RBAC Permission Denied

Hi,

On a setup with 3 nodes (running Centos 7.3):
-Openstack node (Mitaka)
-Contrail config, controller, analytics node (Contrail 3.2.5)
-compute node
The Openstack was installed first, then Contrail was installed and provisioned using the fab tool.

Reproduce steps:
1. Enable RBAC authentication
2. Test RBAC authentication in the GUI:
   a. Create a Member role user named "test".
   b. In the GUI go to Configure->Infrastructure->RBAC(global) and assign *.* CRUD rights for Member role.
   c. Check in the CLI that everything is ok:
[root@contrail lib]# python /opt/contrail/utils/rbacutil.py --op read
AAA mode is rbac

Oper = read
Name = ['default-global-system-config', 'default-api-access-list']
UUID = None
API Server = 127.0.0.1:8082

Rules (8):
----------
 1 fqname-to-id *:CRUD,
 2 id-to-fqname *:CRUD,
 3 useragent-kv *:CRUD,
 4 documentation *:R,
 5 /.* *:R,
 6 *.* Member:R,
 7 / *:R,
 8 *.* Member:CRUD,

   d. In the GUI log in as the Member and try to create a simple virtual network.
      It will succeed.

Conclusion: Basic RBAC is working ok.

3. Attempt a bit more complicated test:
   In the GUI:
   a. Remove *.* CRUD rights from Member.
   b. Replace with:
      *.* R for Member
      virtual-networks,* CRUD for Member
      network-ipams,* CRUD for Member

Check the CLI:
[root@contrail lib]# python /opt/contrail/utils/rbacutil.py --op read
AAA mode is rbac

Oper = read
Name = ['default-global-system-config', 'default-api-access-list']
UUID = None
API Server = 127.0.0.1:8082

Rules (10):
----------
 1 fqname-to-id *:CRUD,
 2 id-to-fqname *:CRUD,
 3 useragent-kv *:CRUD,
 4 documentation *:R,
 5 /.* *:R,
 6 *.* Member:R,
 7 / *:R,
 8 *.* Member:R,
 9 virtual-networks.* Member:CRUD,
10 network-ipams.* Member:CRUD,

    c. Go back to the GUI and as the Member attempt to create a new virtual-network. It will fail!
       The error will be: Permission Denied. (see attachment).

Additional info:
I have enabled debugging and check in the contrail-api.log
In the first case when everything is ok, I can see a long list of RBAC checks being done:

09/08/2017 05:22:10 PM [contrail-api]: __default__ [SYS_NOTICE]: VncApiNotice: rbac: +++ (R:67b6047f-425a-459b-b0bc-853fc1f7269f) project ['default-domain', 'admin'] admin=no, mode=444 mask=707 perms=700, (usr=67b6047f425a459bb0bc853fc1f7269f(admin)/own=67b6047f425a459bb0bc853fc1f7269f/sh=[])
09/08/2017 05:22:14 PM [contrail-api]: __default__ [SYS_NOTICE]: VncApiNotice: rbac: +++ (W:67b6047f-425a-459b-b0bc-853fc1f7269f) project ['default-domain', 'admin'] admin=no, mode=222 mask=707 perms=700, (usr=67b6047f425a459bb0bc853fc1f7269f(admin)/own=67b6047f425a459bb0bc853fc1f7269f/sh=[])
09/08/2017 05:22:14 PM [contrail-api]: __default__ [SYS_NOTICE]: VncApiNotice: rbac: +++ (R:f4f89069-7aef-4c8c-8c71-8dd7728b1cd8) virtual_network ['default-domain', 'admin', 'sumi'] admin=no, mode=444 mask=707 perms=700, (usr=67b6047f425a459bb0bc853fc1f7269f(admin)/own=67b6047f425a459bb0bc853fc1f7269f/sh=[])

In the second case, I can only see one check and that check is also successful, but somehow the other checks are not done:

09/08/2017 05:12:41 PM [contrail-api]: __default__ [SYS_NOTICE]: VncApiNotice: rbac: +++ (R:67b6047f-425a-459b-b0bc-853fc1f7269f) project ['default-domain', 'admin'] admin=no, mode=444 mask=707 perms=700, (usr=67b6047f425a459bb0bc853fc1f7269f(admin)/own=67b6047f425a459bb0bc853fc1f7269f/sh=[])

Is this a known issue? I RBAC supposed to be used with such granularity?

Bottom line: *.* CRUD works for Member. Just specific rights will not be enough.
I suspected that there are some dependencies, so I went in the GUI and added all the items from the Object list one by one, added * for the Property and added CRUD for each one of them (more than 50 items).
Even after doing this I was still unable to create a new network as the Member user in the GUI.