[vcenter only 5.0] Attaching contrail-security tag to VM is failing

Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Juniper Openstack | Status tracked in Trunk | | |
R5.0 | Fix Released | High | ram yadav |
Trunk | Fix Committed | High | ram yadav |
Bug Description
Edouard,
On second thought, it's not right to derive the VM's owner from the VMI, since the VMI can belong to a different project, as in the case of a port borrowed from a shared VN.
Believe the behavior from the config perspective is good and we don’t need any patch.
Just my 2 cents.
- Senthil
On 7/5/18, 4:02 AM, "Sachchidanand Vaidya" <email address hidden> wrote:
+Ram
Sent from my iPhone
> On Jul 4, 2018, at 11:51 PM, Edouard Thuleau <email address hidden> wrote:
>
> Hi,
>
> Yes, seems to be specific to vcenter case. For neutron, 'perms2.owner'
> field is set for most of the created resources in the Contrail plugin
> code and if not API server fill it with the HTTP_X_PROJECT_ID request
> header if set (if not fall back to 'cloud-admin').
> I think we have to write a method to return the project owner if
> 'perms2.owner' field is not present, to treat each case separately.
> For example, for VM get project from VMI ref, for IIP get project from
> VN or VMI ref or for FIP get FIP pool parent then VN parent then project...
> Or perhaps, before treating each case, check if the parent resource (if it
> exists) has 'perms2.owner' set; if yes, consider it as the resource owner.
>
> Édouard.
>
>> On 03/07/2018 20:44, Senthilnathan Murugappan wrote:
>> Hi Edouard,
>>
>> Yes that would work too.
>> But since multi-tenancy is not supported, maybe the local-scope use case itself doesn't fit?
>>
>> BTW in Openstack environments even if RBAC is not enabled we do populate the perms2 with correct ownership information so this issue is specific to vCenter.
>>
>> Thanks,
>> Senthil
>>
>>
>> On 7/3/18, 2:04 AM, "Edouard Thuleau" <email address hidden> wrote:
>>
>> Hi Senthil,
>>
>> The problem is specific to the VM resource as it does not have a parent and, if
>> RBAC is not enabled, we cannot determine the domain/project it
>> belongs to. In the first Contrail model (before 1.10, if I remember
>> correctly) it was the owner of the VMI, but now it only has refs to its
>> VMIs and those VMIs are owned by the project. And in the Contrail model, a VM
>> should not exist if it does not have at least one ref to a VMI.
>>
>> So for that specific case (VM and RBAC not enabled), we could try to
>> determine the owner with the VMI ref, what do you think?
>>
>> Édouard.
>>
>>> On 02/07/2018 22:31, Senthilnathan Murugappan wrote:
>>> Correcting Edouard's email id.
>>>
>>> *From: *Senthilnathan Murugappan <email address hidden>
>>> *Date: *Monday, July 2, 2018 at 1:29 PM
>>> *To: *Aswani Kumar Gaddam <email address hidden>, Édouard Thuleau
>>> <email address hidden>
>>> *Cc: *Sandip Dey <email address hidden>, Sudheendra Rao
>>> <email address hidden>, Sachchidanand Vaidya <email address hidden>
>>> *Subject: *Re: Contrail-security regression on vcenter setup
>>>
>>> + Edouard, Sachin
>>>
>>> Sachin, Edouard,
>>>
>>> In vCenter, perms2 ownership of the object (virtual-machine in this
>>> case) is set to 'cloud-admin', unlike OpenStack, wherein it would be the
>>> project it belongs to.
>>>
>>> We may either need to set the perms2 ownership to ‘vCenter’ projects
>>> uuid or say we support global scope alone in vCenter environment since
>>> it doesn’t support multi-tenancy.
>>>
>>> FYI:
>>>
>>> http://
>>>
>>> Thanks,
>>>
>>> Senthil
>>>
>>> *From: *Aswani Kumar Gaddam <email address hidden>
>>> *Date: *Sunday, July 1, 2018 at 7:55 AM
>>> *To: *Senthilnathan Murugappan <email address hidden>
>>> *Cc: *Sandip Dey <email address hidden>, Sudheendra Rao
>>> <email address hidden>
>>> *Subject: *Contrail-security regression on vcenter setup
>>>
>>> Hi Senthil,
>>>
>>> I am running contrail-security regression on 5.0 vcenter setup
>>>
>>> All local-scope test cases are failing while adding a tag to virtual_machine
>>>
>>> I debugged and found it's not able to determine the scope of the tag
>>>
>>> Can you please help me to debug this
>>>
>>> I tried to attach the same tag to virtual-network and it's working
>>>
>>> vh=VncApi(
>>>
>>> vh.tag_
>>>
>>> <vnc_api.
>>>
>>>>>> ta=vh.tag_
>>>
>>> Tried to set to virtual-network
>>>
>>> vn=vh.virtual_
>>>
>>>>>> tag.tag_value
>>>
>>> u'web'
>>>
>>>>>> tag.tag_type_name
>>>
>>> u'tier'
>>>
>>>>>> vh.set_
>>>
>>> {}
>>>
>>> tag_refs: [
>>>   {
>>>     "to": ["default-domain", "vCenter", "application=eng"],
>>>     "href": "http://
>>>     "attr": null,
>>>     "uuid": "6421c191-
>>>   },
>>>   {
>>>     "to": ["default-domain", "vCenter", "tier=web"],
>>>     "href": "http://
>>>     "attr": null,
>>>     "uuid": "41f96337-
>>>   }
>>> ],
>>>
>>> Tried the same tag on virtual-machine and it's failing
>>>
>>> temp.uuid
>>>
>>> u'50244014-
>>>
>>>>>> vh.set_
>>>
>>> Traceback (most recent call last):
>>>   File "<stdin>", line 1, in <module>
>>>   File "/usr/lib/
>>> in set_tag
>>>     return self.set_tags(obj, tags_dict)
>>>   File "/usr/lib/
>>> in set_tags
>>>     content = self._request_
>>>   File "/usr/lib/
>>> _request_server
>>>     retry_after_
>>>   File "/usr/lib/
>>> in _request
>>>     % (op, url, data, content))
>>> vnc_api.
>>> body {"tier": {"is_global": false, "value": "web"}, "obj_type":
>>> "virtual_machine", "obj_uuid": "50244014-
>>> response Not able to determine the scope of the tag 'tier=web'
>>>
>>> Testbed
>>>
>>> Nodei127(
>>>
>>> Thanks,
>>>
>>> Aswani Kumar
>>>
tags: | added: beta-blocker vcenter-only |
tags: | removed: beta-blocker |
tags: | added: contrail-security |
tags: | added: beta-blocker |
Edouard,
I'm not very clear on the discussion here, but let me summarize my understanding:
1. perm2.owner field is set in the API server when RBAC is enabled. And API server uses keystone credentials for the same. I'm hoping HTTP_X_PROJECT_ID request is used with reference to keystone request.
2. Since keystone equivalent is not supported in vCenter we don’t have RBAC support for vCenter ( same I hope for kubernetes, but will let someone from kubernetes team confirm it.)
3. Since perms2.owner is not set via vCenter plugin, it defaults to ‘cloud-admin’ since RBAC is not enabled and hence API server cannot use keystone to get the perm2.owner.
Given the above understanding, are you asking the vCenter plugin to set the perm2.owner field for VMs created? Is it possible to set it internally in the API server, instead of each plugin setting it?
Thanks,
Ram