[2.1-Build 40] Need to mask a data of REST API by each project

Bug #1439485 reported by Daisuke Nakajima
This bug affects 1 person
Affects: Juniper Openstack | Status: Incomplete | Importance: Medium | Assigned to: Hampapur Ajay

Bug Description

When a client gets Contrail data through the REST API, all of the data can be seen and modified.
The data should be masked by each tenant.

For instance, the apicheck user can get a network of the demo user.

The credential:
{"auth":{"passwordCredentials":{"username": "apicheck", "password": "juniper123"},"tenantName": "apicheck"}}

http://172.27.113.85:8082/virtual-network/4eb4151f-07d1-4db6-a8cb-7c820a08158e
{
    "virtual-network": {
        "display_name": "VN2",
        "fq_name": [
            "default-domain",
            "demo",
            "VN2"
        ],
        "href": "http://172.27.113.85:8082/virtual-network/4eb4151f-07d1-4db6-a8cb-7c820a08158e",
        "id_perms": {
            "created": "2015-03-26T01:24:44.410360",
            "creator": null,
            "description": null,
            "enable": true,
            "last_modified": "2015-03-31T01:20:21.077330",
            "permissions": {
                "group": "admin",
                "group_access": 7,
                "other_access": 7,
                "owner": "admin",
                "owner_access": 7
            },
            "user_visible": true,
            "uuid": {
                "uuid_lslong": 12162952116600051086,
                "uuid_mslong": 5671181053785623990
            }
        },
        "is_shared": false,
        "name": "VN2",
        "network_ipam_refs": [
            {
                "attr": {
                    "ipam_subnets": [
                        {
                            "addr_from_start": true,
                            "allocation_pools": [],
                            "default_gateway": "50.0.0.1",
                            "dhcp_option_list": {
                                "dhcp_option": []
                            },
                            "dns_server_address": "50.0.0.2",
                            "enable_dhcp": true,
                            "host_routes": {
                                "route": []
                            },
                            "subnet": {
                                "ip_prefix": "50.0.0.0",
                                "ip_prefix_len": 24
                            },
                            "subnet_uuid": "03fa4411-4c89-49ec-98f6-6b8d746fed7d"
                        }
                    ]
                },
                "href": "http://172.27.113.85:8082/network-ipam/1723c3b6-6be2-4c90-ac5f-27e784bf444c",
                "to": [
                    "default-domain",
                    "default-project",
                    "default-network-ipam"
                ],
                "uuid": "1723c3b6-6be2-4c90-ac5f-27e784bf444c"
            }
        ],
        "parent_href": "http://172.27.113.85:8082/project/87096c40-210e-4502-a0f3-d077fb9364d1",
        "parent_type": "project",
        "parent_uuid": "87096c40-210e-4502-a0f3-d077fb9364d1",
        "route_target_list": {},
        "router_external": false,
        "routing_instances": [
            {
                "href": "http://172.27.113.85:8082/routing-instance/0b176ced-c347-4e14-a750-3d00837d415a",
                "to": [
                    "default-domain",
                    "demo",
                    "VN2",
                    "VN2"
                ],
                "uuid": "0b176ced-c347-4e14-a750-3d00837d415a"
            }
        ],
        "uuid": "4eb4151f-07d1-4db6-a8cb-7c820a08158e",
        "virtual_network_properties": {
            "allow_transit": false,
            "forwarding_mode": null,
            "network_id": 9,
            "rpf": null,
            "vxlan_network_identifier": null
        }
    }
}

Tags: config
information type: Proprietary → Public
Changed in juniperopenstack:
importance: Undecided → Medium
tags: added: config
Changed in juniperopenstack:
assignee: nobody → Hampapur Ajay (hajay)
Hampapur Ajay (hajay) wrote :

What is the role of user apicheck? By default, the admin role gets to see resources in all tenants in Keystone v2 mode.

Changed in juniperopenstack:
status: New → Incomplete
Ashish Ranjan (aranjan-n) wrote :

Daisuke San, your concern is valid. With the RBAC feature, a non-admin cannot even do this API.
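
An added example, not part of the bug report or of Contrail's code: a check a tester could run over responses like the one in the description, comparing the project the token is scoped to with the owning project in fq_name. The function name, the return labels, and the treatment of the admin role and of is_shared as legitimate cross-project reads are assumptions made for this sketch.

```python
import json

# Constructed sample: the response from the report, trimmed to the fields
# that identify the owning project.
SAMPLE_RESPONSE = json.dumps({
    "virtual-network": {
        "fq_name": ["default-domain", "demo", "VN2"],
        "is_shared": False,
        "parent_type": "project",
        "uuid": "4eb4151f-07d1-4db6-a8cb-7c820a08158e",
    }
})


def classify_access(body, requester_project, requester_roles=()):
    """Classify one GET response against the requester's token scope.

    Returns "own-tenant", "admin", "shared" or "cross-tenant".
    Only "cross-tenant" indicates missing per-project isolation.
    """
    doc = json.loads(body)
    if len(doc) != 1:
        raise ValueError("expected a single top-level resource key")
    (res_type, res), = doc.items()
    fq_name = res.get("fq_name") or []
    if res.get("parent_type") != "project" or len(fq_name) < 3:
        raise ValueError("%s is not a project-scoped resource" % res_type)
    # For a child of a project, fq_name is [domain, project, name].
    owner_project = fq_name[-2]
    if owner_project == requester_project:
        return "own-tenant"
    # Assumption (from the first comment): the admin role may read
    # resources in all tenants.
    if "admin" in requester_roles:
        return "admin"
    # Assumption: is_shared marks a network meant to be visible
    # outside its owning project.
    if res.get("is_shared"):
        return "shared"
    return "cross-tenant"


if __name__ == "__main__":
    # Token scoped to "apicheck" without admin: the case in the report.
    print(classify_access(SAMPLE_RESPONSE, "apicheck", ["Member"]))
```

Which verdict applies to the report depends on the answer to the question about the apicheck user's role.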
