2016-09-19 18:36:58 |
Ankit Jain |
description |
User : user1
Tenants:
user1 tenant1 role:contrail
user1 tenant2 role:contrail
UI login:
user/pass: user1/contrail123
Project API Access
Project                 Object.Property  Role      Access
default-domain:tenant1  *.*              contrail  Create, Read, Update, Delete
default-domain:tenant2  *.*              contrail  Create, Read, Update, Delete
Issue: Permission denied for tenant1 on config pages; for tenant2 it works fine.
If I remove 'user1' member from tenant2, then it starts working normally.
contrail-api log:
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: u=user1, r=[u'contrail', u'_member_'], o=project, op=R, rules=6, proj:dcbe861ff9a5403eb809da2547e7a395(tenant2), dom:None
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id *:CRUD, (-1,False)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname *:CRUD, (-1,False)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 3) useragent-kv *:CRUD, (-1,False)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 4) documentation *:R, (-1,False)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 5) / *:R, (-1,False)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 6) *.* contrail:CRUD, (0,True)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: +++ admin=no, u=user1, r='contrail,_member_'
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_INFO]: VncApiStatsLog: api_stats = << operation_type = GET user = admin useragent = nodeg13:/usr/bin/contrail-api remote_ip = 127.0.0.1:9100 domain_name = default-domain project_name = admin object_type = project response_time_in_usec = 701 response_size = 188 resp_code = 200 >>
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: --- (R:c4891e62-9340-45e7-8294-2b649dcea711) "project" ["default-domain", "tenant1"] admin=no, mode=444 mask=007 perms=700, (usr=dcbe861ff9a5403eb809da2547e7a395(tenant2)/own=c4891e62934045e782942b649dcea711/sh=[])
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_NOTICE]: VncApiError: rbac: user1 doesn't have read permission in tenant c4891e62934045e782942b649dcea711
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_INFO]: VncApiConfigLog: api_log = << identifier_uuid = c4891e62-9340-45e7-8294-2b649dcea711 object_type = project url = http://10.204.217.53:9100/project/c4891e62-9340-45e7-8294-2b649dcea711?exclude_back_refs=true&exclude_children=true operation = http_get useragent = Restler for node.js remote_ip = 10.204.217.53:9100 domain = default-domain project = tenant2 user = user1 error = project:Permission Denied >>
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_INFO]: VncApiStatsLog: api_stats = << operation_type = GET user = user1 useragent = Restler for node.js remote_ip = 10.204.217.53:9100 domain_name = default-domain project_name = tenant2 object_type = project response_time_in_usec = 11438 response_size = 0 resp_code = 520 >>
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: u=user1, r=[u'contrail', u'_member_'], o=virtual-networks, op=R, rules=6, proj:dcbe861ff9a5403eb809da2547e7a395(tenant2), dom:None
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 1) fqname-to-id *:CRUD, (-1,False)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 2) id-to-fqname *:CRUD, (-1,False)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 3) useragent-kv *:CRUD, (-1,False)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 4) documentation *:R, (-1,False)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 5) / *:R, (-1,False)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: Rule 6) *.* contrail:CRUD, (0,True)
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: +++ admin=no, u=user1, r='contrail,_member_'
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_DEBUG]: VncApiError: rbac: --- (R:c4891e62-9340-45e7-8294-2b649dcea711) "project" ["default-domain", "tenant1"] admin=no, mode=444 mask=007 perms=700, (usr=dcbe861ff9a5403eb809da2547e7a395(tenant2)/own=c4891e62934045e782942b649dcea711/sh=[])
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_NOTICE]: VncApiError: rbac: user1 doesn't have read permission in tenant c4891e62934045e782942b649dcea711
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_INFO]: VncApiConfigLog: api_log = << object_type = virtual_networks url = http://10.204.217.53:9100/virtual-networks?parent_id=c4891e62-9340-45e7-8294-2b649dcea711&detail=true&fields=physical_router_back_refs,floating_ip_pools operation = http_get_collection useragent = Restler for node.js remote_ip = 10.204.217.53:9100 domain = default-domain project = tenant2 user = user1 error = virtual-networks:Permission Denied >>
09/19/2016 05:38:46 PM [contrail-api]: __default__ [SYS_INFO]: VncApiStatsLog: api_stats = << operation_type = GET user = user1 useragent = Restler for node.js remote_ip = 10.204.217.53:9100 domain_name = default-domain project_name = tenant2 object_type = virtual_network response_time_in_usec = 9453 response_size = 0 resp_code = 520 >>
09/19/2016 05:39:14 PM [contrail-api]: __default__ [SYS_INFO]: VncApiStatsLog: api_stats = << operation_type = GET user = admin useragent = nodeg13:/usr/bin/contrail-snmp-collector remote_ip = 10.204.217.53:9100 domain_name = default-domain project_name = admin object_type = physical_router response_time_in_usec = 666 response_size = 24 resp_code = 200 >> |
Issue: Project API Access CRUD for role:contrail given to two tenants, tenant1 and tenant2 (see below). Permission denied seen on config pages for tenant1 (one of the tenants); for tenant2, CRUD (as per the rule created, no error seen) worked fine.
If I remove 'user1' member from tenant2, then CRUD access for 'tenant1' starts working normally (as per the rule).
Tenant/user details below
User : user1
Tenants:
user1 tenant1 role:contrail
user1 tenant2 role:contrail
UI login:
user/pass: user1/contrail123
Project API Access
Project                 Object.Property  Role      Access
default-domain:tenant1  *.*              contrail  Create, Read, Update, Delete
default-domain:tenant2  *.*              contrail  Create, Read, Update, Delete
|
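Added example, not part of the bug report and not Contrail code: a Python triage helper that parses the "rbac: ---" denial lines from the contrail-api log above and flags requests whose project scope (usr=) differs from the object's owner (own=) while the share list (sh=) is empty, which is what both denials in this log show (scope tenant2, object default-domain:tenant1). The meaning given to the usr/own/sh fields is an assumption read from the log lines shown, and the second sample line is constructed for contrast.

```python
import re

# First line: the "rbac: ---" denial from the log above (timestamp prefix trimmed).
# Second line: constructed same-tenant variant for contrast. Third: the NOTICE line.
SAMPLE_LOG = """\
[SYS_DEBUG]: VncApiError: rbac: --- (R:c4891e62-9340-45e7-8294-2b649dcea711) "project" ["default-domain", "tenant1"] admin=no, mode=444 mask=007 perms=700, (usr=dcbe861ff9a5403eb809da2547e7a395(tenant2)/own=c4891e62934045e782942b649dcea711/sh=[])
[SYS_DEBUG]: VncApiError: rbac: --- (R:c4891e62-9340-45e7-8294-2b649dcea711) "project" ["default-domain", "tenant1"] admin=no, mode=444 mask=007 perms=700, (usr=c4891e62934045e782942b649dcea711(tenant1)/own=c4891e62934045e782942b649dcea711/sh=[])
[SYS_NOTICE]: VncApiError: rbac: user1 doesn't have read permission in tenant c4891e62934045e782942b649dcea711
"""

# Group names are this example's labels for the fields, not Contrail's own names.
DENIAL = re.compile(
    r'rbac: --- \((?P<op>\w+):(?P<uuid>[0-9a-f-]+)\) "(?P<obj_type>[^"]+)" '
    r'\[(?P<fq_name>[^\]]*)\] admin=(?P<admin>\w+), '
    r'mode=(?P<mode>\d+) mask=(?P<mask>\d+) perms=(?P<perms>\d+), '
    r'\(usr=(?P<scope_id>[0-9a-f]+)\((?P<scope_name>[^)]*)\)'
    r'/own=(?P<owner_id>[0-9a-f]+)/sh=\[(?P<shared>[^\]]*)\]\)'
)

def parse_denials(log_text):
    """Return one dict per 'rbac: ---' line, with a cross_tenant flag."""
    out = []
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["fq_name"] = [p.strip(' "') for p in d["fq_name"].split(",")]
        # Flag the pattern seen in this report: request scoped to one project,
        # object owned by another, and nothing in the object's share list.
        d["cross_tenant"] = d["scope_id"] != d["owner_id"] and not d["shared"].strip()
        out.append(d)
    return out

def cross_tenant_denials(log_text):
    """(scope project name, object fq_name, operation) for each flagged denial."""
    return [(d["scope_name"], ":".join(d["fq_name"]), d["op"])
            for d in parse_denials(log_text) if d["cross_tenant"]]

if __name__ == "__main__":
    for scope, obj, op in cross_tenant_denials(SAMPLE_LOG):
        print(f"request scoped to {scope} denied {op} on {obj}")
```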