:shared) with {'project_id': u'acdc3b0348224a019878d628cc40681c', 'domain': None, 'project_name': u'sam', 'user_id': u'2e4470864c674331bec8b9f25d546e04', 'roles': [u'user-role'], 'user_domain_id': None, 'service_project_id': None, 'project_domain': None, 'tenant_id': u'acdc3b0348224a019878d628cc40681c', 'service_user_domain_id': None, 'service_project_domain_id': None,

But the issue doesn't occur when using the CLI command to update firewall-rules as the non-admin user.
Use the credentials for the non-admin tenant, then run the command below:

$ neutron firewall-rule-update 86850f40-6b26-4849-8eb9-f65b4136cf87 --protocol tcp --action reject
Updated firewall_rule: 86850f40-6b26-4849-8eb9-f65b4136cf87

So the above command executes fine via the CLI, but with Horizon it shows the issue.

Tags: fwaas
Adit Sarfaty (asarfaty) wrote :

The problem is that the "shared" attribute of the rule is added to the request
body (although unchanged), triggering the policy rule that forbids changing the
"shared" rule attribute.

Changed in horizon:
assignee: nobody → Adit Sarfaty (asarfaty)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/477207

Changed in horizon:
status: New → In Progress
Akihiro Motoki (amotoki)
tags: added: fwaas
OpenStack Infra (hudson-openstack) wrote : Change abandoned on horizon (master)

Change abandoned by Adit Sarfaty (<email address hidden>) on branch: master
Review: https://review.openstack.org/477207
Reason: Should be fixed in Neutron FWaaS dashboard

OpenStack Infra (hudson-openstack) wrote :

Change abandoned by Adit Sarfaty (<email address hidden>) on branch: master
Review: https://review.openstack.org/477207

Akihiro Motoki (amotoki)
Changed in neutron-fwaas-dashboard:
assignee: nobody → Adit Sarfaty (asarfaty)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-fwaas-dashboard (master)

Reviewed: https://review.openstack.org/481008
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas-dashboard/commit/?id=a767cef2ad7973696b1723e17f518cc6435aaacc
Submitter: Jenkins
Branch: master

commit a767cef2ad7973696b1723e17f518cc6435aaacc
Author: Adit Sarfaty <email address hidden>
Date: Thu Jul 6 15:09:07 2017 +0300

    Fix FWaaS create/update rule with non-admin

    Creating and updating a shared rule is forbidden for non admin user.

    This patch makes sure the 'shared' attribute is disabled, and not added
    to the request body of the update request, so the request will not fail
    in neutron.

    Change-Id: I439947198bd9b0a647640f3f663ba7029b2507b4
    Closes-Bug: #1699717

Changed in neutron-fwaas-dashboard:
status: In Progress → Fix Released
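
An added illustration of the failure mode discussed in this report, not code from Horizon or neutron-fwaas-dashboard: a toy policy check that rejects any non-admin update body containing 'shared', next to a body builder that leaves it out. The function names, ADMIN_ONLY_ATTRS and the sample rule are assumptions; sending only changed fields goes beyond the merged fix and mirrors what the CLI call in the description does.

```python
# Added illustration; hypothetical names, not neutron-fwaas-dashboard code.

# Assumption: models rule:update_firewall_rule:shared from the error above.
ADMIN_ONLY_ATTRS = {"shared"}

# Constructed sample: stored rule and the values an edit form would submit.
CURRENT = {"name": "fire-rule-sam", "protocol": "tcp", "action": "allow",
           "enabled": True, "shared": False, "ip_version": 4, "description": ""}
FORM = dict(CURRENT, action="reject")


def policy_allows_update(body, roles):
    """Toy attribute-level policy check: an admin-only key in the body
    needs the admin role, even when its value is unchanged."""
    if "admin" in roles:
        return True
    return ADMIN_ONLY_ATTRS.isdisjoint(body)


def build_update_body_naive(form_data):
    """Behaviour described in the report: every form field is sent."""
    return dict(form_data)


def build_update_body_minimal(current, form_data, is_admin):
    """Omit admin-only fields for non-admins and send only changed values."""
    body = {}
    for key, value in form_data.items():
        if key in ADMIN_ONLY_ATTRS and not is_admin:
            continue
        if current.get(key) != value:
            body[key] = value
    return body


if __name__ == "__main__":
    roles = ["user-role"]
    naive = build_update_body_naive(FORM)
    minimal = build_update_body_minimal(CURRENT, FORM, is_admin=False)
    print("naive  :", sorted(naive), "allowed:", policy_allows_update(naive, roles))
    print("minimal:", sorted(minimal), "allowed:", policy_allows_update(minimal, roles))
```
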
Akihiro Motoki (amotoki) wrote :

All fixes on fwaas dashboard should happen in neutron-fwaas-dashboard.

Changed in horizon:
status: In Progress → Won't Fix