Rename Network return 403 Error

Bug #1609467 reported by Zarrouk Mohamed
This bug affects 3 people

Affects: OpenStack Dashboard (Horizon)
Status: Fix Released
Importance: High
Assigned to: Zarrouk Mohamed
Milestone:

Bug Description

When renaming a network, Horizon sends all parameters of the network, even the ones we do not change:

curl -i https://<neutron_endpoint>/v2.0/networks/<net_id>.json -X PUT -H "User-Agent: python-neutronclient" -H "X-Auth-Token: <token>" -d '{"network": {"shared": false, "name": "dfdf", "admin_state_up": true}}'

DEBUG: openstack_dashboard.api.neutron network_update 678: network_update(): netid=<net_id>, params={'shared': False, 'name': u'plouf', 'admin_state_up': True}
DEBUG: neutronclient.client http_log_req 185: REQ: curl -i https://network.fr1.cloudwatt.com/v2.0/networks/<net_id>.json -X PUT -H "User-Agent: python-neutronclient" -H "X-Auth-Token:<token_id>d" -d '{"network": {"shared": false, "name": "plouf", "admin_state_up": true}}'
DEBUG: neutronclient.client http_log_resp 194: RESP: 403 {'Content-Length': '130', 'Keep-Alive': 'timeout=5, max=100', 'Connection': 'Keep-Alive', 'Date': 'Tue, 02 Aug 2016 13:30:11 GMT', 'Access-Control-Allow-Origin': '*', 'Content-Type': 'application/json; charset=UTF-8', 'X-Openstack-Request-Id': 'req-8593fcfb-835c-4684-b068-068b5e14e4f2'} {"NeutronError": {"message": "Policy doesn't allow update_network to be performed.", "type": "PolicyNotAuthorized", "detail": ""}}
DEBUG: neutronclient.v2_0.client _handle_fault_response 247: Error message: {"NeutronError": {"message": "Policy doesn't allow update_network to be performed.", "type": "PolicyNotAuthorized", "detail": ""}}
INFO: openstack_dashboard.dashboards.project.networks.forms handle 71: Echec de mise à jour du réseau plouf
WARNING: horizon.exceptions handle_recoverable 255: Recoverable error: Policy doesn't allow update_network to be performed.
Neutron server returns request_ids: ['req-8593fcfb-835c-4684-b068-068b5e14e4f2']

curl -i https://network.fr1.cloudwatt.com/v2.0/networks/79564170-e563-4b82-b2ac-c5a5bbef3b98.json -X PUT -H "User-Agent: python-neutronclient" -H "X-Auth-Token: c5e5196e85994a468b41919d5fd74fa8" -d '{"network": {"name": "erertrtrtrtrt","admin_state_up": true}}'

The API refuses the "shared": false even if it does not change.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/350661

Changed in horizon:
assignee: nobody → Zarrouk Mohamed (zarrouk)
status: New → In Progress
Changed in horizon:
milestone: none → newton-3

Rob Cresswell (robcresswell-deactivatedaccount) wrote :

I don't think this is a Horizon bug. The client seems to be sending a PUT, which should take the whole object. It seems perhaps that Neutron are doing a policy check on a value before checking whether that value should have changed. Either way, sending the whole object to a PUT request (as we do now) is in spec, I believe.

Changed in horizon:
milestone: newton-3 → next

Zarrouk Mohamed (zarrouk) wrote :

For the moment, editing a network's details is not possible via the console.
Neutron is for sure doing a policy check before verifying that the value hasn't changed.
The patch is not fixing a Horizon bug; it is a workaround to bypass a Neutron one.

Changed in horizon:
milestone: next → newton-3
importance: Undecided → High

OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/350661
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=28c443f4e320c4c35b650f0aedb1e6343c785be3
Submitter: Jenkins
Branch: master

commit 28c443f4e320c4c35b650f0aedb1e6343c785be3
Author: zarrouk <email address hidden>
Date: Wed Aug 3 17:43:14 2016 +0200

    Do not send shared param when not allowed.

    When a user changes the name of a network,
    neutron returns a 403 error.
    Even if the user only changes the name and doesn't
    change the shared state, Horizon sends
    the shared data to neutron and neutron returns
    403 when the user doesn't have admin rights.

    Change-Id: I52726b7215acb877f38069c95d190eb36399954f
    Closes-Bug: #1609467
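
The behaviour discussed in this report, as an added example that is not Horizon's or Neutron's code: a simplified model of a server that applies an attribute-level rule to every attribute present in the PUT body, and a client that omits attributes the caller is not allowed to set. The function names, the `member` role and the admin-only status of `update_network:shared` in this model are assumptions made for illustration.

```python
# Simplified model (assumption): the server applies an attribute-level rule
# to every attribute PRESENT in the PUT body, whether or not its value changes.
ATTRIBUTE_RULES = {"shared": "update_network:shared"}  # rule name from this page
ADMIN_ONLY = {"update_network:shared"}                 # assumed admin-only here


def is_allowed(rule, roles):
    """Hypothetical policy check: admin-only rules need the 'admin' role."""
    return rule not in ADMIN_ONLY or "admin" in roles


def server_update_network(body, roles):
    """Return the HTTP status a Neutron-like server would give (model only)."""
    for attr in body["network"]:
        rule = ATTRIBUTE_RULES.get(attr)
        if rule and not is_allowed(rule, roles):
            return 403  # PolicyNotAuthorized, as in the log in the description
    return 200


def build_update_body(form_data, roles):
    """Client side: leave out attributes the caller may not set."""
    network = {
        attr: value
        for attr, value in form_data.items()
        if attr not in ATTRIBUTE_RULES
        or is_allowed(ATTRIBUTE_RULES[attr], roles)
    }
    return {"network": network}


# Constructed form data matching the request shown in the bug description.
FORM = {"shared": False, "name": "plouf", "admin_state_up": True}

if __name__ == "__main__":
    member, admin = ["member"], ["admin"]
    # Whole object from a non-admin: rejected although "shared" is unchanged.
    print(server_update_network({"network": FORM}, member))
    # Same rename with "shared" omitted for the non-admin: accepted.
    print(server_update_network(build_update_body(FORM, member), member))
    # An admin still sends and may set "shared".
    print(server_update_network(build_update_body(FORM, admin), admin))
```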

Changed in horizon:
status: In Progress → Fix Released

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/horizon 10.0.0.0b3

This issue was fixed in the openstack/horizon 10.0.0.0b3 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/360976

OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/mitaka)

Reviewed: https://review.openstack.org/360976
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=3dea56b7155237ac1323f6dfc6d4cb13981157f6
Submitter: Jenkins
Branch: stable/mitaka

commit 3dea56b7155237ac1323f6dfc6d4cb13981157f6
Author: zarrouk <email address hidden>
Date: Wed Aug 3 17:43:14 2016 +0200

    Do not send shared param when not allowed.

    When a user changes the name of a network,
    neutron returns a 403 error.
    Even if the user only changes the name and doesn't
    change the shared state, Horizon sends
    the shared data to neutron and neutron returns
    403 when the user doesn't have admin rights.

    Change-Id: I52726b7215acb877f38069c95d190eb36399954f
    Closes-Bug: #1609467
    (cherry picked from commit 28c443f4e320c4c35b650f0aedb1e6343c785be3)

tags: added: in-stable-mitaka

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon 9.1.1

This issue was fixed in the openstack/horizon 9.1.1 release.

Frode Nordahl (fnordahl) wrote :

This fix does not work without also refreshing openstack_dashboard/conf/neutron_policy.json

tags: added: sts

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/435407

OpenStack Infra (hudson-openstack) wrote : Change abandoned on horizon (stable/mitaka)

Change abandoned by Frode Nordahl (<email address hidden>) on branch: stable/mitaka
Review: https://review.openstack.org/435407
Reason: This cherry-pick turned out to be too large for being accepted for back-port to stable/mitaka at this stage. Will follow up with a smaller patch more specific to the issue.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/436916

OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/mitaka)

Reviewed: https://review.openstack.org/436916
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=875d5279063de891e2bc9be8f9b7fafd06b58a20
Submitter: Jenkins
Branch: stable/mitaka

commit 875d5279063de891e2bc9be8f9b7fafd06b58a20
Author: Frode Nordahl <email address hidden>
Date: Wed Feb 22 13:58:31 2017 +0100

    Add rule "update_network:shared" to neutron_policy.json

    This rule is referenced by networks panel and is required for
    enabling non-admin users to change the name of networks.

    This change has been committed to master in commit
    d599fdec599db99f3c8b73ffce18a140bae8e629

    That commit is too big for back-porting to stable/mitaka as-is,
    thus I am proposing this one-line commit to fix the issue at
    hand for stable/mitaka.

    Change-Id: I93ef6e09f37557dc2375d7672d2a247c776ec2bb
    Closes-Bug: #1609467

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon 9.1.2

This issue was fixed in the openstack/horizon 9.1.2 release.
