Juniper Openstack

New object creation is failing after enabling RBAC under previously existing tenants.

Bug #1706218 reported by Aniruddh Amonker
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Juniper Openstack
Status tracked in Trunk
R3.2
Fix Committed
Medium
Suresh Vinapamula
Juniper Openstack r3.2.5.0
R4.0
Fix Committed
Medium
Suresh Vinapamula
Juniper Openstack r4.0.1.0 "r4.0.1.0"
Trunk
Fix Committed
Medium
Suresh Vinapamula
Juniper Openstack r4.1.0.0-fcs "r4.1"

Bug Description

Contrail Release: 3.2.3

Problem Description:

“Create Network” operation using GUI is failing for certain tenants after enabling RBAC feature even though “virtual_network” object has been assigned “Create” rights for “_member_”.

This is only affecting tenants that existed before enabling RBAC feature. We created some new tenants and we were able to successfully create new networks using the same tenant users.

Also issue is not only tied to "virtual network" creation, any new object creation under pre-existing tenants is also experiencing the same error

This has been identified as a known limitation. Objects (including projects) created prior to enabling RBAC will not be accessible to non-admin users after RBAC is enabled. This is because the ‘onwer’ field for such objects is set to ‘service’ tenant (which is because neutron didn’t pass the tenant information correctly), making them accessible to only ‘service’ tenant.

This LP defect is for an enhancement request to fix this behavior in upcoming releases where enabling RBAC should also make ownership changes of objects accordingly under pre-existing tenants.

Current workaround is to manually change the ownership of objects including projects using "/opt/contrail/utils/Chmod2.py" script

See original description
Aniruddh Amonker (aamonker)
description: updated
information type: Proprietary → Private
Sachin Bansal (sbansal)
Changed in juniperopenstack:
assignee: nobody → Suresh Vinapamula (sureshk)
Jeba Paulaiyan (jebap)
tags: added: config
Sachin Bansal (sbansal)
information type: Private → Public
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/34228
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/34227
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/34228
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/34227
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/34228
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/34301
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/34227
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/34228
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/34301
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/34228
Committed: http://github.com/Juniper/contrail-controller/commit/8ce0d0e8603f343d14740c0ecd4d311a09c9e2ae
Submitter: Zuul (<email address hidden>)
Branch: master

commit 8ce0d0e8603f343d14740c0ecd4d311a09c9e2ae
Author: Suresh Venkata <email address hidden>
Date: Tue Aug 1 12:16:13 2017 -0700

Operations on objects created pre RBAC fail, on enabling RBAC.

Description: Certain objects created pre RBAC has owner ID not
same as the id of the project in which those objects are created.
This is because the project information passed was the service
tenant. This is causing failure of operations on those objects
after enbaling RBAC.
This script iterates through all objects in project and changes
it's owner field to the project id.
Help on how to use the script is available in the script.
This is a partial fix. Comeplete fix will be available once we
neutron handler code in API server.

Change-Id: I478c967746a525eab156a8836fc7580518a384a3
Partial-Bug: #1706218

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/34227
Committed: http://github.com/Juniper/contrail-controller/commit/43c4b63c67e43ce371b0b14e31e49edc0eae48de
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit 43c4b63c67e43ce371b0b14e31e49edc0eae48de
Author: Suresh Venkata <email address hidden>
Date: Tue Aug 1 11:59:30 2017 -0700

Operations on objects created pre RBAC fail, on enabling RBAC.

Description: Certain objects created pre RBAC has owner ID not
same as the id of the project in which those objects are created.
This is because the project information passed was the service
tenant. This is causing failure of operations on those objects
after enbaling RBAC.
This script iterates through all objects in project and changes
it's owner field to the project id.
Help on how to use the script is available in the script.
This is a partial fix. Comeplete fix will be available once we
neutron handler code in API server.

Change-Id: I478c967746a525eab156a8836fc7580518a384a3
Partial-Bug: #1706218

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/34301
Committed: http://github.com/Juniper/contrail-controller/commit/ddc3ab1cefe797adc2d2eeae4355f3ceb070361e
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit ddc3ab1cefe797adc2d2eeae4355f3ceb070361e
Author: Suresh Venkata <email address hidden>
Date: Tue Aug 1 12:16:13 2017 -0700

Operations on objects created pre RBAC fail, on enabling RBAC.

Description: Certain objects created pre RBAC has owner ID not
same as the id of the project in which those objects are created.
This is because the project information passed was the service
tenant. This is causing failure of operations on those objects
after enbaling RBAC.
This script iterates through all objects in project and changes
it's owner field to the project id.
Help on how to use the script is available in the script.
This is a partial fix. Comeplete fix will be available once we
neutron handler code in API server.

