Juniper Openstack

Bug #1625152
Activity log

Activity log for bug #1625152

Date	Who	What changed	Old value	New value	Message
2016-09-19 12:13:55	Ankit Jain	bug			added bug
2016-09-19 12:18:18	Ankit Jain	juniperopenstack: milestone	r3.0.3.0
2016-09-19 12:18:26	Ankit Jain	nominated for series		juniperopenstack/r3.0
2016-09-19 12:18:26	Ankit Jain	bug task added		juniperopenstack/r3.0
2016-09-19 12:18:36	Ankit Jain	juniperopenstack/r3.0: milestone		r3.0.3.0
2016-09-19 12:18:45	Ankit Jain	juniperopenstack/r3.0: assignee		Rahul (rahuls)
2016-09-19 17:27:15	Jeba Paulaiyan	juniperopenstack/r3.0: importance	Undecided	High
2016-09-19 18:36:58	Ankit Jain	description	User : user1 Tenants: user1 tenant1 role:contrail user1 tenant2 role:contrail UI login: user/pass: user1/contrail123 Project API Access ProjectObject.PropertyRoleAccess default-domain:tenant1.contrailCreate, Read, Update, Delete default-domain:tenant2.contrailCreate, Read, Update, Delete Issue: Permission denied for tenant1 on config pages, for tenant2 it works fine If I remove 'user1' member from tenant2, then it start working normally. contrail-api log: 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: u=user1, r=[u'contrail', u'_member_'], o=project, op=R, rules=6, proj:dcbe861ff9a5403eb809da2547e7a395(tenant2), dom:None 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id :CRUD, (-1,False) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname :CRUD, (-1,False) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 3) useragent-kv :CRUD, (-1,False) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 4) documentation :R, (-1,False) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 5) / :R, (-1,False) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 6) .* contrail:CRUD, (0,True) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: +++ admin=no, u=user1, r='contrail,_member_' 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_INFO]: VncApiStatsLog: api_stats = << operation_type = GET user = admin useragent = nodeg13:/usr/bin/contrail-api remote_ip = 127.0.0.1:9100 domain_name = default-domain project_name = admin object_type = project response_time_in_usec = 701 response_size = 188 resp_code = 200 >> 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: --- (R:c4891e62-9340-45e7-8294-2b649dcea711) "project" ["default-domain", "tenant1"] admin=no, mode=444 mask=007 perms=700, (usr=dcbe861ff9a5403eb809da2547e7a395(tenant2)/own=c4891e62934045e782942b649dcea711/sh=[]) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_NOTICE]: VncApiError: rbac: user1 doesn't have read permission in tenant c4891e62934045e782942b649dcea711 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_INFO]: VncApiConfigLog: api_log = << identifier_uuid = c4891e62-9340-45e7-8294-2b649dcea711 object_type = project url = http://10.204.217.53:9100/project/c4891e62-9340-45e7-8294-2b649dcea711?exclude_back_refs=true&exclude_children=true operation = http_get useragent = Restler for node.js remote_ip = 10.204.217.53:9100 domain = default-domain project = tenant2 user = user1 error = project:Permission Denied >> 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_INFO]: VncApiStatsLog: api_stats = << operation_type = GET user = user1 useragent = Restler for node.js remote_ip = 10.204.217.53:9100 domain_name = default-domain project_name = tenant2 object_type = project response_time_in_usec = 11438 response_size = 0 resp_code = 520 >> 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: u=user1, r=[u'contrail', u'_member_'], o=virtual-networks, op=R, rules=6, proj:dcbe861ff9a5403eb809da2547e7a395(tenant2), dom:None 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id :CRUD, (-1,False) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname :CRUD, (-1,False) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 3) useragent-kv :CRUD, (-1,False) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 4) documentation :R, (-1,False) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 5) / :R, (-1,False) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 6) .