X-Auth-Sudo-Tenant-ID header not work for create subdomains

Bug #1459554 reported by stanzgy
This bug affects 1 person
Affects: Designate
Status: Won't Fix
Importance: High
Assigned to: stanzgy
Milestone: (none)

Bug Description

When we want to use X-Auth-Sudo-Tenant-ID to create subdomains for other tenants, it failed.

(admin) $ keystone tenant-list
+----------------------------------+--------------------+---------+
| id | name | enabled |
+----------------------------------+--------------------+---------+
| a5001da641e9404396b1ed8394ce2123 | admin | True |
| 7585151c61064976ac2bed6af9aeb891 | demo | True |
| 628a5e7bb9f643389c0d9274e5b1b299 | invisible_to_admin | True |
| e0713ea41012428abf4715b7cce83b4c | service | True |
+----------------------------------+--------------------+---------+

$ curl -g -X POST http://10.180.156.7:9001/v2/zones -H "Content-Type: application/json" -H "X-Auth-Token: *" -d '{"name": "a1.test.net.", "email":"<email address hidden>"}'
OK

$ curl -g -X POST http://10.180.156.7:9001/v2/zones -H "Content-Type: application/json" -H "X-Auth-Token: *" -H "X-Auth-Sudo-Tenant-ID: 7585151c61064976ac2bed6af9aeb891" -d '{"name": "a2.test.net.", "email":"<email address hidden>"}'

{"message": "Unable to create subdomain in another tenants domain", "code": 403, "type": "forbidden", "request_id": "req-fb8d7250-344f-40d3-b872-6cc37651a298"}
FAILED

$ designate domain-list
+--------------------------------------+--------------+------------+
| id | name | serial |
+--------------------------------------+--------------+------------+
| 63a09bfc-ad55-41fe-9d98-0373966ceb8e | test.net. | 1432799135 |
| fd3aff65-a79e-4d29-947d-682190c6da45 | a1.test.net. | 1432800388 |
+--------------------------------------+--------------+------------+

stanzgy (stanzgy)
summary: - X-Auth-Sudo-Tenant-ID header not work for subdomains
+ X-Auth-Sudo-Tenant-ID header not work for create subdomains
Revision history for this message
Graham Hayes (grahamhayes) wrote :

What does your policy.json file look like? And what tenants were the above requests made with?

Seems to work fine for me:

    ➜ designate git:(master) ✗ http 127.0.0.1:9001/v2/zones name=subdomain.test-dup-8.com. email=g@g.com X-Auth-Project-ID:random X-Auth-User-ID:user X-Auth-Sudo-Tenant-ID:noauth-project -v
    POST /v2/zones HTTP/1.1
    Accept: application/json
    Accept-Encoding: gzip, deflate, compress
    Content-Length: 57
    Content-Type: application/json; charset=utf-8
    Host: 127.0.0.1:9001
    User-Agent: HTTPie/0.8.0
    X-Auth-Project-ID: random
    X-Auth-Sudo-Tenant-ID: noauth-project
    X-Auth-User-ID: user

    {
        "email": "g@g.com",
        "name": "subdomain.test-dup-8.com."
    }

    HTTP/1.1 202 Accepted
    Content-Length: 509
    Content-Type: application/json; charset=UTF-8
    Date: Thu, 28 May 2015 15:40:58 GMT
    Location: http://127.0.0.1:9001/v2/zones/7ef05ee8-b9f3-46d3-ba66-751561bfb1ff
    X-Openstack-Request-Id: req-71eac3ec-005d-4703-95fd-f458d071150d

    {
        "action": "CREATE",
        "created_at": "2015-05-28T15:40:58.000000",
        "description": null,
        "email": "g@g.com",
        "id": "7ef05ee8-b9f3-46d3-ba66-751561bfb1ff",
        "links": {
            "self": "http://127.0.0.1:9001/v2/zones/7ef05ee8-b9f3-46d3-ba66-751561bfb1ff"
        },
        "masters": [],
        "name": "subdomain.test-dup-8.com.",
        "pool_id": "794ccc2c-d751-44fe-b57f-8894c9f5c842",
        "project_id": "noauth-project",
        "serial": 1432827658,
        "status": "PENDING",
        "transferred_at": null,
        "ttl": 3600,
        "type": "PRIMARY",
        "updated_at": null,
        "version": 1
    }

Changed in designate:
status: New → Incomplete
assignee: nobody → stanzgy (stanzgy)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to designate (master)

Fix proposed to branch: master
Review: https://review.openstack.org/186648

Changed in designate:
status: Incomplete → In Progress
Revision history for this message
stanzgy (stanzgy) wrote :

Hi Hayes, I'm using the original etc/designate/policy.json without any modification. Could you please check whether your parent domain and subdomain definitely belong to different tenants?

I checked the create_domain() source code in central/service.py; it has some hardcoded checks that ensure parent and subdomains must share the same tenant_id.

I proposed a WIP change below to allow creating subdomains if the X-Auth-Sudo-Tenant-ID header is set. However, I saw there is also some code handling superdomain/subdomain stuff. I'm not sure whether this change will break designate data consistency. Could you give it a review?

https://review.openstack.org/186648

Kiall Mac Innes (kiall)
Changed in designate:
milestone: none → liberty-1
importance: Undecided → High
Thierry Carrez (ttx)
Changed in designate:
milestone: liberty-1 → liberty-2
Kiall Mac Innes (kiall)
Changed in designate:
milestone: liberty-2 → liberty-3
Kiall Mac Innes (kiall)
Changed in designate:
milestone: liberty-3 → liberty-rc1
Kiall Mac Innes (kiall)
Changed in designate:
milestone: liberty-rc1 → none
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on designate (master)

Change abandoned by stanzgy (<email address hidden>) on branch: master
Review: https://review.openstack.org/186648

Revision history for this message
Graham Hayes (grahamhayes) wrote :

This should be handled as part of the policy.json file.

x-auth-sudo has the same semantics as Linux sudo.

Changed in designate:
status: In Progress → Won't Fix
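As an added illustration (not Designate's own code), a small Python model of the two mechanisms this thread is about: X-Auth-Sudo-Tenant-ID swaps the tenant a request acts as, gated by policy (assumed here: the admin role), and create_domain()'s check that a subdomain is owned by the same tenant as its nearest existing parent. The tenant ids are taken from the keystone listing in the report; the zones dict and function names are assumptions.

```python
from typing import Optional

# Constructed sample data: tenant ids from the keystone tenant-list in the report.
ADMIN = "a5001da641e9404396b1ed8394ce2123"   # owner of test.net. in the report
DEMO = "7585151c61064976ac2bed6af9aeb891"    # tenant named in X-Auth-Sudo-Tenant-ID


def effective_tenant(token_tenant: str, roles: set, sudo_tenant: Optional[str]) -> Optional[str]:
    """Tenant the request acts as. Like Linux sudo, the header only swaps the
    acting tenant; who may use it is a policy decision (assumed: admin role).
    Returns None when policy denies the sudo."""
    if sudo_tenant is None:
        return token_tenant
    return sudo_tenant if "admin" in roles else None


def parent_zone(name: str, zones: dict) -> Optional[str]:
    """Closest existing ancestor of `name`, e.g. test.net. for a2.test.net."""
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return None


def create_zone(name: str, token_tenant: str, roles: set, zones: dict,
                sudo_tenant: Optional[str] = None) -> dict:
    """Model of the same-tenant check in create_domain(): a subdomain must be
    owned by the tenant that owns its parent. Returns an API-style result."""
    tenant = effective_tenant(token_tenant, roles, sudo_tenant)
    if tenant is None:
        return {"code": 403, "message": "use_sudo denied by policy"}
    parent = parent_zone(name, zones)
    if parent is not None and zones[parent] != tenant:
        return {"code": 403,
                "message": "Unable to create subdomain in another tenants domain"}
    zones[name] = tenant   # zones maps zone name -> owning tenant id
    return {"code": 202, "name": name, "project_id": tenant}


if __name__ == "__main__":
    zones = {"test.net.": ADMIN}
    print(create_zone("a1.test.net.", ADMIN, {"admin"}, zones))            # 202
    # Acting as demo, but test.net. belongs to admin: the 403 from the report.
    print(create_zone("a2.test.net.", ADMIN, {"admin"}, zones, sudo_tenant=DEMO))
    # No existing parent, so sudo creates the zone for the sudo tenant (Graham's case).
    print(create_zone("subdomain.test-dup-8.com.", ADMIN, {"admin"}, zones,
                      sudo_tenant=DEMO))                                    # 202
```

The model shows why the reported request was refused by design: with the sudo header the request acts as demo, while test.net. stays owned by admin, so the parent/child ownership check fails.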