RBAC Permission Denied
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Juniper Openstack | New | Undecided | Bogdan Ratiu |
OpenContrail | New | Undecided | Unassigned |
Bug Description
Hi,
On a setup with 3 nodes (running Centos 7.3):
-Openstack node (Mitaka)
-Contrail config, controller, analytics node (Contrail 3.2.5)
-compute node
The Openstack was installed first, then Contrail was installed and provisioned using the fab tool.
Reproduce steps:
1. Enable RBAC authentication
2. Test RBAC authentication in the GUI:
a. Create a Member role user named "test".
b. In the GUI go to Configure-
c. Check in the CLI that everything is ok:
```
[root@contrail lib]# python /opt/contrail/
AAA mode is rbac
Oper = read
Name = ['default-
UUID = None
API Server = 127.0.0.1:8082
Rules (8):
----------
1 fqname-to-id *:CRUD,
2 id-to-fqname *:CRUD,
3 useragent-kv *:CRUD,
4 documentation *:R,
5 /.* *:R,
6 *.* Member:R,
7 / *:R,
8 *.* Member:CRUD,
```
d. In the GUI log in as the Member and try to create a simple virtual network.
It will succeed.
Conclusion: Basic RBAC is working ok.
3. Attempt a bit more complicated test:
In the GUI:
a. Remove *.* CRUD rights from Member.
b. Replace with:
*.* R for Member
virtual-
network-
Check the CLI:
```
[root@contrail lib]# python /opt/contrail/
AAA mode is rbac
Oper = read
Name = ['default-
UUID = None
API Server = 127.0.0.1:8082
Rules (10):
----------
1 fqname-to-id *:CRUD,
2 id-to-fqname *:CRUD,
3 useragent-kv *:CRUD,
4 documentation *:R,
5 /.* *:R,
6 *.* Member:R,
7 / *:R,
8 *.* Member:R,
9 virtual-networks.* Member:CRUD,
10 network-ipams.* Member:CRUD,
```
c. Go back to the GUI and as the Member attempt to create a new virtual-network. It will fail!
The error will be: Permission Denied. (see attachment).
Additional info:
I have enabled debugging and checked in the contrail-api.log.
In the first case when everything is ok, I can see a long list of RBAC checks being done:
```
09/08/2017 05:22:10 PM [contrail-api]: __default__ [SYS_NOTICE]: VncApiNotice: rbac: +++ (R:67b6047f-
09/08/2017 05:22:14 PM [contrail-api]: __default__ [SYS_NOTICE]: VncApiNotice: rbac: +++ (W:67b6047f-
09/08/2017 05:22:14 PM [contrail-api]: __default__ [SYS_NOTICE]: VncApiNotice: rbac: +++ (R:f4f89069-
```
In the second case, I can only see one check and that check is also successful, but somehow the other checks are not done:
```
09/08/2017 05:12:41 PM [contrail-api]: __default__ [SYS_NOTICE]: VncApiNotice: rbac: +++ (R:67b6047f-
```
Is this a known issue? Is RBAC supposed to be used with such granularity?
Bottom line: *.* CRUD works for Member. Just specific rights will not be enough.
I suspected that there are some dependencies, so I went in the GUI and added all the items from the Object list one by one, added * for the Property and added CRUD for each one of them (more than 50 items).
Even after doing this I was still unable to create a new network as the Member user in the GUI.
Changed in juniperopenstack:
assignee: nobody → Suresh Vinapamula (sureshk)
After the bug fix https://bugs.launchpad.net/juniperopenstack/+bug/1699097, rules have to be configured against singular object type for individual object CRUD operations, and plural object if multiget is involved.
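To make the singular-versus-plural point concrete, the following is an added example (my own code, not OpenContrail's implementation) that replays the two rule sets from the CLI listings above against a create request and a list request by the Member role. The matching semantics it uses are assumptions: the object type in a rule is compared literally (so `virtual-networks.*` never matches a request on `virtual-network`), and any one matching rule whose permission set contains the operation letter grants the request. The request table that maps "create" to the singular type and "list" to the plural type follows the comment above.

```python
# Added example: a small model of Contrail-style RBAC rule matching.
# NOT OpenContrail code; the matching rules below are assumptions made
# to illustrate why a plural-type rule does not cover a single-object create.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    obj_type: str  # object type named in the rule: "virtual-network", "virtual-networks", "*"
    prop: str      # property name, "*" for any
    role: str      # role name, "*" for any
    perms: str     # subset of "CRUD"


def parse_rule(line: str) -> Rule:
    """Parse one rule in the form the CLI prints, e.g. 'virtual-networks.* Member:CRUD'.
    A leading row number and trailing comma (present in the CLI listing) are tolerated."""
    parts = line.strip().rstrip(",").split()
    if parts and parts[0].isdigit():
        parts = parts[1:]
    target, grant = parts
    obj_type, _, prop = target.partition(".")
    role, _, perms = grant.partition(":")
    return Rule(obj_type, prop or "*", role, perms.upper())


def parse_rules(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def is_allowed(rules: Iterable[Rule], obj_type: str, prop: str, role: str, op: str) -> bool:
    """Assumed semantics: allowed if any rule matches object type, property and role
    (exactly or via '*') and its permission set contains the operation letter.
    The object type is compared as a literal string, no singular/plural folding."""
    for r in rules:
        if r.obj_type not in ("*", obj_type):
            continue
        if r.prop not in ("*", prop):
            continue
        if r.role not in ("*", role):
            continue
        if op in r.perms:
            return True
    return False


# Requests modelled on the comment: per-object CRUD targets the singular type,
# a list (multiget) targets the plural type. Property "*" stands for the whole object.
REQUESTS: Dict[str, Tuple[str, str, str]] = {
    "create virtual-network": ("virtual-network", "*", "C"),
    "read virtual-network": ("virtual-network", "*", "R"),
    "list virtual-networks": ("virtual-networks", "*", "R"),
}


def evaluate(rules_text: str, role: str = "Member") -> Dict[str, bool]:
    """Return, per request name, whether `role` is allowed under `rules_text`."""
    rules = parse_rules(rules_text)
    return {name: is_allowed(rules, obj, prop, role, op)
            for name, (obj, prop, op) in REQUESTS.items()}


# Rule sets copied from the two CLI listings in the bug description.
CASE1_RULES = """
1 fqname-to-id *:CRUD,
2 id-to-fqname *:CRUD,
3 useragent-kv *:CRUD,
4 documentation *:R,
5 /.* *:R,
6 *.* Member:R,
7 / *:R,
8 *.* Member:CRUD,
"""

CASE2_RULES = """
1 fqname-to-id *:CRUD,
2 id-to-fqname *:CRUD,
3 useragent-kv *:CRUD,
4 documentation *:R,
5 /.* *:R,
6 *.* Member:R,
7 / *:R,
8 *.* Member:R,
9 virtual-networks.* Member:CRUD,
10 network-ipams.* Member:CRUD,
"""

# Singular-type rule, as the comment says is required for per-object CRUD (constructed).
FIXED_RULE = "virtual-network.* Member:CRUD"

if __name__ == "__main__":
    for label, text in (("case 1 (*.* CRUD)", CASE1_RULES),
                        ("case 2 (plural rule only)", CASE2_RULES),
                        ("case 2 + singular rule", CASE2_RULES + FIXED_RULE)):
        print(label, evaluate(text))
```

Under these assumptions the second rule set lets Member read any object and list virtual-networks, but the create is refused because no rule names the singular `virtual-network` type; adding the singular rule restores it. When auditing a Contrail RBAC policy, checking which rules actually match each object type a role needs is the quickest way to spot such gaps.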