Juniper Openstack

Bug #1583745
Activity log

Activity log for bug #1583745

Date	Who	What changed	Old value	New value	Message
2016-05-19 18:44:48	Akila	bug			added bug
2016-05-19 18:44:57	Akila	information type	Proprietary	Public
2016-05-19 22:24:17	Akila	summary	RBAC - default-domain:default-api-access list needs to be updated with minimal R cred for all users	RBAC - default-domain:default-api-access list needs to be updated creds to certain objects
2016-05-19 22:25:08	Akila	description	RBAC - default-domain:default-api-access list needs to be updated with minimal R cred for all users Currently the default-api-access does not have 'project' read access for any role including admin, because of which the admin is not able to create a network in his tennant. This fails at the o=project, op=R step: root@a5d02e33:~# neutron net-create test-rbac An unknown exception occurred. root@a5d02e33:~# DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: u=new-rbac-admin, r=[u'admin', u'_member_'], o=project, op=R, rules=5, proj:a1c652329baf451b8ba1e1b9f1282b1c(new-rbac-tenant), dom:None DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 3) documentation :R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 4) virtual-network. admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 5) virtual-networks.* admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: --- admin=no, u=new-rbac-admin, r='admin,_member_' root@a5d02e33:~# keystone token-get +-----------+----------------------------------+ \| Property \| Value \| +-----------+----------------------------------+ \| expires \| 2016-05-19T18:31:29Z \| \| id \| 53ba33256b6f4ffebe984757c0bc0c5a \| \| tenant_id \| a1c652329baf451b8ba1e1b9f1282b1c \| \| user_id \| 2d999d17d7364807b93e9ddf19ae0882 \| +-----------+----------------------------------+ root@a5d02e33:~# root@a5d02e33:~# curl -H 'X-AUTH-TOKEN: 53ba33256b6f4ffebe984757c0bc0c5a' http://127.0.0.1:8082/project/a1c652329baf451b8ba1e1b9f1282b1c Permission Denied root@a5d02e33:~# keystone tenant-list +----------------------------------+--------------------+---------+ \| id \| name \| enabled \| +----------------------------------+--------------------+---------+ \| 10357a4826cb4068bb7afc6b4f788291 \| admin \| True \| \| 2fa850a59eec4c94b2f9d73e62122d5b \| demo \| True \| \| 38f63c3f64f44f6c98f686fb6688b10b \| invisible_to_admin \| True \| \| a1c652329baf451b8ba1e1b9f1282b1c \| new-rbac-tenant \| True \| \| 254090e351f54abe97108f4696712b32 \| rbac-test \| True \| \| 44091587af0946cca15b8d3a8b7e3dbe \| service \| True \| +----------------------------------+--------------------+---------+ root@a5d02e33:~# keystone user-role-list --user new-rbac-admin --tenant a1c652329baf451b8ba1e1b9f1282b1c +----------------------------------+----------+----------------------------------+----------------------------------+ \| id \| name \| user_id \| tenant_id \| +----------------------------------+----------+----------------------------------+----------------------------------+ \| 9fe2ff9ee4384b1894a90878d3e92bab \| _member_ \| 2d999d17d7364807b93e9ddf19ae0882 \| a1c652329baf451b8ba1e1b9f1282b1c \| \| 08843657439f4db690a96ce9e6962e93 \| admin \| 2d999d17d7364807b93e9ddf19ae0882 \| a1c652329baf451b8ba1e1b9f1282b1c \| +----------------------------------+----------+----------------------------------+----------------------------------+ root@a5d02e33:~# root@a5d02e33:~# env \| grep OS OS_PASSWORD=rbac123 OS_AUTH_URL=http://10.87.129.224:5000/v2.0/ OS_USERNAME=new-rbac-admin OS_TENANT_NAME=new-rbac-tenant OS_NO_CACHE=1 LESSCLOSE=/usr/bin/lesspipe %s %s root@a5d02e33:~# After adding "project :R" admin is able to create network: 10.87.143.116 - - [2016-05-19 11:06:53] "GET /project/a1c65232-9baf-451b-8ba1-e1b9f1282b1c HTTP/1.1" 401 196 0.017696 DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: u=new-rbac-admin, r=[u'admin', u'_member_'], o=project, op=R, rules=6, proj:a1c652329baf451b8ba1e1b9f1282b1c(new-rbac-tenant), dom:None DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 3) documentation :R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 4) project.