Change-Id: I478c967746a525eab156a8836fc7580518a384a3
Partial-Bug: #1706218

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/34567
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/34568
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/34569
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/34567
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/34569
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/34568
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/34569
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/34567
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/34568
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/34569
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/34568
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/34567
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/34569
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/34568
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/34569
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/34568
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/34568
Committed: http://github.com/Juniper/contrail-controller/commit/d746b733a6ff692efcc06f2a4a1e6d42dd168eba
Submitter: Zuul (<email address hidden>)
Branch: master

commit d746b733a6ff692efcc06f2a4a1e6d42dd168eba
Author: Suresh Venkata <email address hidden>
Date: Fri Aug 18 18:27:32 2017 -0700

Operations on objects created pre RBAC fail, on enabling RBAC.

Description: Certain objects created pre RBAC has owner ID not
same as the id of the project in which those objects are created.
This is because the project information passed was the service
tenant. This is causing failure of operations on those objects
after enbaling RBAC.
This change will set appropriate tenant ids as the owner.

Change-Id: I108a7543b5d1241d85471382bb3779823e86b0dd
Closes-Bug: #1706218

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/34569
Committed: http://github.com/Juniper/contrail-controller/commit/572d56ec205a9a579262e7e4569a91b0a06fb1a9
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit 572d56ec205a9a579262e7e4569a91b0a06fb1a9
Author: Suresh Venkata <email address hidden>
Date: Fri Aug 18 18:27:32 2017 -0700

Operations on objects created pre RBAC fail, on enabling RBAC.

Description: Certain objects created pre RBAC has owner ID not
same as the id of the project in which those objects are created.
This is because the project information passed was the service
tenant. This is causing failure of operations on those objects
after enbaling RBAC.
This change will set appropriate tenant ids as the owner.

Change-Id: I108a7543b5d1241d85471382bb3779823e86b0dd
Closes-Bug: #1706218

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/34567
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/34994
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/34995
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/34567
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/34994
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/34567
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/34995
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/34994
Committed: http://github.com/Juniper/contrail-controller/commit/78a086fe7e84dc09f3eb0109bf014d38a220bf95
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit 78a086fe7e84dc09f3eb0109bf014d38a220bf95
Author: Suresh Venkata <email address hidden>
Date: Mon Aug 28 11:21:56 2017 -0700

Operations on objects created pre RBAC fail, on enabling RBAC.

Description: Certain objects created pre RBAC has owner ID not
same as the id of the project in which those objects are created.
This is because the project information passed was the service
tenant. This is causing failure of operations on those objects
after enbaling RBAC.
This change will set appropriate tenant ids as the owner.

Change-Id: I7ce9a8080b76b0ce15bd2fecc51b3a8da3903c3d
Closes-Bug: #1706218

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/34567
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/34567
Committed: http://github.com/Juniper/contrail-controller/commit/c210fd726525361b219b0709c87c9b0a5580a767
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit c210fd726525361b219b0709c87c9b0a5580a767
Author: Suresh Venkata <email address hidden>
Date: Mon Aug 28 11:02:33 2017 -0700

Operations on objects created pre RBAC fail, on enabling RBAC.

Description: Certain objects created pre RBAC has owner ID not
same as the id of the project in which those objects are created.
This is because the project information passed was the service
tenant. This is causing failure of operations on those objects
after enbaling RBAC.
This change will set appropriate tenant ids as the owner.

Change-Id: I108a7543b5d1241d85471382bb3779823e86b0dd
Closes-Bug: #1706218

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/34995
Committed: http://github.com/Juniper/contrail-controller/commit/b1415ed6297337512adf365e4f53bfefb9000783
Submitter: Zuul (<email address hidden>)
Branch: master

commit b1415ed6297337512adf365e4f53bfefb9000783
Author: Suresh Venkata <email address hidden>
Date: Mon Aug 28 11:21:56 2017 -0700

Operations on objects created pre RBAC fail, on enabling RBAC.

Description: Certain objects created pre RBAC has owner ID not
same as the id of the project in which those objects are created.
This is because the project information passed was the service
tenant. This is causing failure of operations on those objects
after enbaling RBAC.
This change will set appropriate tenant ids as the owner.

Change-Id: I7ce9a8080b76b0ce15bd2fecc51b3a8da3903c3d
Closes-Bug: #1706218

Jim Reilly (jpreilly)
tags: added: blocker
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.