Comment 0 for bug 1583745

Akila (akila-a) wrote : RBAC - default-domain:default-api-access list needs to be updated with minimal R cred for all users

RBAC - default-domain:default-api-access list needs to be updated with minimal R cred for all users

Currently the default-api-access list does not grant 'project' read access to any role, including admin, so the admin is not able to create a network in his own tenant. The request fails at the o=project, op=R check:

root@a5d02e33:~# neutron net-create test-rbac
An unknown exception occurred.
root@a5d02e33:~#

DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: u=new-rbac-admin, r=[u'admin', u'_member_'], o=project, op=R, rules=5, proj:a1c652329baf451b8ba1e1b9f1282b1c(new-rbac-tenant), dom:None
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id *:CRUD, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname *:CRUD, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 3) documentation *:R, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 4) virtual-network.* admin:CRUD,Member:CRU,test:R, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 5) virtual-networks.* admin:CRUD,Member:CRU,test:R, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError:
--- admin=no, u=new-rbac-admin, r='admin,_member_'

root@a5d02e33:~# keystone token-get
+-----------+----------------------------------+
| Property | Value |
+-----------+----------------------------------+
| expires | 2016-05-19T18:31:29Z |
| id | 53ba33256b6f4ffebe984757c0bc0c5a |
| tenant_id | a1c652329baf451b8ba1e1b9f1282b1c |
| user_id | 2d999d17d7364807b93e9ddf19ae0882 |
+-----------+----------------------------------+
root@a5d02e33:~#
root@a5d02e33:~# curl -H 'X-AUTH-TOKEN: 53ba33256b6f4ffebe984757c0bc0c5a' http://127.0.0.1:8082/project/a1c652329baf451b8ba1e1b9f1282b1c
Permission Denied
root@a5d02e33:~# keystone tenant-list
+----------------------------------+--------------------+---------+
| id | name | enabled |
+----------------------------------+--------------------+---------+
| 10357a4826cb4068bb7afc6b4f788291 | admin | True |
| 2fa850a59eec4c94b2f9d73e62122d5b | demo | True |
| 38f63c3f64f44f6c98f686fb6688b10b | invisible_to_admin | True |
| a1c652329baf451b8ba1e1b9f1282b1c | new-rbac-tenant | True |
| 254090e351f54abe97108f4696712b32 | rbac-test | True |
| 44091587af0946cca15b8d3a8b7e3dbe | service | True |
+----------------------------------+--------------------+---------+
root@a5d02e33:~# keystone user-role-list --user new-rbac-admin --tenant a1c652329baf451b8ba1e1b9f1282b1c
+----------------------------------+----------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 2d999d17d7364807b93e9ddf19ae0882 | a1c652329baf451b8ba1e1b9f1282b1c |
| 08843657439f4db690a96ce9e6962e93 | admin | 2d999d17d7364807b93e9ddf19ae0882 | a1c652329baf451b8ba1e1b9f1282b1c |
+----------------------------------+----------+----------------------------------+----------------------------------+
root@a5d02e33:~#

root@a5d02e33:~# env | grep OS
OS_PASSWORD=rbac123
OS_AUTH_URL=http://10.87.129.224:5000/v2.0/
OS_USERNAME=new-rbac-admin
OS_TENANT_NAME=new-rbac-tenant
OS_NO_CACHE=1
LESSCLOSE=/usr/bin/lesspipe %s %s
root@a5d02e33:~#

After adding the rule "project *:R" (read access on project objects for every role) to default-api-access, the admin is able to create a network:

10.87.143.116 - - [2016-05-19 11:06:53] "GET /project/a1c65232-9baf-451b-8ba1-e1b9f1282b1c HTTP/1.1" 401 196 0.017696
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: u=new-rbac-admin, r=[u'admin', u'_member_'], o=project, op=R, rules=6, proj:a1c652329baf451b8ba1e1b9f1282b1c(new-rbac-tenant), dom:None
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id *:CRUD, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname *:CRUD, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 3) documentation *:R, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 4) project.* *:R, (1,True)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 5) virtual-network.* admin:CRUD,Member:CRU,test:R, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: Rule 6) virtual-networks.* admin:CRUD,Member:CRU,test:R, (-1,False)
DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiError: +++ admin=no, u=new-rbac-admin, r='admin,_member_'

root@a5d02e33:~# neutron net-create net-2
Created a new network:
+-------------------------+--------------------------------------+
| Field | Value |
+-------------------------+--------------------------------------+
| admin_state_up | True |
| contrail:fq_name | default-domain |
| | new-rbac-tenant |
| | net-2 |
| contrail:instance_count | 0 |
| id | 4627a227-5b67-4195-9f84-e6993f5ad4e0 |
| name | net-2 |
| router:external | False |
| shared | False |
| status | ACTIVE |
| subnets | |
| tenant_id | a1c652329baf451b8ba1e1b9f1282b1c |
+-------------------------+--------------------------------------+
root@a5d02e33:~#