ContrailSecurity: global scope objects are not accessible by _member_ users

Bug #1730021 reported by Senthilnathan Murugappan
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Juniper Openstack (status tracked in Trunk)
R4.1 | Invalid | High | Senthilnathan Murugappan |
Trunk | Invalid | High | Senthilnathan Murugappan |

Bug Description

Global scope objects (fwp, fwr, tags et al.) are not accessible by non-admin users, since the ownership of those objects is set to cloud-admin and the global_access flag is set to 0.
It should be set to 5 for other tenants to access the global objects.

    {
        "fq_name": [
            "default-policy-management",
            "test-fwp"
        ],
        "href": "http://127.0.0.1:8095/firewall-policy/0a38707b-ebf6-4a10-b830-ede8e8ea7e69",
        "id_perms": {
            "created": "2017-11-03T23:51:11.059901",
            "creator": null,
            "description": null,
            "enable": true,
            "last_modified": "2017-11-03T23:51:20.806947",
            "permissions": {
                "group": "admin",
                "group_access": 7,
                "other_access": 7,
                "owner": "admin",
                "owner_access": 7
            },
            "user_visible": true,
            "uuid": {
                "uuid_lslong": 13272369686456729193,
                "uuid_mslong": 736462216617150992
            }
        },
        "name": "test-fwp",
        "parent_href": "http://127.0.0.1:8095/policy-management/d81d90a0-4cba-42f9-9e03-06b514419eb7",
        "parent_type": "policy-management",
        "parent_uuid": "d81d90a0-4cba-42f9-9e03-06b514419eb7",
        "perms2": {
            "global_access": 0,
            "owner": "cloud-admin",
            "owner_access": 7,
            "share": [
                {
                    "tenant": "c38c502d-342e-4e3d-8a82-0dc05550ac76",
                    "tenant_access": 7
                }
            ]
        },
        "uuid": "0a38707b-ebf6-4a10-b830-ede8e8ea7e69"
    }

Senthilnathan Murugappan (msenthil) wrote :

On the same note, the default-policy-management object also needs to have global_access set to 5, else the _member_ user is not able to access global objects from the UI (since the UI does /firewall-policys?detail=true&fields=application_policy_set_back_refs&parent_fq_name_str=default-policy-management&parent_type=policy-management).

Sachin Bansal (sbansal) wrote :

Users can select the permissions while creating objects. Can you try with that?

tags: added: releasenote
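
A simplified model of the perms2 evaluation discussed in this report, as an added example (not code from the report or from Contrail). It assumes access values are bit masks with 4 = read, 2 = write, 1 = link, that owner and share entries are matched on tenant id, and it uses a constructed second tenant id; the function names are hypothetical.

```python
# Added example: simplified model of a perms2 check, not Contrail's own code.
# Assumption: access values are bit masks, 4 = read, 2 = write, 1 = link.
READ, WRITE, LINK = 4, 2, 1

# perms2 block copied from the object in this report.
REPORTED_PERMS2 = {
    "global_access": 0,
    "owner": "cloud-admin",
    "owner_access": 7,
    "share": [{"tenant": "c38c502d-342e-4e3d-8a82-0dc05550ac76",
               "tenant_access": 7}],
}
OTHER_TENANT = "11111111-2222-3333-4444-555555555555"  # constructed id


def norm(tenant_id):
    # Assumption: ids may arrive with or without dashes, so compare bare hex.
    return tenant_id.replace("-", "").lower()


def effective_access(perms2, tenant_id):
    """Access mask a non-admin caller from tenant_id gets from perms2."""
    mask = perms2.get("global_access", 0)
    if norm(perms2.get("owner", "")) == norm(tenant_id):
        mask |= perms2.get("owner_access", 0)
    for entry in perms2.get("share", []):
        if norm(entry.get("tenant", "")) == norm(tenant_id):
            mask |= entry.get("tenant_access", 0)
    return mask


def unreachable_for_unshared_tenants(objects, needed=READ | LINK):
    """fq_names whose global_access lacks the bits in `needed`."""
    return [":".join(obj["fq_name"]) for obj in objects
            if (obj["perms2"].get("global_access", 0) & needed) != needed]


if __name__ == "__main__":
    fwp = {"fq_name": ["default-policy-management", "test-fwp"],
           "perms2": REPORTED_PERMS2}
    print(effective_access(REPORTED_PERMS2, OTHER_TENANT))  # unshared tenant
    print(effective_access(dict(REPORTED_PERMS2, global_access=5), OTHER_TENANT))
    print(unreachable_for_unshared_tenants([fwp]))
```

In this model, global_access 5 gives an unshared tenant read and link but no write, which is narrower than a share entry with access 7.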