* :R, (1,True) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 5) virtual-network. admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 6) virtual-networks.* admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: +++ admin=no, u=new-rbac-admin, r='admin,_member_' root@a5d02e33:~# neutron net-create net-2 Created a new network: +-------------------------+--------------------------------------+ \| Field \| Value \| +-------------------------+--------------------------------------+ \| admin_state_up \| True \| \| contrail:fq_name \| default-domain \| \| \| new-rbac-tenant \| \| \| net-2 \| \| contrail:instance_count \| 0 \| \| id \| 4627a227-5b67-4195-9f84-e6993f5ad4e0 \| \| name \| net-2 \| \| router:external \| False \| \| shared \| False \| \| status \| ACTIVE \| \| subnets \| \| \| tenant_id \| a1c652329baf451b8ba1e1b9f1282b1c \| +-------------------------+--------------------------------------+ root@a5d02e33:~#	RBAC - default-domain:default-api-access list needs to be updated with minimal R cred for all users Currently the default-api-access does not have 'project' read access for any role including admin, because of which the admin is not able to create a network in his tennant. This fails at the o=project, op=R step: root@a5d02e33:~# neutron net-create test-rbac An unknown exception occurred. root@a5d02e33:~# DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: u=new-rbac-admin, r=[u'admin', u'_member_'], o=project, op=R, rules=5, proj:a1c652329baf451b8ba1e1b9f1282b1c(new-rbac-tenant), dom:None DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 3) documentation :R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 4) virtual-network. admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 5) virtual-networks.* admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: --- admin=no, u=new-rbac-admin, r='admin,_member_' root@a5d02e33:~# keystone token-get +-----------+----------------------------------+ \| Property \| Value \| +-----------+----------------------------------+ \| expires \| 2016-05-19T18:31:29Z \| \| id \| 53ba33256b6f4ffebe984757c0bc0c5a \| \| tenant_id \| a1c652329baf451b8ba1e1b9f1282b1c \| \| user_id \| 2d999d17d7364807b93e9ddf19ae0882 \| +-----------+----------------------------------+ root@a5d02e33:~# root@a5d02e33:~# curl -H 'X-AUTH-TOKEN: 53ba33256b6f4ffebe984757c0bc0c5a' http://127.0.0.1:8082/project/a1c652329baf451b8ba1e1b9f1282b1c Permission Denied root@a5d02e33:~# keystone tenant-list +----------------------------------+--------------------+---------+ \| id \| name \| enabled \| +----------------------------------+--------------------+---------+ \| 10357a4826cb4068bb7afc6b4f788291 \| admin \| True \| \| 2fa850a59eec4c94b2f9d73e62122d5b \| demo \| True \| \| 38f63c3f64f44f6c98f686fb6688b10b \| invisible_to_admin \| True \| \| a1c652329baf451b8ba1e1b9f1282b1c \| new-rbac-tenant \| True \| \| 254090e351f54abe97108f4696712b32 \| rbac-test \| True \| \| 44091587af0946cca15b8d3a8b7e3dbe \| service \| True \| +----------------------------------+--------------------+---------+ root@a5d02e33:~# keystone user-role-list --user new-rbac-admin --tenant a1c652329baf451b8ba1e1b9f1282b1c +----------------------------------+----------+----------------------------------+----------------------------------+ \| id \| name \| user_id \| tenant_id \| +----------------------------------+----------+----------------------------------+----------------------------------+ \| 9fe2ff9ee4384b1894a90878d3e92bab \| _member_ \| 2d999d17d7364807b93e9ddf19ae0882 \| a1c652329baf451b8ba1e1b9f1282b1c \| \| 08843657439f4db690a96ce9e6962e93 \| admin \| 2d999d17d7364807b93e9ddf19ae0882 \| a1c652329baf451b8ba1e1b9f1282b1c \| +----------------------------------+----------+----------------------------------+----------------------------------+ root@a5d02e33:~# root@a5d02e33:~# env \| grep OS OS_PASSWORD=rbac123 OS_AUTH_URL=http://10.87.129.224:5000/v2.0/ OS_USERNAME=new-rbac-admin OS_TENANT_NAME=new-rbac-tenant OS_NO_CACHE=1 LESSCLOSE=/usr/bin/lesspipe %s %s root@a5d02e33:~# After adding "project :R" admin is able to create network: 10.87.143.116 - - [2016-05-19 11:06:53] "GET /project/a1c65232-9baf-451b-8ba1-e1b9f1282b1c HTTP/1.1" 401 196 0.017696 DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: u=new-rbac-admin, r=[u'admin', u'_member_'], o=project, op=R, rules=6, proj:a1c652329baf451b8ba1e1b9f1282b1c(new-rbac-tenant), dom:None DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 3) documentation :R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 4) project.* :R, (1,True) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 5) virtual-network. admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 6) virtual-networks.* admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: +++ admin=no, u=new-rbac-admin, r='admin,_member_' root@a5d02e33:~# neutron net-create net-2 Created a new network: +-------------------------+--------------------------------------+ \| Field \| Value \| +-------------------------+--------------------------------------+ \| admin_state_up \| True \| \| contrail:fq_name \| default-domain \| \| \| new-rbac-tenant \| \| \| net-2 \| \| contrail:instance_count \| 0 \| \| id \| 4627a227-5b67-4195-9f84-e6993f5ad4e0 \| \| name \| net-2 \| \| router:external \| False \| \| shared \| False \| \| status \| ACTIVE \| \| subnets \| \| \| tenant_id \| a1c652329baf451b8ba1e1b9f1282b1c \| +-------------------------+--------------------------------------+ root@a5d02e33:~# Similar issues is seen with the following objects: ref-update useragent-kv
2016-05-19 22:27:10	Akila	summary	RBAC - default-domain:default-api-access list needs to be updated creds to certain objects	RBAC - default-domain:default-api-access list needs to be updated with creds to certain objects
2016-05-20 17:55:56	Jeba Paulaiyan	tags	rbac	config rbac
2016-05-20 17:56:41	Jeba Paulaiyan	juniperopenstack: importance	Undecided	High
2016-05-20 18:08:55	Akila	description	RBAC - default-domain:default-api-access list needs to be updated with minimal R cred for all users Currently the default-api-access does not have 'project' read access for any role including admin, because of which the admin is not able to create a network in his tennant. This fails at the o=project, op=R step: root@a5d02e33:~# neutron net-create test-rbac An unknown exception occurred. root@a5d02e33:~# DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: u=new-rbac-admin, r=[u'admin', u'_member_'], o=project, op=R, rules=5, proj:a1c652329baf451b8ba1e1b9f1282b1c(new-rbac-tenant), dom:None DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 3) documentation :R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 4) virtual-network. admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 5) virtual-networks.* admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: --- admin=no, u=new-rbac-admin, r='admin,_member_' root@a5d02e33:~# keystone token-get +-----------+----------------------------------+ \| Property \| Value \| +-----------+----------------------------------+ \| expires \| 2016-05-19T18:31:29Z \| \| id \| 53ba33256b6f4ffebe984757c0bc0c5a \| \| tenant_id \| a1c652329baf451b8ba1e1b9f1282b1c \| \| user_id \| 2d999d17d7364807b93e9ddf19ae0882 \| +-----------+----------------------------------+ root@a5d02e33:~# root@a5d02e33:~# curl -H 'X-AUTH-TOKEN: 53ba33256b6f4ffebe984757c0bc0c5a' http://127.0.0.1:8082/project/a1c652329baf451b8ba1e1b9f1282b1c Permission Denied root@a5d02e33:~# keystone tenant-list +----------------------------------+--------------------+---------+ \| id \| name \| enabled \| +----------------------------------+--------------------+---------+ \| 10357a4826cb4068bb7afc6b4f788291 \| admin \| True \| \| 2fa850a59eec4c94b2f9d73e62122d5b \| demo \| True \| \| 38f63c3f64f44f6c98f686fb6688b10b \| invisible_to_admin \| True \| \| a1c652329baf451b8ba1e1b9f1282b1c \| new-rbac-tenant \| True \| \| 254090e351f54abe97108f4696712b32 \| rbac-test \| True \| \| 44091587af0946cca15b8d3a8b7e3dbe \| service \| True \| +----------------------------------+--------------------+---------+ root@a5d02e33:~# keystone user-role-list --user new-rbac-admin --tenant a1c652329baf451b8ba1e1b9f1282b1c +----------------------------------+----------+----------------------------------+----------------------------------+ \| id \| name \| user_id \| tenant_id \| +----------------------------------+----------+----------------------------------+----------------------------------+ \| 9fe2ff9ee4384b1894a90878d3e92bab \| _member_ \| 2d999d17d7364807b93e9ddf19ae0882 \| a1c652329baf451b8ba1e1b9f1282b1c \| \| 08843657439f4db690a96ce9e6962e93 \| admin \| 2d999d17d7364807b93e9ddf19ae0882 \| a1c652329baf451b8ba1e1b9f1282b1c \| +----------------------------------+----------+----------------------------------+----------------------------------+ root@a5d02e33:~# root@a5d02e33:~# env \| grep OS OS_PASSWORD=rbac123 OS_AUTH_URL=http://10.87.129.224:5000/v2.0/ OS_USERNAME=new-rbac-admin OS_TENANT_NAME=new-rbac-tenant OS_NO_CACHE=1 LESSCLOSE=/usr/bin/lesspipe %s %s root@a5d02e33:~# After adding "project :R" admin is able to create network: 10.87.143.116 - - [2016-05-19 11:06:53] "GET /project/a1c65232-9baf-451b-8ba1-e1b9f1282b1c HTTP/1.1" 401 196 0.017696 DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: u=new-rbac-admin, r=[u'admin', u'_member_'], o=project, op=R, rules=6, proj:a1c652329baf451b8ba1e1b9f1282b1c(new-rbac-tenant), dom:None DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 3) documentation :R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 4) project.* :R, (1,True) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 5) virtual-network. admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 6) virtual-networks.* admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: +++ admin=no, u=new-rbac-admin, r='admin,_member_' root@a5d02e33:~# neutron net-create net-2 Created a new network: +-------------------------+--------------------------------------+ \| Field \| Value \| +-------------------------+--------------------------------------+ \| admin_state_up \| True \| \| contrail:fq_name \| default-domain \| \| \| new-rbac-tenant \| \| \| net-2 \| \| contrail:instance_count \| 0 \| \| id \| 4627a227-5b67-4195-9f84-e6993f5ad4e0 \| \| name \| net-2 \| \| router:external \| False \| \| shared \| False \| \| status \| ACTIVE \| \| subnets \| \| \| tenant_id \| a1c652329baf451b8ba1e1b9f1282b1c \| +-------------------------+--------------------------------------+ root@a5d02e33:~# Similar issues is seen with the following objects: ref-update useragent-kv	RBAC - default-domain:default-api-access list needs to be updated with minimal R cred for all users Currently the default-api-access does not have 'project' read access for any role including