[rbac] Reader user able to delete a user message

Bug #2009818 reported by Yosi Ben Shimon
This bug affects 1 person

Affects: Cinder
Status: New
Importance: Medium
Assigned to: Tushar Trambak Gite
Milestone: (none)

Bug Description

User with reader creds can delete user message.
The expected response code is 403 (forbidden) but the actual response is 204.

Steps to reproduce:
1. Create a volume in such a way that will result in a volume in "error" state.
For example, invalid extra_specs in the volume type
2. Try to delete the user_message using a reader user

Tags: rbac
Eric Harney (eharney)
tags: added: rbac
Changed in cinder:
importance: Undecided → Medium
Tushar Trambak Gite (tushargite96) wrote :

I would like to work on this bug.

Changed in cinder:
assignee: nobody → Tushar Trambak Gite (tushargite96)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/cinder/+/880434

Changed in cinder:
status: New → In Progress
Eric Harney (eharney) wrote :

I tried this and wasn't able to reproduce it:
deployed devstack w/ srbac enabled

$ source ~/devstack/openrc admin admin
$ cinder type-create badtype
$ cinder type-key 643b5c9e-eafa-4a1c-9d8d-8d91246dbfa7 set asdf=qwert
$ source ~/devstack/openrc demo demo
$ cinder create 1 --volume-type 643b5c9e-eafa-4a1c-9d8d-8d91246dbfa7
$ cinder message-list
$ source ~/devstack/openrc demo_reader demo
$ cinder message-delete aae9ce95-bd35-4fcb-97bf-6a44774d6090
Delete for message aae9ce95-bd35-4fcb-97bf-6a44774d6090 failed: Policy doesn't allow message:delete to be performed. (HTTP 403) (Request-ID: req-e7c90bbd-7ae6-4a8f-a4a5-88df0d95fdf2)
ERROR: Unable to delete any of the specified messages.

Yosi Ben Shimon (ybenshim) wrote :

Tested again on 17.1.0 and all tests went fine. Could be an environmental issue.
This BZ can be closed for now.

Eric Harney (eharney)
Changed in cinder:
status: In Progress → Invalid
OpenStack Infra (hudson-openstack) wrote : Change abandoned on cinder (master)

Change abandoned by "Eric Harney <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/cinder/+/880434
Reason: It isn't clear that this is actually a bug -- if you think it is, please restore the patch or add comments on the bug.

Yosi Ben Shimon (ybenshim) wrote :

Reopened this BZ as it still reproduces.
The test is https://github.com/openstack/cinder-tempest-plugin/blob/master/cinder_tempest_plugin/rbac/v3/test_user_messages.py#L125

Traceback (most recent call last):
  File "/opt/stack/tempest/.tox/tempest/lib/python3.10/site-packages/cinder_tempest_plugin/rbac/v3/test_user_messages.py", line 125, in test_delete_message
    self._delete_message(expected_status=exceptions.Forbidden)
  File "/opt/stack/tempest/.tox/tempest/lib/python3.10/site-packages/cinder_tempest_plugin/rbac/v3/test_user_messages.py", line 95, in _delete_message
    self.do_request(
  File "/opt/stack/tempest/.tox/tempest/lib/python3.10/site-packages/cinder_tempest_plugin/rbac/v3/base.py", line 81, in do_request
    self.assertRaises(expected_status,
  File "/opt/stack/tempest/.tox/tempest/lib/python3.10/site-packages/testtools/testcase.py", line 468, in assertRaises
    self.assertThat(our_callable, matcher)
  File "/opt/stack/tempest/.tox/tempest/lib/python3.10/site-packages/testtools/testcase.py", line 481, in assertThat
    raise mismatch_error
testtools.matchers._impl.MismatchError: <bound method MessagesClient.delete_message of <tempest.lib.services.volume.v3.messages_client.MessagesClient object at 0x7f97ceac68f0>> returned {}

Yosi Ben Shimon (ybenshim) wrote :

Reopened this BZ as it still reproduces

Changed in cinder:
status: Invalid → New
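The policy behaviour this report expects (a reader-role user gets 403 on `message:delete`, a project member or admin gets 204), as an added example that is not cinder's or oslo.policy's own code: a minimal stand-in for oslo.policy rule evaluation plus an audit helper that lists every rule a reader-only context can pass, which is the kind of check that catches a delete rule left open to readers. Apart from `message:delete`, the rule names and check strings are assumed simplifications of cinder's defaults.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    roles: frozenset
    project_id: str

# Constructed policy table, a simplification of cinder's defaults (assumed):
# only "message:delete" is a rule name taken from the report itself.
POLICIES = {
    "admin_api": "role:admin",
    "project_member": "role:member and project_id:%(project_id)s",
    "project_reader": "role:reader and project_id:%(project_id)s",
    "message:get": "rule:admin_api or rule:project_member or rule:project_reader",
    "message:delete": "rule:admin_api or rule:project_member",
}

def _atom(atom, ctx, target, policies):
    """Evaluate one check ("role:x", "rule:x", "project_id:%(project_id)s")."""
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in ctx.roles
    if kind == "rule":
        return enforce(value, ctx, target, policies)
    # Generic check: substitute the target attribute, compare with the credential.
    return getattr(ctx, kind) == value % target

def enforce(rule, ctx, target, policies=POLICIES):
    """Tiny stand-in for oslo.policy: "or"/"and" only, no parentheses."""
    check_str = policies[rule]
    if check_str in ("", "@"):   # oslo.policy: empty or "@" allows everyone
        return True
    if check_str == "!":         # "!" denies everyone
        return False
    return any(all(_atom(a.strip(), ctx, target, policies) for a in term.split(" and "))
               for term in check_str.split(" or "))

def delete_message(ctx, message_project_id, policies=POLICIES):
    """HTTP status the API would return: 204 when allowed, 403 when policy denies."""
    target = {"project_id": message_project_id}
    return 204 if enforce("message:delete", ctx, target, policies) else 403

def reader_passable_rules(policies, project_id="proj-a"):
    """Audit helper: rule names a reader-only context passes; a write rule here is a bug."""
    reader = Context(frozenset({"reader"}), project_id)
    target = {"project_id": project_id}
    return sorted(r for r in policies if enforce(r, reader, target, policies))
```

Running `reader_passable_rules` against a policy table where `message:delete` has an empty check string reports that rule as reader-passable, which is the 204-instead-of-403 symptom the tempest test asserts against.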