Rename Network return 403 Error

Bug #1609467 reported by Zarrouk Mohamed on 2016-08-03
This bug affects 3 people
Affects: OpenStack Dashboard (Horizon)
Importance: High
Assigned to: Zarrouk Mohamed

Bug Description

When renaming a network, Horizon sends all parameters of the network, even the ones we do not change:

curl -i https://<neutron_endpoint>/v2.0/networks/<net_id>.json -X PUT -H "User-Agent: python-neutronclient" -H "X-Auth-Token: <token>" -d '{"network": {"shared": false, "name": "dfdf", "admin_state_up": true}}'

DEBUG: openstack_dashboard.api.neutron network_update 678: network_update(): netid=<net_id>, params={'shared': False, 'name': u'plouf', 'admin_state_up': True}
DEBUG: neutronclient.client http_log_req 185: REQ: curl -i https://network.fr1.cloudwatt.com/v2.0/networks/<net_id>.json -X PUT -H "User-Agent: python-neutronclient" -H "X-Auth-Token:<token_id>d" -d '{"network": {"shared": false, "name": "plouf", "admin_state_up": true}}'
DEBUG: neutronclient.client http_log_resp 194: RESP: 403 {'Content-Length': '130', 'Keep-Alive': 'timeout=5, max=100', 'Connection': 'Keep-Alive', 'Date': 'Tue, 02 Aug 2016 13:30:11 GMT', 'Access-Control-Allow-Origin': '*', 'Content-Type': 'application/json; charset=UTF-8', 'X-Openstack-Request-Id': 'req-8593fcfb-835c-4684-b068-068b5e14e4f2'} {"NeutronError": {"message": "Policy doesn't allow update_network to be performed.", "type": "PolicyNotAuthorized", "detail": ""}}
DEBUG: neutronclient.v2_0.client _handle_fault_response 247: Error message: {"NeutronError": {"message": "Policy doesn't allow update_network to be performed.", "type": "PolicyNotAuthorized", "detail": ""}}
INFO: openstack_dashboard.dashboards.project.networks.forms handle 71: Echec de mise à jour du réseau plouf
WARNING: horizon.exceptions handle_recoverable 255: Recoverable error: Policy doesn't allow update_network to be performed.
Neutron server returns request_ids: ['req-8593fcfb-835c-4684-b068-068b5e14e4f2']

curl -i https://network.fr1.cloudwatt.com/v2.0/networks/79564170-e563-4b82-b2ac-c5a5bbef3b98.json -X PUT -H "User-Agent: python-neutronclient" -H "X-Auth-Token: c5e5196e85994a468b41919d5fd74fa8" -d '{"network": {"name": "erertrtrtrtrt","admin_state_up": true}}'

The API refuses the "shared": false even if it does not change.

Fix proposed to branch: master
Review: https://review.openstack.org/350661

Changed in horizon:
assignee: nobody → Zarrouk Mohamed (zarrouk)
status: New → In Progress
Changed in horizon:
milestone: none → newton-3
Rob Cresswell (robcresswell) wrote :

I don't think this is a Horizon bug. The client seems to be sending a PUT, which should take the whole object. It seems perhaps that Neutron are doing a policy check on a value before checking whether that value should have changed. Either way, sending the whole object to a PUT request (as we do now) is in spec, I believe.

Changed in horizon:
milestone: newton-3 → next
Zarrouk Mohamed (zarrouk) wrote :

For the moment, editing a network's details is not possible via the console.
Neutron is for sure doing a policy check before verifying that the value hasn't changed.
The patch is not fixing a Horizon bug, it is a workaround to bypass a Neutron one.

Changed in horizon:
milestone: next → newton-3
importance: Undecided → High

Reviewed: https://review.openstack.org/350661
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=28c443f4e320c4c35b650f0aedb1e6343c785be3
Submitter: Jenkins
Branch: master

commit 28c443f4e320c4c35b650f0aedb1e6343c785be3
Author: zarrouk <email address hidden>
Date: Wed Aug 3 17:43:14 2016 +0200

    Do not send shared param when not allowed.

    When a user changes the name of a network,
    neutron returns a 403 error.
    Even if the user only changes the name and doesn't
    change the shared state, Horizon sends
    the shared data to neutron and neutron returns
    403 when the user doesn't have admin rights

    Change-Id: I52726b7215acb877f38069c95d190eb36399954f
    Closes-Bug: #1609467

Changed in horizon:
status: In Progress → Fix Released

This issue was fixed in the openstack/horizon 10.0.0.0b3 development milestone.

Reviewed: https://review.openstack.org/360976
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=3dea56b7155237ac1323f6dfc6d4cb13981157f6
Submitter: Jenkins
Branch: stable/mitaka

commit 3dea56b7155237ac1323f6dfc6d4cb13981157f6
Author: zarrouk <email address hidden>
Date: Wed Aug 3 17:43:14 2016 +0200

    Do not send shared param when not allowed.

    When a user changes the name of a network,
    neutron returns a 403 error.
    Even if the user only changes the name and doesn't
    change the shared state, Horizon sends
    the shared data to neutron and neutron returns
    403 when the user doesn't have admin rights

    Change-Id: I52726b7215acb877f38069c95d190eb36399954f
    Closes-Bug: #1609467
    (cherry picked from commit 28c443f4e320c4c35b650f0aedb1e6343c785be3)

tags: added: in-stable-mitaka

This issue was fixed in the openstack/horizon 9.1.1 release.

Frode Nordahl (fnordahl) wrote :

This fix does not work without also refreshing openstack_dashboard/conf/neutron_policy.json

tags: added: sts

Change abandoned by Frode Nordahl (<email address hidden>) on branch: stable/mitaka
Review: https://review.openstack.org/435407
Reason: This cherry-pick turned out to be too large to be accepted for back-port to stable/mitaka at this stage. Will follow up with a smaller patch more specific to the issue.

Reviewed: https://review.openstack.org/436916
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=875d5279063de891e2bc9be8f9b7fafd06b58a20
Submitter: Jenkins
Branch: stable/mitaka

commit 875d5279063de891e2bc9be8f9b7fafd06b58a20
Author: Frode Nordahl <email address hidden>
Date: Wed Feb 22 13:58:31 2017 +0100

    Add rule "update_network:shared" to neutron_policy.json

    This rule is referenced by networks panel and is required for
    enabling non-admin users to change the name of networks.

    This change has been committed to master in commit
    d599fdec599db99f3c8b73ffce18a140bae8e629

    That commit is too big for back-porting to stable/mitaka as-is,
    thus I am proposing this one-line commit to fix the issue at
    hand for stable/mitaka.

    Change-Id: I93ef6e09f37557dc2375d7672d2a247c776ec2bb
    Closes-Bug: #1609467

This issue was fixed in the openstack/horizon 9.1.2 release.
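
An added sketch (not Horizon's or Neutron's code) of the behaviour this thread describes: the dashboard leaves "shared" out of the update body unless its local policy copy permits update_network:shared, and a stale copy lacking that rule still sends it and gets a 403. The rule values, the fallback to a "default" rule and all function names are assumptions made for illustration.

```python
# Added illustration: a toy model of the policy checks discussed in this bug.
# All names and rule values are assumptions, not Horizon or Neutron code.
ADMIN_ONLY, ADMIN_OR_OWNER = "admin_only", "admin_or_owner"

# Constructed policies. The stale dashboard copy lacks "update_network:shared".
SERVER_POLICY = {
    "default": ADMIN_OR_OWNER,
    "update_network": ADMIN_OR_OWNER,
    "update_network:shared": ADMIN_ONLY,
}
STALE_DASHBOARD_POLICY = {
    "default": ADMIN_OR_OWNER,
    "update_network": ADMIN_OR_OWNER,
}


def allowed(policy, action, roles, is_owner):
    """Evaluate one action; a missing rule falls back to "default" (assumed)."""
    rule = policy.get(action, policy["default"])
    if rule == ADMIN_ONLY:
        return "admin" in roles
    if rule == ADMIN_OR_OWNER:
        return "admin" in roles or is_owner
    raise ValueError("unknown rule: %r" % rule)


def build_update_body(dashboard_policy, roles, is_owner, form):
    """Dashboard side: send "shared" only when the user may update it."""
    net = {"name": form["name"], "admin_state_up": form["admin_state_up"]}
    if allowed(dashboard_policy, "update_network:shared", roles, is_owner):
        net["shared"] = form["shared"]
    return {"network": net}


def server_status(roles, is_owner, body):
    """Server side: every attribute present in the body is policy-checked,
    whether or not its value differs from the stored one (as observed above)."""
    actions = ["update_network"]
    actions += ["update_network:" + attr for attr in body["network"]
                if "update_network:" + attr in SERVER_POLICY]
    ok = all(allowed(SERVER_POLICY, a, roles, is_owner) for a in actions)
    return 200 if ok else 403


if __name__ == "__main__":
    form = {"name": "plouf", "admin_state_up": True, "shared": False}
    for label, pol in (("stale", STALE_DASHBOARD_POLICY), ("refreshed", SERVER_POLICY)):
        body = build_update_body(pol, ["member"], True, form)
        print(label, body, server_status(["member"], True, body))
```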
