Rename multi_tenancy flag in analytics to aaa_mode

Bug #1599654 reported by Megh Bhatt on 2016-07-06
Affects: Juniper Openstack (status tracked in Trunk)
R3.0: Status Fix Committed, Importance High, Assigned to Megh Bhatt
R3.1: Status Fix Committed, Importance High, Assigned to Megh Bhatt
Trunk: Status In Progress, Importance High, Assigned to Megh Bhatt

Bug Description

Rename multi_tenancy flag in analytics to aaa_mode, similar to config, as explained in https://github.com/Juniper/contrail-controller/wiki/RBAC

Raj Reddy (rajreddy) on 2016-07-11
Changed in juniperopenstack:
assignee: nobody → Megh Bhatt (meghb)

Review in progress for https://review.opencontrail.org/21910
Submitter: Megh Bhatt (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/21912
Submitter: Megh Bhatt (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/21917
Submitter: Megh Bhatt (<email address hidden>)

Reviewed: https://review.opencontrail.org/21912
Committed: http://github.org/Juniper/contrail-puppet/commit/3afb90ad04026454ef7f1adb68889bc00594522b
Submitter: Zuul
Branch: master

commit 3afb90ad04026454ef7f1adb68889bc00594522b
Author: Megh Bhatt <email address hidden>
Date: Tue Jul 12 16:15:21 2016 -0700

Rename multi_tenancy to aaa_mode for analytics API

Change-Id: I7b135d5c8d34b9d3434b3bea767eab4790a26bc7
Partial-Bug: #1599654

Review in progress for https://review.opencontrail.org/21996
Submitter: Megh Bhatt (<email address hidden>)

Reviewed: https://review.opencontrail.org/21910
Committed: http://github.org/Juniper/contrail-provisioning/commit/97c3c396de54d118dc63a278ae9ecc0cad3a2c5d
Submitter: Zuul
Branch: master

commit 97c3c396de54d118dc63a278ae9ecc0cad3a2c5d
Author: Megh Bhatt <email address hidden>
Date: Tue Jul 12 16:12:27 2016 -0700

Rename multi_tenancy to aaa_mode for analytics API

Change-Id: I0c0739ec41e907c968af5ffcf2b77d19d4efaa21
Partial-Bug: #1599654

Reviewed: https://review.opencontrail.org/21996
Committed: http://github.org/Juniper/contrail-puppet/commit/0fcf51aa3454e591b9c5ea8b22988a15ae75a6a8
Submitter: Zuul
Branch: R3.1

commit 0fcf51aa3454e591b9c5ea8b22988a15ae75a6a8
Author: Megh Bhatt <email address hidden>
Date: Tue Jul 12 16:15:21 2016 -0700

Rename multi_tenancy to aaa_mode for analytics API

Change-Id: I7b135d5c8d34b9d3434b3bea767eab4790a26bc7
Partial-Bug: #1599654
(cherry picked from commit 3afb90ad04026454ef7f1adb68889bc00594522b)

Review in progress for https://review.opencontrail.org/22273
Submitter: Megh Bhatt (<email address hidden>)

Review in progress for https://review.opencontrail.org/22281
Submitter: Megh Bhatt (<email address hidden>)

Review in progress for https://review.opencontrail.org/22282
Submitter: Megh Bhatt (<email address hidden>)

Reviewed: https://review.opencontrail.org/22273
Committed: http://github.org/Juniper/contrail-provisioning/commit/ad5f349ac83e61a77fdd5897dce3f65b546df990
Submitter: Zuul
Branch: R3.1

commit ad5f349ac83e61a77fdd5897dce3f65b546df990
Author: Megh Bhatt <email address hidden>
Date: Tue Jul 12 16:12:27 2016 -0700

Rename multi_tenancy to aaa_mode for analytics API

Change-Id: I0c0739ec41e907c968af5ffcf2b77d19d4efaa21
Partial-Bug: #1599654
(cherry picked from commit 97c3c396de54d118dc63a278ae9ecc0cad3a2c5d)

Review in progress for https://review.opencontrail.org/22414
Submitter: Megh Bhatt (<email address hidden>)

Review in progress for https://review.opencontrail.org/22443
Submitter: Megh Bhatt (<email address hidden>)

Review in progress for https://review.opencontrail.org/22444
Submitter: Megh Bhatt (<email address hidden>)

Review in progress for https://review.opencontrail.org/22492
Submitter: Megh Bhatt (<email address hidden>)

Review in progress for https://review.opencontrail.org/22499
Submitter: Megh Bhatt (<email address hidden>)

Reviewed: https://review.opencontrail.org/22282
Committed: http://github.org/Juniper/contrail-controller/commit/a2a7c9248b3d9830d491ab6baf7d21bd9aa64ff6
Submitter: Zuul
Branch: R3.1

commit a2a7c9248b3d9830d491ab6baf7d21bd9aa64ff6
Author: Megh Bhatt <email address hidden>
Date: Tue Jul 12 16:34:17 2016 -0700

Rename multi_tenancy to aaa_mode for analytics API

Handle keystone v2 and v3 token infos returned by
VNC API. Enable cloud-admin-only aaa_mode by default

Change analytics DB and underlay to overlay mapper to
use local admin port when querying opserver

Do not cache auth_token in vnc lib

Change-Id: Id715e40fe3996964b5298da1cd63c248243071dd
Closes-Bug: #1599654

Reviewed: https://review.opencontrail.org/22444
Committed: http://github.org/Juniper/contrail-fabric-utils/commit/0e2b8dab64a704fe01415b71365e23e618e783a5
Submitter: Zuul
Branch: R3.1

commit 0e2b8dab64a704fe01415b71365e23e618e783a5
Author: Megh Bhatt <email address hidden>
Date: Thu Jul 21 10:44:17 2016 -0700

Fabric changes to rename analytics_multi_tenancy to analytics_aaa_mode

Rename analytics_multi_tenancy to analytics_aaa_mode which can have
values "no-auth" and "cloud-admin-only". Also set it to
"cloud-admin-only" by default

Change-Id: Ic0348e06dfc717d09686dbed96c6b9df08740fb1
Partial-Bug: #1599654

Reviewed: https://review.opencontrail.org/22443
Committed: http://github.org/Juniper/contrail-test-ci/commit/1eb5678528d036f7a46a14dd4010667c4ac44be4
Submitter: Zuul
Branch: R3.1

commit 1eb5678528d036f7a46a14dd4010667c4ac44be4
Author: Megh Bhatt <email address hidden>
Date: Mon Jul 25 23:27:14 2016 -0700

Change VerificationOpsSrv to use admin credentials for auth

After changing default aaa mode to cloud-admin-only for contrail-analytics-api
we need to change VerificationOpsSrv to use admin credentials when
getting auth token to send to contrail-analytics-api instead of
stack user credentials.

Change-Id: I9692c57add27b2bacc3d0c05d59690c3e2c82b7f
Partial-Bug: #1599654

Review in progress for https://review.opencontrail.org/22540
Submitter: Megh Bhatt (<email address hidden>)

Review in progress for https://review.opencontrail.org/22544
Submitter: Megh Bhatt (<email address hidden>)

Review in progress for https://review.opencontrail.org/22536
Submitter: Megh Bhatt (<email address hidden>)

Review in progress for https://review.opencontrail.org/22498
Submitter: Megh Bhatt (<email address hidden>)

Review in progress for https://review.opencontrail.org/22543
Submitter: Megh Bhatt (<email address hidden>)

Review in progress for https://review.opencontrail.org/22490
Submitter: Megh Bhatt (<email address hidden>)

Reviewed: https://review.opencontrail.org/22414
Committed: http://github.org/Juniper/contrail-test-ci/commit/47500f0c2fdaeef8526e0e6ada53cafbbc42c6bd
Submitter: Zuul
Branch: master

commit 47500f0c2fdaeef8526e0e6ada53cafbbc42c6bd
Author: Megh Bhatt <email address hidden>
Date: Mon Jul 25 23:27:14 2016 -0700

Change VerificationOpsSrv to use admin credentials for auth

After changing default aaa mode to cloud-admin-only for contrail-analytics-api
we need to change VerificationOpsSrv to use admin credentials when
getting auth token to send to contrail-analytics-api instead of
stack user credentials.

Change-Id: I9692c57add27b2bacc3d0c05d59690c3e2c82b7f
Partial-Bug: #1599654

Review in progress for https://review.opencontrail.org/22971
Submitter: Megh Bhatt (<email address hidden>)

Reviewed: https://review.opencontrail.org/22971
Committed: http://github.org/Juniper/contrail-test-ci/commit/84a73d69340a62deef2c8113249f8144d1819489
Submitter: Zuul
Branch: R3.0

commit 84a73d69340a62deef2c8113249f8144d1819489
Author: Ankit Jain <email address hidden>
Date: Thu Aug 4 11:10:31 2016 -0700

1. Pass auth header in post_query request

Fix for test_verify_object_logs
Needed to pass auth header in post_query request
Pass expect : 202 in query header to get qid

2. Script fix required after Secured Access for Analytic REST API- 8081 in R3.1(master):
1. we need to pass inputs in VerificationOpsSrv now which can be used for authentication in class JsonDrv

(cherry picked from commit 55eb03b234249a007cbb1a4fb00a34914d557132)

3. Change VerificationOpsSrv to use admin credentials for auth

After changing default aaa mode to cloud-admin-only for contrail-analytics-api
we need to change VerificationOpsSrv to use admin credentials when
getting auth token to send to contrail-analytics-api instead of
stack user credentials.

Partial-Bug: #1599654
(cherry picked from commit 1eb5678528d036f7a46a14dd4010667c4ac44be4)

Change-Id: I9692c57add27b2bacc3d0c05d59690c3e2c82b7f

Reviewed: https://review.opencontrail.org/22281
Committed: http://github.org/Juniper/contrail-fabric-utils/commit/b3ea0fab1749006fc3912dd01fa7e99dfcb0ca14
Submitter: Zuul
Branch: master

commit b3ea0fab1749006fc3912dd01fa7e99dfcb0ca14
Author: Megh Bhatt <email address hidden>
Date: Thu Jul 21 10:44:17 2016 -0700

Fabric changes to rename analytics_multi_tenancy to analytics_aaa_mode

Rename analytics_multi_tenancy to analytics_aaa_mode which can have
values "no-auth" and "cloud-admin-only". Also set it to
"cloud-admin-only" by default

Change-Id: Ic0348e06dfc717d09686dbed96c6b9df08740fb1
Partial-Bug: #1599654

Review in progress for https://review.opencontrail.org/23189
Submitter: Megh Bhatt (<email address hidden>)

Reviewed: https://review.opencontrail.org/22490
Committed: http://github.org/Juniper/contrail-puppet/commit/de213a3667bcc7563bc0f290f7120725bad357e0
Submitter: Zuul
Branch: R3.0

commit de213a3667bcc7563bc0f290f7120725bad357e0
Author: Megh Bhatt <email address hidden>
Date: Tue Jun 14 11:35:28 2016 -0700

1. Puppet changes for cloud admin access to contrail-analytics-api

Closes-Bug: #1461175
(cherry picked from commit 40982d6b7fc5e006397f845cfdcdbf16f1020f8d)

2. Rename cloud_admin_access_only to multi_tenancy and default to False for now

Closes-Bug: #1461175
(cherry picked from commit 21f40965faada6c92be194124ca7affbbb7e779b)

3. Rename multi_tenancy to aaa_mode for analytics API

Partial-Bug: #1599654
(cherry picked from commit 3afb90ad04026454ef7f1adb68889bc00594522b)

Change-Id: Ib58572052d8159398da973076c139e8aecc02268

Reviewed: https://review.opencontrail.org/23189
Committed: http://github.org/Juniper/contrail-test-ci/commit/90396c7365e43a73187e0d496c1055c0b26b9ea1
Submitter: Zuul
Branch: master

commit 90396c7365e43a73187e0d496c1055c0b26b9ea1
Author: Ankit Jain <email address hidden>
Date: Thu Aug 4 11:10:31 2016 -0700

1. Pass auth header in post_query request

Fix for test_verify_object_logs
Needed to pass auth header in post_query request
Pass expect : 202 in query header to get qid

Partial-Bug: #1599654
(cherry picked from commit 1eb5678528d036f7a46a14dd4010667c4ac44be4)

Change-Id: Ieb39bdfea09a22160b2b148842434214b0a09152

Reviewed: https://review.opencontrail.org/22498
Committed: http://github.org/Juniper/contrail-provisioning/commit/e1f2af6433bfae9b098cc6cdbccda5e635e05c2b
Submitter: Zuul
Branch: R3.0

commit e1f2af6433bfae9b098cc6cdbccda5e635e05c2b
Author: Megh Bhatt <email address hidden>
Date: Sat Jun 11 01:11:32 2016 -0700

1. Add provisioning of cloud_admin_access_only

Enable cloud_admin_access_only by default. Add a parameter --no_multi_tenancy
to setup-vnc-collector to disable cloud_admin_access_only. Remove templates
for ini files for contrail-analytics-api, contrail-collector, and
contrail-query-engine and for conf file of contrail-analytics-api

Partial-Bug: #1461175
(cherry picked from commit ec3c1741b5a2f7b49bc18a6b85421e0584c2494e)

Conflicts:
 contrail_provisioning/collector/setup.py

2. Rename multi_tenancy to aaa_mode for analytics API

Partial-Bug: #1599654
(cherry picked from commit 97c3c396de54d118dc63a278ae9ecc0cad3a2c5d)

Conflicts:
 contrail_provisioning/collector/setup.py

3. Fix provisioning failure in setup-vnc-collector

Configure memcache servers in /etc/contrail/contrail-keystone-auth.conf
only from config node setup

Closes-Bug: #1606654
(cherry picked from commit 98de6812efad7c44e342dfa5d4105c82107826a4)

Conflicts:
 contrail_provisioning/common/base.py

4. Rename multi_tenancy to aaa_mode in upgrade path for analytics node

Closes-Bug: #1607469
(cherry picked from commit b8f4c6906a6f643873436d31f630c155f4d1d07e)

5. Changes to bring analytics authenticated access in sync with config

1. Rename aaa_mode value cloud-admin-only to cloud-admin
2. CLOUD_ADMIN_ROLE defaults to admin instead of cloud-admin

Partial-Bug: #1607563
(cherry picked from commit 3e8d8412dc8f9e52f12261a173bff34202366f8b)

Conflicts:
 contrail_provisioning/collector/setup.py

Change-Id: I56dd3e14a7a2ad8d676decf3dbbb2170170a957b
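
The commits on this page move the analytics access flag through three names (cloud_admin_access_only, multi_tenancy, aaa_mode) and rename the value cloud-admin-only to cloud-admin. As an added example (not code from the Contrail repositories), the following Python check scans an ini-style configuration for the superseded names and for authentication left disabled; the section names, the sample file, and the mapping of the old boolean flags to a mode are assumptions of the example.

```python
import configparser

# Key and value names are the ones quoted in the commit messages on this page.
LEGACY_BOOL_KEYS = ("cloud_admin_access_only", "multi_tenancy")
RENAMED_VALUES = {"cloud-admin-only": "cloud-admin"}
KNOWN_MODES = ("no-auth", "cloud-admin")
TRUTHY = {"1", "true", "yes", "on"}


def audit_aaa_config(text):
    """Return a list of (section, key, issue, suggestion) tuples."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        options = parser[section]
        for key in LEGACY_BOOL_KEYS:
            if key in options:
                # Assumption of this example: a true legacy flag meant
                # admin-only access, a false one meant no authentication.
                enabled = options[key].strip().lower() in TRUTHY
                mode = "cloud-admin" if enabled else "no-auth"
                findings.append((section, key, "deprecated-key",
                                 "aaa_mode = " + mode))
        if "aaa_mode" in options:
            value = options["aaa_mode"].strip().strip("'\"").lower()
            if value in RENAMED_VALUES:
                # Old spelling of the admin-only mode, later removed.
                findings.append((section, "aaa_mode", "removed-value",
                                 "aaa_mode = " + RENAMED_VALUES[value]))
            elif value not in KNOWN_MODES:
                # Not one of the values named on this page.
                findings.append((section, "aaa_mode", "unrecognized-value",
                                 "review manually"))
            elif value == "no-auth":
                # Valid, but the API answers without checking a token.
                findings.append((section, "aaa_mode", "auth-disabled",
                                 "aaa_mode = cloud-admin"))
    return findings


# Constructed sample input; the section names are placeholders.
SAMPLE_CONF = """
[DEFAULTS]
multi_tenancy = False
[NODE_A]
aaa_mode = cloud-admin-only
[NODE_B]
aaa_mode = no-auth
[NODE_C]
aaa_mode = cloud-admin
"""

if __name__ == "__main__":
    for finding in audit_aaa_config(SAMPLE_CONF):
        print(finding)
```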

information type: Proprietary → Public

Reviewed: https://review.opencontrail.org/21917
Committed: http://github.org/Juniper/contrail-controller/commit/051a2c1851419b7081db5e611a40ebc57235b52f
Submitter: Zuul
Branch: master

commit 051a2c1851419b7081db5e611a40ebc57235b52f
Author: Megh Bhatt <email address hidden>
Date: Tue Jul 12 16:34:17 2016 -0700

1. Rename multi_tenancy to aaa_mode for analytics API

Handle keystone v2 and v3 token infos returned by
VNC API. Enable cloud-admin-only aaa_mode by default

Change analytics DB and underlay to overlay mapper to
use local admin port when querying opserver

Do not cache auth_token in vnc lib

Closes-Bug: #1599654

2. Changes to bring analytics authenticated access in sync with config

1. Rename aaa_mode value cloud-admin-only to cloud-admin
2. CLOUD_ADMIN_ROLE defaults to admin instead of cloud-admin

Partial-Bug: #1607563
(cherry picked from commit 42db6e38e55bc2410297a99c2af3bea03faa938c)

3. Fix missing import of OpServerUtils in analytics_db.py

Closes-Bug: #1609054
(cherry picked from commit cf5f0567c9bb03e83cd83515b775d2018e668d0c)

4. Remove aaa_mode value cloud-admin-only

Closes-Bug: #1609987
(cherry picked from commit 58a8a0fe3a404b5e6a11b01008064b96ed66109e)

5. Keep on trying to create VNC API client from analytics API

The gevent that creates the VNC API client was exiting due to
authentication failure exception. Changed code to handle all
exceptions and keep on trying to create the API client. The
node status will show the API connection down in case we are
not able to create the VNC API client.

Closes-Bug: #1611158
(cherry picked from commit 8072aa5ffd37e4082d7ae9697020a6160e8d2682)

6. Change the obj-perms API to pass in the user token in HTTP headers

With PKI tokens, when user token was passed in query parameters for
obj-perms API the token was getting truncated. Changed the API
to accept user token in X-USER-TOKEN HTTP header.

Closes-Bug: #1614376

Conflicts:
 src/config/api-server/tests/test_perms2.py

7. Fix issue with retrieving the db usage info in analytics-api

Closes-Bug: #1614285
(cherry picked from commit 0ec8bf74ba106d655b9a72398f0c9380c2755497)

Change-Id: Id715e40fe3996964b5298da1cd63c248243071dd

Reviewed: https://review.opencontrail.org/22543
Committed: http://github.org/Juniper/contrail-fabric-utils/commit/c1ec7d90fdea91d0453efecb68c1d27f333248a1
Submitter: Zuul
Branch: R3.0

commit c1ec7d90fdea91d0453efecb68c1d27f333248a1
Author: Megh Bhatt <email address hidden>
Date: Mon Jun 13 19:26:54 2016 -0700

1. fabric changes for cloud admin access to contrail-analytics-api

Use the multi tenancy flag and the orchestrator to decide to enable
or disable cloud admin access to contrail-analytics-api

Conflicts:
 fabfile/testbeds/testbed_multibox_example.py
 fabfile/testbeds/testbed_singlebox_example.py

Partial-Bug: #1461175
(cherry picked from commit 4ef98bb9a1540495e1e99e6dcde480fd292de3d9)

2. Fabric changes to rename analytics_multi_tenancy to analytics_aaa_mode

Rename analytics_multi_tenancy to analytics_aaa_mode which can have
values "no-auth" and "cloud-admin-only". Also set it to
"cloud-admin-only" by default

Partial-Bug: #1599654
(cherry picked from commit 0e2b8dab64a704fe01415b71365e23e618e783a5)

3. Changes to bring analytics authenticated access in sync with config

1. Rename cloud-admin-only to cloud-admin for analytics AAA mode
2. Add parameter cloud_admin_role to allow users to set the cloud-admin
role name in testbed.py

Closes-Bug: #1607563
(cherry picked from commit c9c33da72474854ec0d4e12bbce593d278d7b378)

Change-Id: I73ff8d47ccc2c693f4531cfc9d1b40eab16e70d7

Reviewed: https://review.opencontrail.org/22536
Committed: http://github.org/Juniper/contrail-controller/commit/761ffd96941cd9ec2f670675fbe553080c4790ec
Submitter: Zuul
Branch: R3.0

commit 761ffd96941cd9ec2f670675fbe553080c4790ec
Author: Megh Bhatt <email address hidden>
Date: Wed Jun 8 18:21:34 2016 -0700

1. Add option for cloud admin access only for analytics REST API

Allow cloud admin role access only for analytics REST API controlled
via --cloud_admin_access_only currently defaulted to False but will default
to True once provisioning changes are done. contrail-analytics-api will
validate role from the X-Auth-Token header via vnc_api/contrail-api. For
debug/administration a localhost bound port 8181 - --admin_port is provided
that requires basic HTTP access authentication.

Clients of analytics REST API - contrail-flows, contrail-logs, contrail-stats,
contrail-topology are changed to use admin port. contrail-svc-monitor is changed
to use auth token.

Conflicts:
 src/opserver/SConscript

Partial-Bug: #1461175
(cherry picked from commit 5492f71383123fea8240ca265e125aee28d9349f)

2. Rename cloud_admin_access_only to multi_tenancy in contrail-analytics-api

Closes-Bug: #1461175
(cherry picked from commit 36df0991a47068bcb6af8cd219e416e2ca60d4cd)

3. for bool option, a conversion from string to bool is required.
Closes-Bug: #1595044

(cherry picked from commit 1d6b81bccf5a7aee39fbb60bd25152e1b8726206)

4. Change cloud admin role name to "cloud-admin" from "admin" for
analytics API access

Closes-Bug: #1600699
(cherry picked from commit 8c131016252a22c52cdfab8042571598818f82c3)

5. Rename multi_tenancy to aaa_mode for analytics API

Handle keystone v2 and v3 token infos returned by
VNC API. Enable cloud-admin-only aaa_mode by default

Change analytics DB and underlay to overlay mapper to
use local admin port when querying opserver

Do not cache auth_token in vnc lib

Closes-Bug: #1599654
(cherry picked from commit a2a7c9248b3d9830d491ab6baf7d21bd9aa64ff6)

6. Changes to bring analytics authenticated access in sync with config

1. Rename aaa_mode value cloud-admin-only to cloud-admin
2. CLOUD_ADMIN_ROLE defaults to admin instead of cloud-admin

Partial-Bug: #1607563
(cherry picked from commit 42db6e38e55bc2410297a99c2af3bea03faa938c)

7. Fix missing import of OpServerUtils in analytics_db.py

Closes-Bug: #1609054
(cherry picked from commit cf5f0567c9bb03e83cd83515b775d2018e668d0c)

8. Remove aaa_mode value cloud-admin-only

Closes-Bug: #1609987

9. Keep on trying to create VNC API client from analytics API

The gevent that creates the VNC API client was exiting due to
authentication failure exception. Changed code to handle all
exceptions and keep on trying to create the API client. The
node status will show the API connection down in case we are
not able to create the VNC API client.

Closes-Bug: #1611158
(cherry picked from commit 8072aa5ffd37e4082d7ae9697020a6160e8d2682)

10. Keystone middleware doesn't like if token is unicode. It must be converted
to string before validation.

Fixes-Bug: #1604773
(cherry picked from commit 18df64367eb5468bbca403aef4f2d22d02be4636)

11. Change the obj-perms API to pass in the user token in HTTP headers

...

Review in progress for https://review.opencontrail.org/40095
Submitter: Ankit Jain (<email address hidden>)
