Analytics RBAC doesn't work
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Juniper Openstack | Status tracked in Trunk | | |
R4.1 | Fix Committed | Critical | Suresh Vinapamula |
Trunk | Fix Committed | Critical | Suresh Vinapamula |
Bug Description
With RBAC enabled, access to an object (virtual-network) should go through the RBAC acl check of whether a role can access a particular object, which doesn't seem to happen with analytics.
1) Created a user msenthil and gave _member_ role to admin tenant
2) Listing of VN UVE lists all the VN objects in the cluster, whereas the user doesn't have any rights to read any object in the cluster since there were no rbac acl configured.
root@a2s36:~# keystone --os-username msenthil token-get
+------
| Property | Value |
+------
| expires | 2017-10-
| id | fabb27d2ef7942a
| tenant_id | c38c502d342e4e3
| user_id | acfe9d0870264c9
+------
root@a2s36:~# curl -H 'X-Auth-Token: fabb27d2ef7942a
[{"href": "http://
root@a2s36(
aaa_mode = rbac
root@a2s36:~# curl -H 'X-Auth-Token: 8e8c746eb51f46a
{"aaa-mode": "rbac"}
root@a2s36:~# curl -H 'X-Auth-Token: 8e8c746eb51f46a
{"api-access-
root@a2s36:~# curl -s -H 'X-Auth-Token: 8e8c746eb51f46a
{
},
{
},
{
},
{
},
{
}
]
},
"fq_name": [
],
"href": "http://
contrail-analytics-api calls VncApi.resource_list() with the user_token to get the list of objects for which the user has access to. VncApi.resource_list() returns all the objects irrespective of whether the token is valid or has rbac acl configured for the role.
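
A simplified model of the check this report expects, added here as an example (it is not Contrail code and not part of the original report): a UVE listing is filtered per caller and comes back empty when the token is invalid or no RBAC rule grants the role read access. The function names role_can and visible_uves, the rule field names and all sample data are assumptions.

```python
# Added illustration, not Contrail code. Rule field names are assumptions
# modelled on an RBAC ACL; tokens, roles and UVE names are constructed.

def role_can(rules, roles, obj_type, op):
    """True if any rule grants CRUD letter `op` on obj_type to one of `roles`."""
    for rule in rules:
        if rule["rule_object"] not in (obj_type, "*"):
            continue
        for perm in rule["rule_perms"]:
            role_matches = perm["role_name"] == "*" or perm["role_name"] in roles
            if role_matches and op in perm["role_crud"]:
                return True
    return False


def visible_uves(uve_names, token_info, rules, obj_type="virtual-network"):
    """Filter a UVE listing for one caller, failing closed.

    token_info is None when token validation failed; otherwise it carries
    the caller's roles. No valid token or no matching read rule -> nothing.
    """
    if token_info is None:
        return []
    if not role_can(rules, set(token_info["roles"]), obj_type, "R"):
        return []
    return sorted(uve_names)


# Constructed sample data.
UVES = ["default-domain:admin:vn2", "default-domain:admin:vn1"]
MEMBER = {"user": "msenthil", "roles": ["_member_"]}
NO_RULES = []
READ_RULE = [{"rule_object": "virtual-network",
              "rule_perms": [{"role_name": "_member_", "role_crud": "R"}]}]
WRITE_ONLY = [{"rule_object": "virtual-network",
               "rule_perms": [{"role_name": "_member_", "role_crud": "CUD"}]}]

if __name__ == "__main__":
    print(visible_uves(UVES, MEMBER, NO_RULES))    # no ACL for the role
    print(visible_uves(UVES, None, READ_RULE))     # invalid token
    print(visible_uves(UVES, MEMBER, READ_RULE))   # read granted
```

The first two calls are the cases from the report: a _member_ user with no rbac acl configured, and a token that does not validate. Both should list nothing.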