Remove network flavor profile fails

Bug #1843290 reported by Hemachandra Reddy
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Akihiro Motoki

Bug Description

Removing a network flavor profile for non-admin roles through the API fails with "Failed to check policy tenant_id:%(tenant_id)s because Unable to verify match:%(tenant_id)s as the parent resource: tenant was not found."

Command: http://10.0.2.15:9696/v2.0/flavors/d3882929-3964-4f65-8c8f-c2f56376c4c9/service_profiles/0030208f-6d54-40c0-81fd-e79d470353bd

Expected output: Should fail with 403

Actual output: {"NeutronError": {"message": "Failed to check policy tenant_id:%(tenant_id)s because Unable to verify match:%(tenant_id)s as the parent resource: tenant was not found.", "type": "PolicyCheckError", "detail": ""}}

Version: tried with Train release.

It currently fails the Zuul job for Patrole: https://review.opendev.org/#/c/678260/.

It does not fail when tried with the openstack CLI, as that fails much earlier, when it tries to get the service profile details which a member does not have access to.

Changed in neutron:
importance: Undecided → High
tags: added: gate-failure
Ghanshyam Mann (ghanshyammann) wrote :
Slawek Kaplonski (slaweq) wrote :

Thx Ghanshyam for the help. I can reproduce this issue locally now, so I will debug it and try to propose a fix for it ASAP.

Changed in neutron:
assignee: nobody → Slawek Kaplonski (slaweq)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/682391

Changed in neutron:
status: New → In Progress
Akihiro Motoki (amotoki) wrote :

I made a basic test for a non-admin role, but it works as expected.
This is my test result: http://paste.openstack.org/show/779150/
L.257-280 tried to disassociate a service profile from a network flavor, and 403 was returned as expected.

Akihiro Motoki (amotoki) wrote :

How can we reproduce the same situation without patrole?

Hemachandra Reddy (hr858f) wrote :

This can be reproduced using https://docs.openstack.org/api-ref/network/v2/#disassociate-a-flavor with a non-admin role.

Akihiro Motoki (amotoki) wrote :

Hemachandra, but as commented above in #4, L.257-L.280 in http://paste.openstack.org/show/779150/ use a non-admin role, but the operation succeeded. There seems to be another requirement to reproduce this...

I am preparing a fresh VM to run patrole using the gate local.conf. This looks like the only way to reproduce it right now.

Slawek Kaplonski (slaweq) wrote :

@Akihiro: I reproduced this issue by installing a fresh devstack with the patrole devstack plugin enabled.
Then I had to edit the /opt/stack/tempest/etc/tempest.conf file and set:

[patrole]
rbac_test_roles = member

And then, running a test like:

tempest run --regex patrole_tempest_plugin.tests.api.network.test_flavor_service_profile_rbac.FlavorsServiceProfileExtRbacTest.test_delete_flavor_service_profile

failed with exactly the same error as described in this bug.
So I started debugging this issue and I found that it is failing to enforce policy on the match rule:

{'kind': 'rule', 'match': 'get_flavor_service_profile'}

Also, I was looking into e.g. the rocky branch, where the old policy.json file exists, and we have such an action defined there.

Slawek Kaplonski (slaweq) wrote :

I debugged it a bit more and I know why it's failing like that.

So the delete_flavor_service_profile call is going to https://github.com/openstack/neutron/blob/8b50a36341daf16c5d2c01546f6ca264fc83f7aa/neutron/api/v2/base.py#L579 and here it is forbidden for a regular user, so we are going to this except path: https://github.com/openstack/neutron/blob/8b50a36341daf16c5d2c01546f6ca264fc83f7aa/neutron/api/v2/base.py#L583

And here, before raising the exception, the ability to run the SHOW command is checked: https://github.com/openstack/neutron/blob/8b50a36341daf16c5d2c01546f6ca264fc83f7aa/neutron/api/v2/base.py#L588

But as we don't have it defined in the policy, it's failing.

Akihiro Motoki (amotoki) wrote :

I finally got the reason why this happens. We don't have an explicit policy for "get_flavor_service_profile", and the "default" rule is used as a fallback policy. The "default" policy refers to "tenant_id" to check ownership, and that triggers the error. The service profile resource has no tenant_id information, so the "default" policy cannot be used as a fallback. Thus, we need an explicit policy for "get_flavor_service_profile".
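
An added example, not neutron's or oslo.policy's code, that models the mechanism described in the two comments above: a minimal policy enforcer whose lookup of get_flavor_service_profile falls through to the "default" rule, which trips on a target that carries no tenant_id, and the same DELETE path once an explicit rule exists. The policy strings, the 403-vs-404 choice and the permissive show rule are assumptions of this model, not the content of the merged change.

```python
import re
class PolicyNotAuthorized(Exception): pass  # the policy evaluated to "deny"
class PolicyCheckError(Exception): pass     # the policy could not be evaluated

# Constructed policy tables. BUGGY has no get_flavor_service_profile entry, so
# the enforcer falls back to "default"; FIXED adds an explicit entry (assumed
# permissive here, so a denied DELETE surfaces as 403, as the bug expects).
BUGGY_POLICY = {
    "default": "rule:admin_or_owner",
    "admin_or_owner": "is_admin:True or tenant_id:%(tenant_id)s",
    "delete_flavor_service_profile": "is_admin:True",
}
FIXED_POLICY = dict(BUGGY_POLICY, get_flavor_service_profile="@")

def _check(expr, target, creds, policy):
    """Evaluate a tiny subset of oslo.policy syntax: '@', 'or', rule:<name>,
    and generic kind:literal / kind:%(field)s checks against the target."""
    if expr == "@":
        return True
    if " or " in expr:
        return any(_check(e, target, creds, policy) for e in expr.split(" or "))
    kind, _, match = expr.partition(":")
    if kind == "rule":
        return _check(policy[match], target, creds, policy)
    m = re.fullmatch(r"%\((\w+)\)s", match)
    if m is None:                    # literal, e.g. is_admin:True
        return str(creds.get(kind)) == match
    if m.group(1) not in target:     # the failure seen in this bug
        raise PolicyCheckError("Unable to verify match:%s as the parent "
                               "resource: tenant was not found" % match)
    return str(creds.get(kind)) == str(target[m.group(1)])

def enforce(action, target, creds, policy):
    """Raise PolicyNotAuthorized unless `action` is allowed for `creds`."""
    rule = policy.get(action, policy["default"])
    if not _check(rule, target, creds, policy):
        raise PolicyNotAuthorized(action)

def delete_flavor_service_profile(target, creds, policy):
    """Model of the DELETE path in neutron/api/v2/base.py: when DELETE is
    denied, consult the SHOW policy to choose between 403 and 404."""
    try:
        enforce("delete_flavor_service_profile", target, creds, policy)
        return 204
    except PolicyNotAuthorized:
        try:
            enforce("get_flavor_service_profile", target, creds, policy)
        except PolicyNotAuthorized:
            return 404               # hide the resource's existence
        return 403                   # caller may see it, so say "forbidden"
```

With BUGGY_POLICY a member's DELETE escapes as PolicyCheckError carrying the "tenant was not found" text from the bug report; with FIXED_POLICY the same call returns 403, and the default rule keeps working for resources that do carry tenant_id.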

Changed in neutron:
assignee: Slawek Kaplonski (slaweq) → Akihiro Motoki (amotoki)
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/682391
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=ac0a426017e92d5d73e97c26ef18a888e02da104
Submitter: Zuul
Branch: master

commit ac0a426017e92d5d73e97c26ef18a888e02da104
Author: Slawek Kaplonski <email address hidden>
Date: Mon Sep 16 17:33:03 2019 +0200

    Add policy config for get_flavor_service_profile operation

    Policy for this API call was commented out but it is needed
    for DELETE flavor_service_profile operation as Neutron's policy
    module looks for ability for SHOW command when DELETE is rejected
    to ensure what error message should be returned to the user.

    This patch will fix Patrole test failure, see related bug description
    for details.

    Change-Id: I4a0e97845a40888f7f2c7267d9adb7be663ee380
    Closes-Bug: #1843290

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/688256

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/688257

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/train)

Reviewed: https://review.opendev.org/688256
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=aa0fe1dda846cd83d13cf467648e5d27ffd8d257
Submitter: Zuul
Branch: stable/train

commit aa0fe1dda846cd83d13cf467648e5d27ffd8d257
Author: Slawek Kaplonski <email address hidden>
Date: Mon Sep 16 17:33:03 2019 +0200

    Add policy config for get_flavor_service_profile operation

    Policy for this API call was commented out but it is needed
    for DELETE flavor_service_profile operation as Neutron's policy
    module looks for ability for SHOW command when DELETE is rejected
    to ensure what error message should be returned to the user.

    This patch will fix Patrole test failure, see related bug description
    for details.

    Change-Id: I4a0e97845a40888f7f2c7267d9adb7be663ee380
    Closes-Bug: #1843290
    (cherry picked from commit ac0a426017e92d5d73e97c26ef18a888e02da104)

tags: added: in-stable-train
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/stein)

Reviewed: https://review.opendev.org/688257
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=472be5cb143af9c62c5b678e96ff5a8820f23438
Submitter: Zuul
Branch: stable/stein

commit 472be5cb143af9c62c5b678e96ff5a8820f23438
Author: Slawek Kaplonski <email address hidden>
Date: Mon Sep 16 17:33:03 2019 +0200

    Add policy config for get_flavor_service_profile operation

    Policy for this API call was commented out but it is needed
    for DELETE flavor_service_profile operation as Neutron's policy
    module looks for ability for SHOW command when DELETE is rejected
    to ensure what error message should be returned to the user.

    This patch will fix Patrole test failure, see related bug description
    for details.

    Change-Id: I4a0e97845a40888f7f2c7267d9adb7be663ee380
    Closes-Bug: #1843290
    (cherry picked from commit ac0a426017e92d5d73e97c26ef18a888e02da104)

tags: added: in-stable-stein
tags: added: neutron-proactive-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 14.0.4

This issue was fixed in the openstack/neutron 14.0.4 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 15.0.1

This issue was fixed in the openstack/neutron 15.0.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 16.0.0.0b1

This issue was fixed in the openstack/neutron 16.0.0.0b1 development milestone.

tags: removed: neutron neutron-proactive-backport-potential