* contrail:CRUD, (0,True) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: +++ admin=no, u=user1, r='contrail,_member_' 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: --- (R:c4891e62-9340-45e7-8294-2b649dcea711) "project" ["default-domain", "tenant1"] admin=no, mode=444 mask=007 perms=700, (usr=dcbe861ff9a5403eb809da2547e7a395(tenant2)/own=c4891e62934045e782942b649dcea711/sh=[]) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_NOTICE]: VncApiError: rbac: user1 doesn't have read permission in tenant c4891e62934045e782942b649dcea711 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_INFO]: VncApiConfigLog: api_log = << object_type = virtual_networks url = http://10.204.217.53:9100/virtual-networks?parent_id=c4891e62-9340-45e7-8294-2b649dcea711&detail=true&fields=physical_router_back_refs,floating_ip_pools operation = http_get_collection useragent = Restler for node.js remote_ip = 10.204.217.53:9100 domain = default-domain project = tenant2 user = user1 error = virtual-networks:Permission Denied >> 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_INFO]: VncApiStatsLog: api_stats = << operation_type = GET user = user1 useragent = Restler for node.js remote_ip = 10.204.217.53:9100 domain_name = default-domain project_name = tenant2 object_type = virtual_network response_time_in_usec = 9453 response_size = 0 resp_code = 520 >> 09/19/2016 05:39:14 PM [contrail-api]: __default__ [SYS_INFO]: VncApiStatsLog: api_stats = << operation_type = GET user = admin useragent = nodeg13:/usr/bin/contrail-snmp-collector remote_ip = 10.204.217.53:9100 domain_name = default-domain project_name = admin object_type = physical_router response_time_in_usec = 666 response_size = 24 resp_code = 200 >>	Issue: Project API Access CRUD for role:contrail given to two tenants tenant1 and tenant2 (see below), Permission denied seen on config pages for tenant1(one of the tenants), for tenant2 CRUD(as per the rule created, no error seen) worked fine If I remove 'user1' member from tenant2, then CRUD access for 'tenant1' starts working (as per the rule) normally. Tenant/user details below User : user1 Tenants: user1 tenant1 role:contrail user1 tenant2 role:contrail UI login: user/pass: user1/contrail123 Project API Access ProjectObject.PropertyRoleAccess default-domain:tenant1.contrailCreate, Read, Update, Delete default-domain:tenant2.contrailCreate, Read, Update, Delete contrail-api log: 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: u=user1, r=[u'contrail', u'_member_'], o=project, op=R, rules=6, proj:dcbe861ff9a5403eb809da2547e7a395(tenant2), dom:None 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id :CRUD, (-1,False) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname :CRUD, (-1,False) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 3) useragent-kv :CRUD, (-1,False) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 4) documentation :R, (-1,False) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 5) / :R, (-1,False) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 6) .* contrail:CRUD, (0,True) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: +++ admin=no, u=user1, r='contrail,_member_' 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_INFO]: VncApiStatsLog: api_stats = << operation_type = GET user = admin useragent = nodeg13:/usr/bin/contrail-api remote_ip = 127.0.0.1:9100 domain_name = default-domain project_name = admin object_type = project response_time_in_usec = 701 response_size = 188 resp_code = 200 >> 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: --- (R:c4891e62-9340-45e7-8294-2b649dcea711) "project" ["default-domain", "tenant1"] admin=no, mode=444 mask=007 perms=700, (usr=dcbe861ff9a5403eb809da2547e7a395(tenant2)/own=c4891e62934045e782942b649dcea711/sh=[]) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_NOTICE]: VncApiError: rbac: user1 doesn't have read permission in tenant c4891e62934045e782942b649dcea711 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_INFO]: VncApiConfigLog: api_log = << identifier_uuid = c4891e62-9340-45e7-8294-2b649dcea711 object_type = project url = http://10.204.217.53:9100/project/c4891e62-9340-45e7-8294-2b649dcea711?exclude_back_refs=true&exclude_children=true operation = http_get useragent = Restler for node.js remote_ip = 10.204.217.53:9100 domain = default-domain project = tenant2 user = user1 error = project:Permission Denied >> 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_INFO]: VncApiStatsLog: api_stats = << operation_type = GET user = user1 useragent = Restler for node.js remote_ip = 10.204.217.53:9100 domain_name = default-domain project_name = tenant2 object_type = project response_time_in_usec = 11438 response_size = 0 resp_code = 520 >> 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: u=user1, r=[u'contrail', u'_member_'], o=virtual-networks, op=R, rules=6, proj:dcbe861ff9a5403eb809da2547e7a395(tenant2), dom:None 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id :CRUD, (-1,False) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname :CRUD, (-1,False) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 3) useragent-kv :CRUD, (-1,False) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 4) documentation :R, (-1,False) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 5) / :R, (-1,False) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 6) .* contrail:CRUD, (0,True) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: +++ admin=no, u=user1, r='contrail,_member_' 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: --- (R:c4891e62-9340-45e7-8294-2b649dcea711) "project" ["default-domain", "tenant1"] admin=no, mode=444 mask=007 perms=700, (usr=dcbe861ff9a5403eb809da2547e7a395(tenant2)/own=c4891e62934045e782942b649dcea711/sh=[]) 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_NOTICE]: VncApiError: rbac: user1 doesn't have read permission in tenant c4891e62934045e782942b649dcea711 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_INFO]: VncApiConfigLog: api_log = << object_type = virtual_networks url = http://10.204.217.53:9100/virtual-networks?parent_id=c4891e62-9340-45e7-8294-2b649dcea711&detail=true&fields=physical_router_back_refs,floating_ip_pools operation = http_get_collection useragent = Restler for node.js remote_ip = 10.204.217.53:9100 domain = default-domain project = tenant2 user = user1 error = virtual-networks:Permission Denied >> 09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_INFO]: VncApiStatsLog: api_stats = << operation_type = GET user = user1 useragent = Restler for node.js remote_ip = 10.204.217.53:9100 domain_name = default-domain project_name = tenant2 object_type = virtual_network response_time_in_usec = 9453 response_size = 0 resp_code = 520 >> 09/19/2016 05:39:14 PM [contrail-api]: __default__ [SYS_INFO]: VncApiStatsLog: api_stats = << operation_type = GET user = admin useragent = nodeg13:/usr/bin/contrail-snmp-collector remote_ip = 10.204.217.53:9100 domain_name = default-domain project_name = admin object_type = physical_router response_time_in_usec = 666 response_size = 24 resp_code = 200 >>
2016-09-20 16:49:24	Rahul	juniperopenstack/r3.0: status	New	Fix Committed
2016-09-25 04:17:09	Jeba Paulaiyan	nominated for series		juniperopenstack/r3.1
2016-09-25 04:17:09	Jeba Paulaiyan	bug task added		juniperopenstack/r3.1
2016-09-25 04:17:09	Jeba Paulaiyan	nominated for series		juniperopenstack/trunk
2016-09-25 04:17:09	Jeba Paulaiyan	bug task added		juniperopenstack/trunk
2016-09-25 04:17:16	Jeba Paulaiyan	juniperopenstack/r3.1: importance	Undecided	High
2016-09-25 04:17:18	Jeba Paulaiyan	juniperopenstack/trunk: importance	Undecided	High
2016-09-25 04:17:30	Jeba Paulaiyan	juniperopenstack/r3.1: assignee		Rahul (rahuls)
2016-09-25 04:17:36	Jeba Paulaiyan	juniperopenstack/r3.1: milestone		r3.1.1.0
2016-09-25 04:17:40	Jeba Paulaiyan	juniperopenstack/trunk: milestone		r3.2.0.0-fcs
2016-09-29 13:01:26	Rahul	juniperopenstack/r3.1: assignee	Rahul (rahuls)	Siva Bavanasi (kbsiva)
2016-09-29 13:01:41	Rahul	juniperopenstack/trunk: assignee	Rahul (rahuls)	Siva Bavanasi (kbsiva)
2016-10-14 09:43:14	Siva Bavanasi	juniperopenstack/trunk: status	New	Fix Committed
2016-10-14 09:43:16	Siva Bavanasi	juniperopenstack/r3.1: status	New	Fix Committed