admin, because of which the admin is not able to create a network in his tennant. This fails at the o=project, op=R step: root@a5d02e33:~# neutron net-create test-rbac An unknown exception occurred. root@a5d02e33:~# DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: u=new-rbac-admin, r=[u'admin', u'_member_'], o=project, op=R, rules=5, proj:a1c652329baf451b8ba1e1b9f1282b1c(new-rbac-tenant), dom:None DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 3) documentation :R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 4) virtual-network. admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 5) virtual-networks.* admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: --- admin=no, u=new-rbac-admin, r='admin,_member_' root@a5d02e33:~# keystone token-get +-----------+----------------------------------+ \| Property \| Value \| +-----------+----------------------------------+ \| expires \| 2016-05-19T18:31:29Z \| \| id \| 53ba33256b6f4ffebe984757c0bc0c5a \| \| tenant_id \| a1c652329baf451b8ba1e1b9f1282b1c \| \| user_id \| 2d999d17d7364807b93e9ddf19ae0882 \| +-----------+----------------------------------+ root@a5d02e33:~# root@a5d02e33:~# curl -H 'X-AUTH-TOKEN: 53ba33256b6f4ffebe984757c0bc0c5a' http://127.0.0.1:8082/project/a1c652329baf451b8ba1e1b9f1282b1c Permission Denied root@a5d02e33:~# keystone tenant-list +----------------------------------+--------------------+---------+ \| id \| name \| enabled \| +----------------------------------+--------------------+---------+ \| 10357a4826cb4068bb7afc6b4f788291 \| admin \| True \| \| 2fa850a59eec4c94b2f9d73e62122d5b \| demo \| True \| \| 38f63c3f64f44f6c98f686fb6688b10b \| invisible_to_admin \| True \| \| a1c652329baf451b8ba1e1b9f1282b1c \| new-rbac-tenant \| True \| \| 254090e351f54abe97108f4696712b32 \| rbac-test \| True \| \| 44091587af0946cca15b8d3a8b7e3dbe \| service \| True \| +----------------------------------+--------------------+---------+ root@a5d02e33:~# keystone user-role-list --user new-rbac-admin --tenant a1c652329baf451b8ba1e1b9f1282b1c +----------------------------------+----------+----------------------------------+----------------------------------+ \| id \| name \| user_id \| tenant_id \| +----------------------------------+----------+----------------------------------+----------------------------------+ \| 9fe2ff9ee4384b1894a90878d3e92bab \| _member_ \| 2d999d17d7364807b93e9ddf19ae0882 \| a1c652329baf451b8ba1e1b9f1282b1c \| \| 08843657439f4db690a96ce9e6962e93 \| admin \| 2d999d17d7364807b93e9ddf19ae0882 \| a1c652329baf451b8ba1e1b9f1282b1c \| +----------------------------------+----------+----------------------------------+----------------------------------+ root@a5d02e33:~# root@a5d02e33:~# env \| grep OS OS_PASSWORD=rbac123 OS_AUTH_URL=http://10.87.129.224:5000/v2.0/ OS_USERNAME=new-rbac-admin OS_TENANT_NAME=new-rbac-tenant OS_NO_CACHE=1 LESSCLOSE=/usr/bin/lesspipe %s %s root@a5d02e33:~# After adding "project :R" admin is able to create network: 10.87.143.116 - - [2016-05-19 11:06:53] "GET /project/a1c65232-9baf-451b-8ba1-e1b9f1282b1c HTTP/1.1" 401 196 0.017696 DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: u=new-rbac-admin, r=[u'admin', u'_member_'], o=project, op=R, rules=6, proj:a1c652329baf451b8ba1e1b9f1282b1c(new-rbac-tenant), dom:None DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 3) documentation :R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 4) project.* :R, (1,True) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 5) virtual-network. admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 6) virtual-networks.* admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: +++ admin=no, u=new-rbac-admin, r='admin,_member_' root@a5d02e33:~# neutron net-create net-2 Created a new network: +-------------------------+--------------------------------------+ \| Field \| Value \| +-------------------------+--------------------------------------+ \| admin_state_up \| True \| \| contrail:fq_name \| default-domain \| \| \| new-rbac-tenant \| \| \| net-2 \| \| contrail:instance_count \| 0 \| \| id \| 4627a227-5b67-4195-9f84-e6993f5ad4e0 \| \| name \| net-2 \| \| router:external \| False \| \| shared \| False \| \| status \| ACTIVE \| \| subnets \| \| \| tenant_id \| a1c652329baf451b8ba1e1b9f1282b1c \| +-------------------------+--------------------------------------+ root@a5d02e33:~# Similar issues is seen with the following objects: ref-update useragent-kv Also provide * *:R (read perms fro all objects for all roles)
2016-05-23 18:37:39	Akila	description	RBAC - default-domain:default-api-access list needs to be updated with minimal R cred for all users Currently the default-api-access does not have 'project' read access for any role including admin, because of which the admin is not able to create a network in his tennant. This fails at the o=project, op=R step: root@a5d02e33:~# neutron net-create test-rbac An unknown exception occurred. root@a5d02e33:~# DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: u=new-rbac-admin, r=[u'admin', u'_member_'], o=project, op=R, rules=5, proj:a1c652329baf451b8ba1e1b9f1282b1c(new-rbac-tenant), dom:None DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 3) documentation :R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 4) virtual-network. admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 5) virtual-networks.* admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: --- admin=no, u=new-rbac-admin, r='admin,_member_' root@a5d02e33:~# keystone token-get +-----------+----------------------------------+ \| Property \| Value \| +-----------+----------------------------------+ \| expires \| 2016-05-19T18:31:29Z \| \| id \| 53ba33256b6f4ffebe984757c0bc0c5a \| \| tenant_id \| a1c652329baf451b8ba1e1b9f1282b1c \| \| user_id \| 2d999d17d7364807b93e9ddf19ae0882 \| +-----------+----------------------------------+ root@a5d02e33:~# root@a5d02e33:~# curl -H 'X-AUTH-TOKEN: 53ba33256b6f4ffebe984757c0bc0c5a' http://127.0.0.1:8082/project/a1c652329baf451b8ba1e1b9f1282b1c Permission Denied root@a5d02e33:~# keystone tenant-list +----------------------------------+--------------------+---------+ \| id \| name \| enabled \| +----------------------------------+--------------------+---------+ \| 10357a4826cb4068bb7afc6b4f788291 \| admin \| True \| \| 2fa850a59eec4c94b2f9d73e62122d5b \| demo \| True \| \| 38f63c3f64f44f6c98f686fb6688b10b \| invisible_to_admin \| True \| \| a1c652329baf451b8ba1e1b9f1282b1c \| new-rbac-tenant \| True \| \| 254090e351f54abe97108f4696712b32 \| rbac-test \| True \| \| 44091587af0946cca15b8d3a8b7e3dbe \| service \| True \| +----------------------------------+--------------------+---------+ root@a5d02e33:~# keystone user-role-list --user new-rbac-admin --tenant a1c652329baf451b8ba1e1b9f1282b1c +----------------------------------+----------+----------------------------------+----------------------------------+ \| id \| name \| user_id \| tenant_id \| +----------------------------------+----------+----------------------------------+----------------------------------+ \| 9fe2ff9ee4384b1894a90878d3e92bab \| _member_ \| 2d999d17d7364807b93e9ddf19ae0882 \| a1c652329baf451b8ba1e1b9f1282b1c \| \| 08843657439f4db690a96ce9e6962e93 \| admin \| 2d999d17d7364807b93e9ddf19ae0882 \| a1c652329baf451b8ba1e1b9f1282b1c \| +----------------------------------+----------+----------------------------------+----------------------------------+ root@a5d02e33:~# root@a5d02e33:~# env \| grep OS OS_PASSWORD=rbac123 OS_AUTH_URL=http://10.87.129.224:5000/v2.0/ OS_USERNAME=new-rbac-admin OS_TENANT_NAME=new-rbac-tenant OS_NO_CACHE=1 LESSCLOSE=/usr/bin/lesspipe %s %s root@a5d02e33:~# After adding "project :R" admin is able to create network: 10.87.143.116 - - [2016-05-19 11:06:53] "GET /project/a1c65232-9baf-451b-8ba1-e1b9f1282b1c HTTP/1.1" 401 196 0.017696 DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: u=new-rbac-admin, r=[u'admin', u'_member_'], o=project, op=R, rules=6, proj:a1c652329baf451b8ba1e1b9f1282b1c(new-rbac-tenant), dom:None DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 3) documentation :R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 4) project.* :R, (1,True) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 5) virtual-network. admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 6) virtual-networks.* admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: +++ admin=no, u=new-rbac-admin, r='admin,_member_' root@a5d02e33:~# neutron net-create net-2 Created a new network: +-------------------------+--------------------------------------+ \| Field \| Value \| +-------------------------+--------------------------------------+ \| admin_state_up \| True \| \| contrail:fq_name \| default-domain \| \| \| new-rbac-tenant \| \| \| net-2 \| \| contrail:instance_count \| 0 \| \| id \| 4627a227-5b67-4195-9f84-e6993f5ad4e0 \| \| name \| net-2 \| \| router:external \| False \| \| shared \| False \| \| status \| ACTIVE \| \| subnets \| \| \| tenant_id \| a1c652329baf451b8ba1e1b9f1282b1c \| +-------------------------+--------------------------------------+ root@a5d02e33:~# Similar issues is seen with the following objects: ref-update useragent-kv Also provide * *:R (read perms fro all objects for all roles)	RBAC - default-domain:default-api-access list needs to be updated with minimal R cred for all users Currently the default-api-access does not have 'project' read access for any role including admin, because of which the admin is not able to create a network in his tennant. This fails at the o=project, op=R step: root@a5d02e33:~# neutron net-create test-rbac An unknown exception occurred. root@a5d02e33:~# DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: u=new-rbac-admin, r=[u'admin', u'_member_'], o=project, op=R, rules=5, proj:a1c652329baf451b8ba1e1b9f1282b1c(new-rbac-tenant), dom:None DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 3) documentation :R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 4) virtual-network. admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 5) virtual-networks.* admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: --- admin=no, u=new-rbac-admin, r='admin,_member_' root@a5d02e33:~# keystone token-get +-----------+----------------------------------+ \| Property \| Value \| +-----------+----------------------------------+ \| expires \| 2016-05-19T18:31:29Z \| \| id \| 53ba33256b6f4ffebe984757c0bc0c5a \| \| tenant_id \| a1c652329baf451b8ba1e1b9f1282b1c \| \| user_id \| 2d999d17d7364807b93e9ddf19ae0882 \| +-----------+----------------------------------+ root@a5d02e33:~# root@a5d02e33:~# curl -H 'X-AUTH-TOKEN: 53ba33256b6f4ffebe984757c0bc0c5a' http://127.0.0.1:8082/project/a1c652329baf451b8ba1e1b9f1282b1c Permission Denied root@a5d02e33:~# keystone tenant-list +----------------------------------+--------------------+---------+ \| id \| name \| enabled \| +----------------------------------+--------------------+---------+ \| 10357a4826cb4068bb7afc6b4f788291 \| admin \| True \| \| 2fa850a59eec4c94b2f9d73e62122d5b \| demo \| True \| \| 38f63c3f64f44f6c98f686fb6688b10b \| invisible_to_admin \| True \| \| a1c652329baf451b8ba1e1b9f1282b1c \| new-rbac-tenant \| True \| \| 254090e351f54abe97108f4696712b32 \| rbac-test \| True \| \| 44091587af0946cca15b8d3a8b7e3dbe \| service \| True \| +----------------------------------+--------------------+---------+ root@a5d02e33:~# keystone user-role-list --user new-rbac-admin --tenant a1c652329baf451b8ba1e1b9f1282b1c +----------------------------------+----------+----------------------------------+----------------------------------+ \| id \| name \| user_id \| tenant_id \| +----------------------------------+----------+----------------------------------+----------------------------------+ \| 9fe2ff9ee4384b1894a90878d3e92bab \| _member_ \| 2d999d17d7364807b93e9ddf19ae0882 \| a1c652329baf451b8ba1e1b9f1282b1c \| \| 08843657439f4db690a96ce9e6962e93 \| admin \| 2d999d17d7364807b93e9ddf19ae0882 \| a1c652329baf451b8ba1e1b9f1282b1c \| +----------------------------------+----------+----------------------------------+----------------------------------+ root@a5d02e33:~# root@a5d02e33:~# env \| grep OS OS_PASSWORD=rbac123 OS_AUTH_URL=http://10.87.129.224:5000/v2.0/ OS_USERNAME=new-rbac-admin OS_TENANT_NAME=new-rbac-tenant OS_NO_CACHE=1 LESSCLOSE=/usr/bin/lesspipe %s %s root@a5d02e33:~# After adding "project :R" admin is able to create network: 10.87.143.116 - - [2016-05-19 11:06:53] "GET /project/a1c65232-9baf-451b-8ba1-e1b9f1282b1c HTTP/1.1" 401 196 0.017696 DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: u=new-rbac-admin, r=[u'admin', u'_member_'], o=project, op=R, rules=6, proj:a1c652329baf451b8ba1e1b9f1282b1c(new-rbac-tenant), dom:None DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname :CRUD, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 3) documentation :R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 4) project.* :R, (1,True) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 5) virtual-network. admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 6) virtual-networks.* admin:CRUD,Member:CRU,test:R, (-1,False) DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: +++ admin=no, u=new-rbac-admin, r='admin,_member_' root@a5d02e33:~# neutron net-create net-2 Created a new network: +-------------------------+--------------------------------------+ \| Field \| Value \| +-------------------------+--------------------------------------+ \| admin_state_up \| True \| \| contrail:fq_name \| default-domain \| \| \| new-rbac-tenant \| \| \| net-2 \| \| contrail:instance_count \| 0 \| \| id \| 4627a227-5b67-4195-9f84-e6993f5ad4e0 \| \| name \| net-2 \| \| router:external \| False \| \| shared \| False \| \| status \| ACTIVE \| \| subnets \| \| \| tenant_id \| a1c652329baf451b8ba1e1b9f1282b1c \| +-------------------------+--------------------------------------+ root@a5d02e33:~# Please provide following access ref-update :CRUD useragent-kv :CRUD * *:R api-access-lists admin:CRUD api-access-list admin:CRUD
2016-07-07 23:34:49	shajuvk	nominated for series		juniperopenstack/trunk
2016-07-07 23:34:49	shajuvk	bug task added		juniperopenstack/trunk
2016-07-25 09:27:24	OpenContrail Admin	juniperopenstack/trunk: milestone	r3.1.0.0-fcs
2016-07-25 09:27:24	OpenContrail Admin	nominated for series		juniperopenstack/r3.1
2016-07-25 09:27:24	OpenContrail Admin	bug task added		juniperopenstack/r3.1
2016-07-25 09:27:24	OpenContrail Admin	bug task added		juniperopenstack/r3.1
2016-07-26 05:50:22	Vinay Mahuli	juniperopenstack/r3.1: importance	Undecided	High
2016-07-26 05:50:22	Vinay Mahuli	juniperopenstack/r3.1: assignee		Deepinder Setia (dsetia)
2016-07-29 20:09:47	Deepinder Setia	juniperopenstack/trunk: status	New	Won't Fix
2016-07-29 20:09:51	Deepinder Setia	juniperopenstack/r3.1: status	New	Won't Fix
2016-09-13 00:31:21	Jeba Paulaiyan	juniperopenstack: status	New	Won't Fix