User with Reader role can create/delete/update a snapshot

Bug #2017108 reported by Evelina Shames
Affects: Cinder
Status: New
Importance: Medium
Assigned to: Brian Rosmaita
Milestone: (none)

Bug Description

A user with a reader role can create, delete and update a snapshot, while these operations should be forbidden for a reader role.

Create snapshot:
2023-04-17 10:19:13,615 90998 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_create_snapshot): 202 POST https://10.208.192.76/volume/v3/cb6665e5b6e141afb266133504c1ed5b/snapshots 0.259s
2023-04-17 10:19:13,616 90998 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
        Body: {"snapshot": {"volume_id": "982b7bce-419d-47fd-876b-02e8be21e4d6", "name": "tempest-ProjectReaderTests-Snapshot-116359214"}}
    Response - Headers: {'date': 'Mon, 17 Apr 2023 10:19:13 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'content-type': 'application/json', 'x-compute-request-id': 'req-dfb07e79-39af-4656-8f37-e15fbf383457', 'content-length': '304', 'openstack-api-version': 'volume 3.0', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-dfb07e79-39af-4656-8f37-e15fbf383457', 'connection': 'close', 'status': '202', 'content-location': 'https://10.208.192.76/volume/v3/cb6665e5b6e141afb266133504c1ed5b/snapshots'}
        Body: b'{"snapshot": {"id": "0d56ea47-37df-420a-8a71-0930f9eba018", "created_at": "2023-04-17T10:19:13.570095", "updated_at": null, "name": "tempest-ProjectReaderTests-Snapshot-116359214", "description": null, "volume_id": "982b7bce-419d-47fd-876b-02e8be21e4d6", "status": "creating", "size": 1, "metadata": {}}}'
2023-04-17 10:19:13,674 90998 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:_run_cleanups): 400 DELETE https://10.208.192.76/volume/v3/cb6665e5b6e141afb266133504c1ed5b/volumes/982b7bce-419d-47fd-876b-02e8be21e4d6 0.053s

Delete snapshot:
2023-04-17 10:19:17,309 90998 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_delete_snapshot): 202 DELETE https://10.208.192.76/volume/v3/cb6665e5b6e141afb266133504c1ed5b/snapshots/59c12c8a-c184-4474-b7a9-0506dc8a1750 0.049s
2023-04-17 10:19:17,310 90998 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
        Body: None
    Response - Headers: {'date': 'Mon, 17 Apr 2023 10:19:17 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'content-length': '0', 'content-type': 'text/html; charset=UTF-8', 'openstack-api-version': 'volume 3.0', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-631fb3ee-d374-42b9-83ba-85051d2f6d9e', 'connection': 'close', 'status': '202', 'content-location': 'https://10.208.192.76/volume/v3/cb6665e5b6e141afb266133504c1ed5b/snapshots/59c12c8a-c184-4474-b7a9-0506dc8a1750'}
        Body: b''

Update snapshot:
2023-04-17 10:20:04,506 90998 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_update_snapshot): 200 PUT https://10.208.192.76/volume/v3/cb6665e5b6e141afb266133504c1ed5b/snapshots/a48fef56-4f6a-47a9-9589-27fc5d8ba833 0.047s
2023-04-17 10:20:04,507 90998 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
        Body: {"snapshot": {"description": "ProjectReaderTests-update_test"}}
    Response - Headers: {'date': 'Mon, 17 Apr 2023 10:20:04 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'content-type': 'application/json', 'x-compute-request-id': 'req-afa036a5-6264-4c36-b1de-955cb4ee3cc1', 'content-length': '361', 'openstack-api-version': 'volume 3.0', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-afa036a5-6264-4c36-b1de-955cb4ee3cc1', 'connection': 'close', 'status': '200', 'content-location': 'https://10.208.192.76/volume/v3/cb6665e5b6e141afb266133504c1ed5b/snapshots/a48fef56-4f6a-47a9-9589-27fc5d8ba833'}
        Body: b'{"snapshot": {"id": "a48fef56-4f6a-47a9-9589-27fc5d8ba833", "created_at": "2023-04-17T10:20:02.000000", "updated_at": "2023-04-17T10:20:04.000000", "name": "tempest-VolumeV3RbacBaseTests-Snapshot-1274850386", "description": "ProjectReaderTests-update_test", "volume_id": "db10eaba-6823-425c-b31e-8ce9ba563d4c", "status": "available", "size": 1, "metadata": {}}}'

Update snapshot status:
2023-04-17 10:20:12,557 90998 INFO [tempest.lib.common.rest_client] Request (ProjectReaderTests:test_update_snapshot_status): 202 POST https://10.208.192.76/volume/v3/cb6665e5b6e141afb266133504c1ed5b/snapshots/9e14efca-e903-4054-8a7b-5940bf0e8b48/action 0.056s
2023-04-17 10:20:12,558 90998 DEBUG [tempest.lib.common.rest_client] Request - Headers: {'Content-Type': 'application/json', 'Accept': 'application/json', 'X-Auth-Token': '<omitted>'}
        Body: {"os-reset_status": {"status": "error"}}
    Response - Headers: {'date': 'Mon, 17 Apr 2023 10:20:12 GMT', 'server': 'Apache/2.4.52 (Ubuntu)', 'x-compute-request-id': 'req-da5ecfb0-92d4-45d9-bb85-c6496f0aca44', 'content-length': '0', 'content-type': 'application/json', 'openstack-api-version': 'volume 3.0', 'vary': 'OpenStack-API-Version', 'x-openstack-request-id': 'req-da5ecfb0-92d4-45d9-bb85-c6496f0aca44', 'connection': 'close', 'status': '202', 'content-location': 'https://10.208.192.76/volume/v3/cb6665e5b6e141afb266133504c1ed5b/snapshots/9e14efca-e903-4054-8a7b-5940bf0e8b48/action'}
        Body: b''

These issues were found while adding snapshot tests for srbac:
https://review.opendev.org/c/openstack/cinder-tempest-plugin/+/872986

Tags: rbac
tags: added: rbac
Changed in cinder:
importance: Undecided → High
Changed in cinder:
assignee: nobody → Brian Rosmaita (brian-rosmaita)
importance: High → Medium
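
Added example (not part of the bug report or of Cinder/tempest code): a triage script that scans tempest rest_client INFO lines like those in the description and lists every mutating snapshot request that a reader-persona test had accepted with a 2xx status. It assumes the persona can be read from the test class name and that the request was sent with that persona's token; the log line records the test, not the credential, so each hit is a candidate to confirm. The sample log is constructed, and ProjectMemberTests and test_list_snapshots are hypothetical names.

```python
import re

# INFO summary line written by tempest.lib.common.rest_client, as in the report:
#   Request (<TestClass>:<test_name>): <status> <METHOD> <url> <seconds>s
REQ = re.compile(r"Request \((?P<cls>\w+):(?P<test>\w+)\): "
                 r"(?P<status>\d{3}) (?P<method>[A-Z]+) (?P<url>\S+)")
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}


def reader_write_successes(log_text, resource="snapshots"):
    """List (test, method, status, path) for each mutating request on
    `resource` that a *Reader* test class had answered with a 2xx."""
    findings = []
    for line in log_text.splitlines():
        m = REQ.search(line)
        if not m or "Reader" not in m["cls"]:
            continue  # persona inferred from the class name (assumption)
        if m["test"].startswith("_"):
            continue  # helpers such as _run_cleanups are not the operation under test
        # URL layout seen in the report: /volume/v3/<project_id>/<resource>[/<id>[/action]]
        parts = m["url"].split("/volume/v3/", 1)[-1].split("/")
        if len(parts) < 2 or parts[1] != resource:
            continue
        if m["method"] in MUTATING and m["status"].startswith("2"):
            findings.append((m["test"], m["method"], int(m["status"]),
                             "/".join(parts[1:])))
    return findings


# Constructed sample log (placeholder host, project and resource ids).
P = "2023-01-01 00:00:00,000 1 INFO [tempest.lib.common.rest_client] Request "
U = "https://192.0.2.10/volume/v3/PROJ/"
SAMPLE_LOG = "\n".join([
    P + "(ProjectReaderTests:test_create_snapshot): 202 POST " + U + "snapshots 0.259s",
    P + "(ProjectReaderTests:_run_cleanups): 400 DELETE " + U + "volumes/VOL1 0.053s",
    P + "(ProjectReaderTests:test_update_snapshot_status): 202 POST "
      + U + "snapshots/SNAP1/action 0.056s",
    P + "(ProjectReaderTests:test_list_snapshots): 200 GET " + U + "snapshots 0.040s",
    P + "(ProjectMemberTests:test_delete_snapshot): 202 DELETE " + U + "snapshots/SNAP2 0.049s",
    P + "(ProjectReaderTests:test_delete_snapshot): 403 DELETE " + U + "snapshots/SNAP3 0.049s",
])

if __name__ == "__main__":
    for finding in reader_write_successes(SAMPLE_LOG):
        print("reader write accepted:", finding)
```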