Forbidden: Policy doesn't allow compute:get_all_tenants to be performed. (HTTP 403)

Bug #1413426 reported by Kieran Spear
This bug affects 8 people
Affects: OpenStack Dashboard (Horizon)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: -

Bug Description

Horizon is making requests to admin-only APIs in the project dashboard:

Error while checking action permissions.
Traceback (most recent call last):
  File "/home/kspear/openstack/horizon/horizon/tables/base.py", line 1260, in _filter_action
    return action._allowed(request, datum) and row_matched
  File "/home/kspear/openstack/horizon/horizon/tables/actions.py", line 137, in _allowed
    return self.allowed(request, datum)
  File "/home/kspear/openstack/horizon/openstack_dashboard/dashboards/project/access_and_security/floating_ips/tables.py", line 52, in allowed
    usages = quotas.tenant_quota_usages(request)
  File "/home/kspear/openstack/horizon/horizon/utils/memoized.py", line 90, in wrapped
    value = cache[key] = func(*args, **kwargs)
  File "/home/kspear/openstack/horizon/openstack_dashboard/usage/quotas.py", line 353, in tenant_quota_usages
    _get_tenant_compute_usages(request, usages, disabled_quotas, tenant_id)
  File "/home/kspear/openstack/horizon/openstack_dashboard/usage/quotas.py", line 258, in _get_tenant_compute_usages
    request, search_opts={'tenant_id': tenant_id}, all_tenants=True)
  File "/home/kspear/openstack/horizon/openstack_dashboard/api/nova.py", line 580, in server_list
    for s in c.servers.list(True, search_opts)]
  File "/home/kspear/openstack/horizon/.venv/local/lib/python2.7/site-packages/novaclient/v1_1/servers.py", line 603, in list
    return self._list("/servers%s%s" % (detail, query_string), "servers")
  File "/home/kspear/openstack/horizon/.venv/local/lib/python2.7/site-packages/novaclient/base.py", line 67, in _list
    _resp, body = self.api.client.get(url)
  File "/home/kspear/openstack/horizon/.venv/local/lib/python2.7/site-packages/novaclient/client.py", line 487, in get
    return self._cs_request(url, 'GET', **kwargs)
  File "/home/kspear/openstack/horizon/.venv/local/lib/python2.7/site-packages/novaclient/client.py", line 465, in _cs_request
    resp, body = self._time_request(url, method, **kwargs)
  File "/home/kspear/openstack/horizon/.venv/local/lib/python2.7/site-packages/novaclient/client.py", line 439, in _time_request
    resp, body = self.request(url, method, **kwargs)
  File "/home/kspear/openstack/horizon/.venv/local/lib/python2.7/site-packages/novaclient/client.py", line 433, in request
    raise exceptions.from_response(resp, body, url, method)
Forbidden: Policy doesn't allow compute:get_all_tenants to be performed. (HTTP 403) (Request-ID: req-8c0549aa-4a3e-4c07-8911-a35196be0a13)

Looks like this commit is the culprit:

commit f5b77f9a145337c22cf29d8017f5df67a6bacb7c
Author: eric <email address hidden>
Date: Sun Nov 30 07:03:20 2014 -0700

    Quotas for users with admin role do not work

    The quotas code does not isolate counts to resources within the
    current tenant/project. So if a user with the admin role makes
    calls for quota items, the admin role will have counts of a global
    list of resources. This changes that for the tenant quota call
    to fallback to the request.user.project_id if no project was
    otherwise specified for the tenant quota api call.

    Change-Id: Ib0e6ce7774c4c03686a044f233dbb9aa36dbe1b9
    Closes-bug: #1391242

Jesse Keating (jesse-keating) wrote :

We're experiencing this as well.

More interestingly, horizon code seems to be doing a policy check for "compute:get_all_tenants", however (our) Nova's policy rejection is on "os_compute_api:servers:detail:get_all_tenants".

That seems like the local copy of the nova policy file would allow it, but then the nova client hitting the nova API policy would reject it.

Jesse Keating (jesse-keating) wrote :

Turns out we had some mismatched policy between the policy lines for v2 and v2.1.

It's still interesting that Horizon ONLY checks the legacy v2 policy entry, and not the v2.1 policy line which in our case was ultimately used by Nova.

Changed in horizon:
status: New → Confirmed
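
A check for the mismatch described in the two comments above, as an added example that is not part of the original report or of Horizon's code: it evaluates the legacy v2 rule the dashboard consults and the v2.1 rule Nova enforces for the same credentials and lists any disagreement. The evaluator is a simplified stand-in for oslo.policy (no parentheses, `not` or attribute checks; an undefined rule is assumed to deny), and the sample policy is constructed.

```python
import json

# Legacy v2 rule -> v2.1 rule; both names are quoted in the comments above.
RULE_PAIRS = {
    "compute:get_all_tenants": "os_compute_api:servers:detail:get_all_tenants",
}

# Constructed sample policy with the v2 and v2.1 lines out of sync.
SAMPLE_POLICY = json.loads("""{
  "admin_api": "is_admin:True or role:admin",
  "compute:get_all_tenants": "",
  "os_compute_api:servers:detail:get_all_tenants": "rule:admin_api"
}""")

def check(expr, rules, creds, depth=0):
    """Evaluate a policy subset: '', '@', '!', role:, rule:, is_admin:, and/or."""
    if depth > 20:
        raise ValueError("rule reference loop")
    expr = expr.strip()
    if expr in ("", "@"):
        return True
    if expr == "!":
        return False
    if " or " in expr:   # 'or' binds loosest, so split on it first
        return any(check(p, rules, creds, depth + 1) for p in expr.split(" or "))
    if " and " in expr:
        return all(check(p, rules, creds, depth + 1) for p in expr.split(" and "))
    kind, _, value = expr.partition(":")
    if kind == "rule":   # assumption of this sketch: an undefined rule denies
        return value in rules and check(rules[value], rules, creds, depth + 1)
    if kind == "role":
        return value.lower() in (r.lower() for r in creds.get("roles", []))
    if kind == "is_admin":
        return str(bool(creds.get("is_admin"))) == value
    raise ValueError("unsupported check: %r" % expr)

def find_drift(ui_policy, api_policy, creds, pairs=RULE_PAIRS):
    """List rule pairs where the dashboard-side and API-side answers differ."""
    drift = []
    for legacy, current in pairs.items():
        ui = check("rule:" + legacy, ui_policy, creds)
        api = check("rule:" + current, api_policy, creds)
        if ui != api:
            drift.append((legacy, ui, current, api))
    return drift

if __name__ == "__main__":
    member = {"roles": ["member"], "is_admin": False}
    for row in find_drift(SAMPLE_POLICY, SAMPLE_POLICY, member):
        print("DRIFT: %s=%s but %s=%s" % row)
```

Pass the dashboard's local policy copy as `ui_policy` and the file Nova actually loads as `api_policy`; an empty result for every role you test means the UI and the API agree on that pair.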
Sudheer Kalla (sudheer-kalla) wrote :

Hello All,

I think this bug has been resolved by the commit https://review.openstack.org/#/c/358790/

Which is a commit to solve the bug https://bugs.launchpad.net/horizon/+bug/1610693

Gary W. Smith (gary-w-smith) wrote :

This bug was last updated nearly a year ago, and the comments
suggest that this has been addressed, so this is getting marked
as Invalid. If the issue still exists, please feel free to
reopen it.

Changed in horizon:
status: Confirmed → Invalid