RBAC rules 'context_is_project' and 'context_is_owner' ain't working

Bug #1504495 reported by Yurii Prokulevych on 2015-10-09
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Aodh
Fix Released
Undecided
Mehdi Abaakouk
Ceilometer
Fix Released
Undecided
Lianhao Lu

Bug Description

Changing "telemetry:events:index" target to use 'rule:context_is_owner' or 'rule:context_is_project' fails with 403 Error.
ceilometer event-list --no-traits
RBAC Authorization Failed (HTTP 403) (Request-ID: req-24209cdf-9b43-447d-a32a-27a3059435a7)

This is RDO Liberty setup.

Packages:
openstack-ceilometer-central-5.0.0.0b4-dev123.el7.centos.noarch
openstack-ceilometer-polling-5.0.0.0b4-dev123.el7.centos.noarch
python-ceilometer-5.0.0.0b4-dev123.el7.centos.noarch
openstack-ceilometer-alarm-5.0.0.0b4-dev123.el7.centos.noarch
openstack-ceilometer-common-5.0.0.0b4-dev123.el7.centos.noarch
openstack-ceilometer-api-5.0.0.0b4-dev123.el7.centos.noarch
openstack-ceilometer-notification-5.0.0.0b4-dev123.el7.centos.noarch
openstack-ceilometer-collector-5.0.0.0b4-dev123.el7.centos.noarch
openstack-ceilometer-compute-5.0.0.0b4-dev123.el7.centos.noarch
python-ceilometerclient-1.5.1-dev1.el7.centos.noarch

Thanks,
Yurii

gordon chung (chungg) on 2015-10-13
Changed in ceilometer:
status: New → Triaged
Changed in ceilometer:
assignee: nobody → gordon chung (chungg)
status: Triaged → In Progress
ZhiQiang Fan (aji-zqfan) on 2015-11-25
Changed in aodh:
assignee: nobody → gordon chung (chungg)
Changed in aodh:
assignee: gordon chung (chungg) → Mehdi Abaakouk (sileht)
status: New → In Progress

Change abandoned by Mehdi Abaakouk (sileht) (<email address hidden>) on branch: master
Review: https://review.openstack.org/257466

Reviewed: https://review.openstack.org/254078
Committed: https://git.openstack.org/cgit/openstack/aodh/commit/?id=dde97121526973448c4fb420da838acc4b387af3
Submitter: Jenkins
Branch: master

commit dde97121526973448c4fb420da838acc4b387af3
Author: Mehdi Abaakouk <email address hidden>
Date: Mon Dec 7 09:52:57 2015 +0100

    Fix rbac system

    After investigation of the heat breakage, after
    we update the policy.json. We discover
    that the rbac have never worked as expected.
    The only rule that works is role == admin. All other
    just can't works.

    So the policy file have been changed to, By default project
    owner of the alarm should be able to change their alarms.
    And anyone can create a new alarm.

    Also the alarm definition is now passed to the policy enforcer
    to allow it checks owner of the alarms.

    Closes-bug: #1504495
    Change-Id: I408d839eec84af46adb333a6ad5c49c890513fd0

Changed in aodh:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/264103
Committed: https://git.openstack.org/cgit/openstack/aodh/commit/?id=5f01d9108d12475b67bede918e9a88bfd464d155
Submitter: Jenkins
Branch: stable/liberty

commit 5f01d9108d12475b67bede918e9a88bfd464d155
Author: Mehdi Abaakouk <email address hidden>
Date: Wed Nov 25 10:01:06 2015 +0100

    Update policy.json.sample with correct values

    Related-bug: #1504495

    The conflicts is just a useless additional import.

    Conflicts:
     aodh/tests/functional/gabbi/fixtures.py

    Change-Id: I8de76d9229fc5e5b3dd74a11067258ea9cc4616b
    (cherry picked from commit 8e3a6467bb9809079e5f6c596ce1a3746eb4ff39)

tags: added: in-stable-liberty

Reviewed: https://review.openstack.org/260478
Committed: https://git.openstack.org/cgit/openstack/aodh/commit/?id=410d8da15d6c6f14e86cd8eac21f696a1ef5fa86
Submitter: Jenkins
Branch: stable/liberty

commit 410d8da15d6c6f14e86cd8eac21f696a1ef5fa86
Author: Mehdi Abaakouk <email address hidden>
Date: Mon Dec 7 09:52:57 2015 +0100

    Fix rbac system

    After investigation of the heat breakage, after
    we update the policy.json. We discover
    that the rbac have never worked as expected.
    The only rule that works is role == admin. All other
    just can't works.

    So the policy file have been changed to, By default project
    owner of the alarm should be able to change their alarms.
    And anyone can create a new alarm.

    Also the alarm definition is now passed to the policy enforcer
    to allow it checks owner of the alarms.

    Closes-bug: #1504495

    Conflicts:
     aodh/tests/functional/gabbi/fixtures.py

    The conflict is an useless additional import.

    Change-Id: I408d839eec84af46adb333a6ad5c49c890513fd0
    (cherry picked from commit dde97121526973448c4fb420da838acc4b387af3)

Reviewed: https://review.openstack.org/260479
Committed: https://git.openstack.org/cgit/openstack/aodh/commit/?id=3a05a1df615e0ae8ce0461dbcabcb763ebbe32bc
Submitter: Jenkins
Branch: stable/liberty

commit 3a05a1df615e0ae8ce0461dbcabcb763ebbe32bc
Author: Mehdi Abaakouk <email address hidden>
Date: Mon Dec 14 14:54:42 2015 +0100

    rbac: add some backport compat tests

    The old rbac wasn't really works only the segregration was applied.
    Even it's fixed now the legacy policy.json should continue to works.

    Related-bug: #1504495

    Conflicts:
     aodh/tests/functional/api/v2/test_alarm_scenarios.py

    Change-Id: I050b2245d78780cb49b47b317a1a245b8e0a58eb
    (cherry picked from commit 4101ab5d9f423c7a5ecdd1a090919db2bf174886)

Changed in ceilometer:
assignee: gordon chung (chungg) → Lianhao Lu (lianhao-lu)

Reviewed: https://review.openstack.org/234823
Committed: https://git.openstack.org/cgit/openstack/ceilometer/commit/?id=f63470e0e257fa59ac9419e616cac17cf6e75510
Submitter: Jenkins
Branch: master

commit f63470e0e257fa59ac9419e616cac17cf6e75510
Author: gordon chung <email address hidden>
Date: Wed Oct 14 10:49:40 2015 -0400

    Fix events rbac

    Rbac context is limited not by policy but is inherently built in
    as we cannot enforce policy on a list.

    This patch drops the dummy policy, the invalid context_is_project
    and context_is_admin policies, and ensures policy rbac can restrict
    on admin appropriately.

    Closes-Bug: #1504495
    Change-Id: Id3b1ad71aea46456c6e6c1995776b988017d4786

Changed in ceilometer:
status: In Progress → Fix Released

This issue was fixed in the openstack/ceilometer 6.0.0.0b3 development milestone.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers