Security Group Rule Wrong Project Id

Bug #1956091 reported by Mesut Muhammet Şahin
Affects: OpenStack Dashboard (Horizon)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hello,

We created a role named `security_admin` for our security team and allowed it to add/delete security rules for projects. But our sec team could not delete some rules. When we investigated the issue, we saw that some security group rules were created with the wrong project_id. We found out how this can happen. I describe the tested scenario:

1. Enter security group page for a project
2. Click `Add Rule` button
3. Then open a new browser tab and switch to another project
4. Return to the older `Add Rule` page, then add a new rule

Then when we checked the security group rule's project id, we saw the wrong project_id. So our security_admin role could not delete the rule. We have two questions.

1) Is there any known issue that gives an sg rule the wrong project_id value when a new browser tab is opened with another project?

# List projects with ids

(openstack-client) ➜ ~ openstack project list
+----------------------------------+------------+
| ID                               | Name       |
+----------------------------------+------------+
| f9300721d2ab44909a1aeba228bbb4db | ProjectA   |
| 42c15a29b6c14e53b36b8eb16bfcc31d | ProjectB   |
+----------------------------------+------------+

# Create an sg for the `ProjectA` project and show the sg's project_id

(openstack-client) ➜ ~ openstack security group show my-sg-test
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at | 2021-12-31T08:07:13Z |
| description | |
| id | 6f223ca4-4cd1-4445-a94b-93029c69a261 |
| name | my-sg-test |
| project_id | f9300721d2ab44909a1aeba228bbb4db |
| revision_number | 1 |
| rules | created_at='2021-12-31T08:50:51Z', description='custom rule', direction='ingress', ethertype='IPv4', id='395e5fd7-7df3-4d37-b321-7482e7f5c8c4', remote_ip_prefix='0.0.0.0/0', updated_at='2021-12-31T08:50:51Z' |
| | created_at='2021-12-31T08:45:27Z', direction='egress', ethertype='IPv4', id='b7040dd6-4416-45a7-9d59-c40c6d2948f9', updated_at='2021-12-31T08:45:27Z' |
| | created_at='2021-12-31T08:45:27Z', direction='egress', ethertype='IPv6', id='d4753ff6-66ef-4f9d-89cc-1ff1478d69fd', updated_at='2021-12-31T08:45:27Z' |
| stateful | True |
| tags | [] |
| updated_at | 2021-12-31T08:07:13Z |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+

# Create an sg rule as in the scenario explained above, then check the sg rule's project_id

(openstack-client) ➜ ~ openstack security group rule show 395e5fd7-7df3-4d37-b321-7482e7f5c8c4
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| created_at              | 2021-12-31T08:50:51Z                 |
| description             | custom rule                          |
| direction               | ingress                              |
| ether_type              | IPv4                                 |
| id                      | 395e5fd7-7df3-4d37-b321-7482e7f5c8c4 |
| name                    | None                                 |
| port_range_max          | None                                 |
| port_range_min          | None                                 |
| project_id              | 42c15a29b6c14e53b36b8eb16bfcc31d     |
| protocol                | None                                 |
| remote_address_group_id | None                                 |
| remote_group_id         | None                                 |
| remote_ip_prefix        | 0.0.0.0/0                            |
| revision_number         | 0                                    |
| security_group_id       | 6f223ca4-4cd1-4445-a94b-93029c69a261 |
| tags                    | []                                   |
| updated_at              | 2021-12-31T08:50:51Z                 |
+-------------------------+--------------------------------------+

The security group's project_id and the security group rule's project_id are not the same.

When deleting the rule via Horizon, we see a warning like: Error: Unable to delete rule: ALLOW IPv4 from 0.0.0.0/0

When deleting the rule via the CLI, we see these logs:

...
RESP BODY: {"security_group_rule": {"id": "395e5fd7-7df3-4d37-b321-7482e7f5c8c4", "tenant_id": "42c15a29b6c14e53b36b8eb16bfcc31d", "security_group_id": "6f223ca4-4cd1-4445-a94b-93029c69a261", "ethertype": "IPv4", "direction": "ingress", "protocol": null, "port_range_min": null, "port_range_max": null, "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": null, "description": "custom rule", "created_at": "2021-12-31T08:50:51Z", "updated_at": "2021-12-31T08:50:51Z", "revision_number": 0, "project_id": "42c15a29b6c14e53b36b8eb16bfcc31d"}}
GET call to network for https://my.domain.com:9696/v2.0/security-group-rules/395e5fd7-7df3-4d37-b321-7482e7f5c8c4 used request id req-83b10a86-ddd5-4112-bff1-abf075d5a2d7
REQ: curl -g -i -X DELETE https://my.domain.com:9696/v2.0/security-group-rules/395e5fd7-7df3-4d37-b321-7482e7f5c8c4 -H "User-Agent: openstacksdk/0.55.0 keystoneauth1/4.3.1 python-requests/2.25.1 CPython/3.8.2" -H "X-Auth-Token: {SHA256}9dlgorpsjg8493de05897b25a12b0d07gksl5lrt8abe28ef8f582451ef71hjkf5"
https://my.domain.com:9696 "DELETE /v2.0/security-group-rules/395e5fd7-7df3-4d37-b321-7482e7f5c8c4 HTTP/1.1" 404 155
RESP: [404] content-length: 155 content-type: application/json date: Fri, 31 Dec 2021 08:52:14 GMT x-openstack-request-id: req-3ab4f5b0-836c-4b5e-b026-9c2a8898ffd2
RESP BODY: {"NeutronError": {"type": "SecurityGroupRuleNotFound", "message": "Security group rule 395e5fd7-7df3-4d37-b321-7482e7f5c8c4 does not exist", "detail": ""}}
DELETE call to network for https://my.domain.com:9696/v2.0/security-group-rules/395e5fd7-7df3-4d37-b321-7482e7f5c8c4 used request id req-3ab4f5b0-836c-4b5e-b026-9c2a8898ffd2
clean_up DeleteSecurityGroupRule:

2) We gave all sg permissions to the `security_admin` role, but why can't they delete the sg rule? Are there any wrong or missing permissions? (We assigned the group with the security_admin role in the project permissions.)

(horizon)[root@osp-test-controller-01 openstack-dashboard]# cat neutron_policy.yaml

"context_is_admin": "role:admin"
"admin_only": "rule:context_is_admin"
"security_admin": "role:security_admin"
"admin_or_security_admin": "rule:admin_only or rule:security_admin"
...
"create_security_group": "rule:admin_or_security_admin"
"get_security_group": "rule:admin_or_security_admin"
"update_security_group": "rule:admin_or_security_admin"
"delete_security_group": "rule:admin_or_security_admin"
"create_security_group_rule": "rule:admin_or_security_admin"
"get_security_group_rule": "rule:admin_or_security_admin"
"delete_security_group_rule": "rule:admin_or_security_admin"
...

Expected result
===============
New role members can delete the sg rule

Actual result
=============
New role members can't delete the sg rule

Environment
===========
 OpenStack Victoria Cluster installed via kolla-ansible to Ubuntu 20.04.2 LTS Hosts. (Kernel:5.4.0-90-generic)
 horizon version : 18.6.3.dev29
 Networking Type: Neutron with OpenVSwitch |"neutron-openvswitch-agent", "neutron-l3-agent" and "neutron-server" version is "17.2.2.dev46"
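An audit check for the mismatch described in this report, written as an added example (not part of the bug report, Horizon or Neutron). It walks security groups in the Neutron API shape (the `project_id` / `security_group_rules` fields seen in the RESP BODY above) and flags every rule whose project_id differs from its parent group's; the sample data is constructed from the report's values, and the optional live fetch assumes openstacksdk is installed.

```python
"""Find security group rules whose project_id differs from their group's.

Added example for this bug report. Input is a list of security group dicts
in the Neutron API representation: each has 'id', 'project_id' (or the
older 'tenant_id') and a 'security_group_rules' list of rule dicts.
"""
from typing import Dict, Iterable, List


def find_mismatched_rules(security_groups: Iterable[Dict]) -> List[Dict]:
    """Return one finding per rule whose project_id is not the group's."""
    findings = []
    for sg in security_groups:
        sg_project = sg.get("project_id") or sg.get("tenant_id")
        for rule in sg.get("security_group_rules") or []:
            rule_project = rule.get("project_id") or rule.get("tenant_id")
            if rule_project != sg_project:
                findings.append({
                    "rule_id": rule["id"],
                    "security_group_id": sg["id"],
                    "group_project_id": sg_project,
                    "rule_project_id": rule_project,
                    "direction": rule.get("direction"),
                    "ethertype": rule.get("ethertype"),
                })
    return findings


# Constructed sample shaped like the report: my-sg-test belongs to ProjectA,
# but its ingress rule was stored with ProjectB's project_id.
SAMPLE_GROUPS = [{
    "id": "6f223ca4-4cd1-4445-a94b-93029c69a261",
    "name": "my-sg-test",
    "project_id": "f9300721d2ab44909a1aeba228bbb4db",
    "security_group_rules": [
        {"id": "395e5fd7-7df3-4d37-b321-7482e7f5c8c4", "direction": "ingress",
         "ethertype": "IPv4", "project_id": "42c15a29b6c14e53b36b8eb16bfcc31d"},
        {"id": "b7040dd6-4416-45a7-9d59-c40c6d2948f9", "direction": "egress",
         "ethertype": "IPv4", "project_id": "f9300721d2ab44909a1aeba228bbb4db"},
    ],
}]


def collect_from_cloud() -> List[Dict]:
    """Fetch live groups with openstacksdk (assumed installed; needs admin scope)."""
    import openstack  # imported lazily so the offline check above still runs
    conn = openstack.connect()  # credentials from clouds.yaml or OS_* env vars
    return [sg.to_dict() for sg in conn.network.security_groups()]


if __name__ == "__main__":
    for f in find_mismatched_rules(SAMPLE_GROUPS):
        print(f"rule {f['rule_id']} in sg {f['security_group_id']}: "
              f"group project {f['group_project_id']} != rule project {f['rule_project_id']}")
```

Run it against `collect_from_cloud()` instead of `SAMPLE_GROUPS` to list every rule an owner-scoped role would be unable to see or delete for this reason.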
