Zone transfer accept is forbidden for the non admin users

Bug #1627941 reported by Ashish Kumar Gupta
This bug affects 2 people
Affects    Status  Importance  Assigned to   Milestone
Designate  New     Undecided   Graham Hayes

Bug Description

In the Mitaka code base of Designate:
1. Source the creds for the non-admin tenant/user.
stack@user1:~$ source u1.osrc
2. Make sure a zone is created and its status is active.
stack@user1:~$ openstack zone list
+--------------------------------------+-------------+---------+------------+--------+--------+
| id                                   | name        | type    | serial     | status | action |
+--------------------------------------+-------------+---------+------------+--------+--------+
| e499e4fb-4edf-4675-a3f7-52bcba91cb47 | ashish.com. | PRIMARY | 1472201701 | ACTIVE | NONE   |
+--------------------------------------+-------------+---------+------------+--------+--------+
3. Now make a transfer request for the zone.
stack@user1:~$ openstack zone transfer request create --target-project-id 86db2b6ddc454eca854cb9fb4c907f03 e499e4fb-4edf-4675-a3f7-52bcba91cb47
+-------------------+----------------------------------------------------------------------------------------------------------------+
| Field             | Value |
+-------------------+----------------------------------------------------------------------------------------------------------------+
| created_at        | 2016-08-26T09:17:37.000000 |
| description       | None |
| id                | 89c85d93-32ac-4ebf-b05e-d5a41a74589b |
| key               | THIBLWMH |
| links             | {u'self': u'https://172.168.1.199:9001/v2/zones/tasks/transfer_requests/89c85d93-32ac-4ebf-b05e-d5a41a74589b'} |
| project_id        | e665ee6336f14127bb027acdf6f2d0ca |
| status            | ACTIVE |
| target_project_id | 86db2b6ddc454eca854cb9fb4c907f03 |
| updated_at        | None |
| zone_id           | e499e4fb-4edf-4675-a3f7-52bcba91cb47 |
| zone_name         | None |
+-------------------+----------------------------------------------------------------------------------------------------------------+
4. Try to accept the transfer request.
stack@user1:~$ openstack zone transfer accept request --transfer-id 89c85d93-32ac-4ebf-b05e-d5a41a74589b --key THIBLWMH
forbidden
stack@user1:~$ openstack --debug zone transfer accept request --transfer-id 89c85d93-32ac-4ebf-b05e-d5a41a74589b --key THIBLWMH
START with options: ['--debug', 'zone', 'transfer', 'accept', 'request', '--transfer-id', '89c85d93-32ac-4ebf-b05e-d5a41a74589b', '--key', 'THIBLWMH']
options: Namespace(access_token_endpoint='', auth_type='', auth_url='https://172.168.1.199:5000/v3', cacert='/etc/ssl/certs/ca-certificates.crt', client_id='', client_secret='**', cloud='', debug=True, default_domain='default', deferred_help=False, domain_id='', domain_name='', endpoint='', identity_provider='', insecure=None, interface='internal', log_file=None, os_compute_api_version='2', os_dns_api_version='2', os_identity_api_version='3', os_image_api_version='', os_network_api_version='', os_object_api_version='', os_project_id=None, os_project_name=None, os_volume_api_version='', password='*', project_domain_id='', project_domain_name='Default', project_id='', project_name='project1', protocol='', region_name='', scope='', timing=False, token='**', trust_id='', url='', user_domain_id='', user_domain_name='Default', user_id='', username='user1', verbose_level=3, verify=None)
defaults: {u'auth_type': 'password', u'compute_api_version': u'2', 'key': None, u'database_api_version': u'1.0', 'api_timeout': None, u'baremetal_api_version': u'1', u'image_api_version': u'2', 'cacert': None, u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', u'orchestration_api_version': u'1', u'interface': None, u'network_api_version': u'2', u'image_format': u'qcow2', u'key_manager_api_version': u'v1', u'metering_api_version': u'2', 'verify': True, u'identity_api_version': u'2.0', u'volume_api_version': u'2', 'cert': None, u'secgroup_source': u'neutron', u'container_api_version': u'1', u'dns_api_version': u'2', u'object_store_api_version': u'1', u'disable_vendor_agent': {}}
cloud cfg: {'auth_type': 'password', u'compute_api_version': '2', 'key': None, u'database_api_version': u'1.0', 'timing': False, u'network_api_version': u'2', u'image_format': u'qcow2', u'image_api_version': u'2', 'verify': True, u'dns_api_version': '2', u'object_store_api_version': u'1', 'verbose_level': 3, 'region_name': '', 'api_timeout': None, u'baremetal_api_version': u'1', 'auth': {'username': 'user1', 'project_name': 'project1', 'user_domain_name': 'Default', 'auth_url': 'https://172.168.1.199:5000/v3', 'password': '***', 'project_domain_name': 'Default'}, 'default_domain': 'default', u'container_api_version': u'1', u'image_api_use_tasks': False, u'floating_ip_source': u'neutron', u'orchestration_api_version': u'1', u'interface': 'internal', 'cacert': '/etc/ssl/certs/ca-certificates.crt', u'key_manager_api_version': u'v1', u'metering_api_version': u'2', 'deferred_help': False, u'identity_api_version': '3', u'volume_api_version': u'2', 'cert': None, u'secgroup_source': u'neutron', 'debug': True, u'disable_vendor_agent': {}}
compute API version 2, cmd group openstack.compute.v2
network API version 2, cmd group openstack.network.v2
image API version 2, cmd group openstack.image.v2
volume API version 2, cmd group openstack.volume.v2
identity API version 3, cmd group openstack.identity.v3
object_store API version 1, cmd group openstack.object_store.v1
dns API version 2, cmd group openstack.dns.v2
command: zone transfer accept request -> designateclient.v2.cli.zones.AcceptTransferRequestCommand
Auth plugin password selected
auth_type: password
Using auth plugin: password
Using parameters
{'username': 'user1', 'project_name': 'project1', 'auth_url': 'https://172.168.1.199:5000/v3', 'user_domain_name': 'Default', 'password': '***', 'project_domain_name': 'Default'}
Get auth_ref
REQ: curl -g -i --cacert "/etc/ssl/certs/ca-certificates.crt" -X GET https://172.168.1.199:5000/v3 -H "Accept: application/json" -H "User-Agent: python-openstackclient keystoneauth1/2.4.1 python-requests/2.9.1 CPython/2.7.9"
Starting new HTTPS connection (1): 172.168.1.199
"GET /v3 HTTP/1.1" 200 254
RESP: [200] Content-Length: 254 Vary: X-Auth-Token Server: Apache/2.4.10 (Debian) Date: Fri, 26 Aug 2016 09:18:29 GMT Content-Type: application/json x-openstack-request-id: req-79dc7d13-ce11-4319-8a33-f03ba100a0dd
RESP BODY: {"version": {"status": "stable", "updated": "2016-04-04T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.6", "links": [{"href": "https://172.168.1.199:5000/v3/", "rel": "self"}]}}
Making authentication request to https://172.168.1.199:5000/v3/auth/tokens
"POST /v3/auth/tokens HTTP/1.1" 201 10442
Making authentication request to https://172.168.1.199:5000/v3/auth/tokens
"POST /v3/auth/tokens HTTP/1.1" 201 10442
REQ: curl -g -i --cacert "/etc/ssl/certs/ca-certificates.crt" -X GET https://172.168.1.199:9001 -H "Accept: application/json" -H "User-Agent: python-openstackclient keystoneauth1/2.4.1 python-requests/2.9.1 CPython/2.7.9"
Starting new HTTPS connection (1): 172.168.1.199
"GET / HTTP/1.1" 200 445
RESP: [200] Date: Fri, 26 Aug 2016 09:18:30 GMT Content-Length: 445 Content-Type: application/json
RESP BODY: {
"versions": {
"values": [
{
"id": "v1",
"links": [
{ "href": "https://172.168.1.199:9001/v1", "rel": "self" }
],
"status": "DEPRECATED"
},
{
"id": "v2",
"links": [
{ "href": "https://172.168.1.199:9001/v2", "rel": "self" }
],
"status": "CURRENT"
}
]
}
}
REQ: curl -g -i --cacert "/etc/ssl/certs/ca-certificates.crt" -X POST https://172.168.1.199:9001/v2/zones/tasks/transfer_accepts -H "User-Agent: python-designateclient-2.1.1" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}185078af4680b9329f855b47e9d697aa67ee138f" -d '{"zone_transfer_request_id": "89c85d93-32ac-4ebf-b05e-d5a41a74589b", "key": "THIBLWMH"}'
"POST /v2/zones/tasks/transfer_accepts HTTP/1.1" 403 92
RESP: [403] Date: Fri, 26 Aug 2016 09:18:30 GMT Content-Length: 92 Content-Type: application/json X-Openstack-Request-Id: req-110497e3-1814-4db6-ab6a-2133e453ff8a
RESP BODY: {"code": 403, "type": "forbidden", "request_id": "req-110497e3-1814-4db6-ab6a-2133e453ff8a"}
forbidden
Traceback (most recent call last):
File "/opt/stack/venv/openstackclient-20160823T002102Z/lib/python2.7/site-packages/cliff/app.py", line 346, in run_subcommand
result = cmd.run(parsed_args)
File "/opt/stack/venv/openstackclient-20160823T002102Z/lib/python2.7/site-packages/cliff/display.py", line 79, in run
column_names, data = self.take_action(parsed_args)
File "/opt/stack/venv/openstackclient-20160823T002102Z/lib/python2.7/site-packages/designateclient/v2/cli/zones.py", line 402, in take_action
parsed_args.transfer_id, parsed_args.key)
File "/opt/stack/venv/openstackclient-20160823T002102Z/lib/python2.7/site-packages/designateclient/v2/zones.py", line 122, in accept_request
return self._post(url, data=data)
File "/opt/stack/venv/openstackclient-20160823T002102Z/lib/python2.7/site-packages/designateclient/client.py", line 53, in _post
resp, body = self.client.session.post(url, **kwargs)
File "/opt/stack/venv/openstackclient-20160823T002102Z/lib/python2.7/site-packages/keystoneclient/adapter.py", line 182, in post
return self.request(url, 'POST', **kwargs)
File "/opt/stack/venv/openstackclient-20160823T002102Z/lib/python2.7/site-packages/designateclient/v2/client.py", line 62, in request
raise exceptions.Forbidden(**response_payload)
Forbidden: forbidden
clean_up AcceptTransferRequestCommand: forbidden
Traceback (most recent call last):
File "/opt/stack/venv/openstackclient-20160823T002102Z/lib/python2.7/site-packages/openstackclient/shell.py", line 118, in run
ret_val = super(OpenStackShell, self).run(argv)
File "/opt/stack/venv/openstackclient-20160823T002102Z/lib/python2.7/site-packages/cliff/app.py", line 226, in run
result = self.run_subcommand(remainder)
File "/opt/stack/venv/openstackclient-20160823T002102Z/lib/python2.7/site-packages/openstackclient/shell.py", line 153, in run_subcommand
ret_value = super(OpenStackShell, self).run_subcommand(argv)
File "/opt/stack/venv/openstackclient-20160823T002102Z/lib/python2.7/site-packages/cliff/app.py", line 346, in run_subcommand
result = cmd.run(parsed_args)
File "/opt/stack/venv/openstackclient-20160823T002102Z/lib/python2.7/site-packages/cliff/display.py", line 79, in run
column_names, data = self.take_action(parsed_args)
File "/opt/stack/venv/openstackclient-20160823T002102Z/lib/python2.7/site-packages/designateclient/v2/cli/zones.py", line 402, in take_action
parsed_args.transfer_id, parsed_args.key)
File "/opt/stack/venv/openstackclient-20160823T002102Z/lib/python2.7/site-packages/designateclient/v2/zones.py", line 122, in accept_request
return self._post(url, data=data)
File "/opt/stack/venv/openstackclient-20160823T002102Z/lib/python2.7/site-packages/designateclient/client.py", line 53, in _post
resp, body = self.client.session.post(url, **kwargs)
File "/opt/stack/venv/openstackclient-20160823T002102Z/lib/python2.7/site-packages/keystoneclient/adapter.py", line 182, in post
return self.request(url, 'POST', **kwargs)
File "/opt/stack/venv/openstackclient-20160823T002102Z/lib/python2.7/site-packages/designateclient/v2/client.py", line 62, in request
raise exceptions.Forbidden(**response_payload)
Forbidden: forbidden
END return value: 1
stack@user1:~$
Actual: Non-admin tenant/user is not able to accept the transfer request for the zone.
Expected: According to the specification http://docs.openstack.org/developer/python-designateclient/shell-v2.html, a non-admin user should accept the transfer request.

Graham Hayes (grahamhayes) wrote :

This looks like the project in the environment was not changed to the project specified as the "target-project-id".

Can you confirm you changed projects?
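
The situation described in the comment above, as an added example that is not part of the original report and not Designate's own code: a simplified Python model of the accept-side check, run with the IDs and key from the bug description. The `check_accept` function, the two dataclasses, and the admin, untargeted-request and key-comparison rules are assumptions made for illustration.

```python
# Added example: simplified model of the accept-side project check.
# Not Designate's policy code; names and the admin/untargeted/key rules are assumptions.
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class TransferRequest:
    id: str
    key: str
    project_id: str                   # project that created the request
    target_project_id: Optional[str]  # None models an untargeted request


@dataclass(frozen=True)
class Context:
    project_id: str       # project the Keystone token is scoped to
    is_admin: bool = False


def check_accept(ctx: Context, req: TransferRequest, key: str) -> Tuple[bool, str]:
    """Decide whether ctx may accept req; returns (allowed, reason)."""
    in_scope = (
        ctx.is_admin
        or req.target_project_id is None
        or ctx.project_id == req.target_project_id
    )
    if not in_scope:
        return False, ("forbidden: token is scoped to project %s but the request "
                       "targets %s" % (ctx.project_id, req.target_project_id))
    # Constant-time comparison so the key check does not leak a prefix match.
    if not hmac.compare_digest(key.encode(), req.key.encode()):
        return False, "forbidden: transfer key does not match"
    return True, "accepted"


# Values taken from the bug description on this page.
REQ = TransferRequest(
    id="89c85d93-32ac-4ebf-b05e-d5a41a74589b",
    key="THIBLWMH",
    project_id="e665ee6336f14127bb027acdf6f2d0ca",
    target_project_id="86db2b6ddc454eca854cb9fb4c907f03",
)
SOURCE_CTX = Context(project_id=REQ.project_id)         # creds from u1.osrc
TARGET_CTX = Context(project_id=REQ.target_project_id)  # creds for the target project

if __name__ == "__main__":
    for name, ctx in (("source project", SOURCE_CTX), ("target project", TARGET_CTX)):
        print(name, "->", check_accept(ctx, REQ, "THIBLWMH"))
```
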

Tim Simmons (timsim)
Changed in designate:
assignee: nobody → Graham Hayes (grahamhayes)
Ashish Kumar Gupta (ashish-kumar-gupta) wrote :

@Graham Hayes (grahamhayes) :
source admin
openstack project list
+----------------------------------+--------------+
| ID | Name |
+----------------------------------+--------------+
| 033e0ba037f248d780788181152e3372 | admin |
| 4b8376e752a64620a3ae19a17c8270e3 | tenant1 |
| 4e7a7e1167064e14ae379d3c7b5664cc | demo |
| f23e0a6f72c94308acd4f22f49bfae0e | tenant2 |
+----------------------------------+--------------+
using tenant1 creds :
source tenant1.creds
stack@user1:~$ openstack zone show t1.com.
+----------------+--------------------------------------+
| Field | Value |
+----------------+--------------------------------------+
| action | NONE |
| attributes | {} |
| created_at | 2016-10-03T06:29:14.000000 |
| description | None |
| email | <email address hidden> |
| id | 1ad8c8c9-bcb3-4fc9-a4ed-27c773232964 |
| masters | |
| name | t1.com. |
| pool_id | 794ccc2c-d751-44fe-b57f-8894c9f5c842 |
| project_id | 4b8376e752a64620a3ae19a17c8270e3 |
| serial | 1475476154 |
| status | ACTIVE |
| transferred_at | None |
| ttl | 3600 |
| type | PRIMARY |
| updated_at | 2016-10-03T06:29:34.000000 |
| version | 2 |
+----------------+--------------------------------------+

stack@user1:~$ openstack zone transfer request create --target-project-id f23e0a6f72c94308acd4f22f49bfae0e 1ad8c8c9-bcb3-4fc9-a4ed-27c773232964
+-------------------+--------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-------------------+--------------------------------------------------------------------------------------------------------------+
| created_at | 2016-10-03T06:31:35.000000 |
| description | None |
| id | ac4817d5-0474-435e-8b17-bc8820a6b250 |
| key | 6UQGDYHT |
| links | {u'self': u'https://172.168.90.5:9001/v2/zones/tasks/transfer_requests/ac4817d5-0474-435e-8b17-bc8820a6b250'} |
| project_id | 4b8376e752a64620a3ae19a17c8270e3 |
| status | ACTIVE ...
