shared floating-ip-pool in Tenant-A invisible in Tenant-B

Bug #1767516 reported by Jiang Lu on 2018-04-27
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Juniper Openstack
Won't Fix
High
Unassigned
R3.2
New
High
Sarin Kizhakkepurayil
R4.0
New
High
Sarin Kizhakkepurayil
R4.1
New
High
Sarin Kizhakkepurayil
R5.0
Won't Fix
High
Unassigned
Trunk
Won't Fix
High
Unassigned

Bug Description

Not able to see floating IP pool under shared tenant on contrail dashboard.

Steps to reproduce:
Tenants used :
Tenant_A
Tenant_B
1.Login to Contrail UI with admin role credentials in Tenant_A
2.Create a VN and mark VN as external and add Floating IP Pool by navigating to configure->networking->Floating IP pools
3. Go to configure->networking->floating IP pool->default domain->tenant A and search for floating Ip pool created and update the expand share option and provide Tenant_B details under share section and provide read ,write, refer access.
4.Log off and Login to Contrail UI with admin / non admin role credentials in Tenant_B
5.Go to Configure > Networking > Floating Ips > Default-domain > { Tenant_B }

Actual Result :Not able to see floating IP pool in tenant B which was created in tenant A and was shared with tenant B.---not even with admin role, Not able to create floating ip in tenant B as well

though floating IP pool is visible on horizon dashboard for tenant B only when logged in with admin role.

Expected Result:
For Admin role in tenant B:User should be able to see Floating IP pool under Tenant_B which user created under Tenant_A, and should be able to create Floating IP successfully.
For non admin role in tenant B:User should be able to see Floating IP pool under Tenant_B which user created under Tenant_A, but it should not be able to create Floating IP successfully.

Jiang Lu (lujiang) on 2018-04-27
tags: added: 2018-0417-0845 att-aic-contrail jtac
Jiang Lu (lujiang) wrote :
Download full text (12.5 KiB)

Problem could be seen on JTAC local testbed AIO50:

GUI access:
https://10.85.188.50:8143/
admin/Juniper

terminal access:
ssh root@10.85.188.50
Juniper

Tenant-A:
VN-A (global_access 7 and add Tenant-B in Permissons->Share List)
Floating-VA-A (global_access 7 and add Tenant-B in Permissons->Share List)

Tenant-B:
VN-A is visible in GUI
Floating-VA-A is invisible in GUI

<<<Actually floating-ip-pool Floating-VA-A is good in the Tenant-B curl output.
<<<So the GUI invisible issue should have other reasons behind

VN-A and Floating-VA-A in vnc-config
===========
root@aio50:~# curl -u admin:Juniper http://localhost:8095/virtual-networks | python -mjson.tool | egrep -C4 VN-A
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 2135 100 2135 0 0 233k 0 --:--:-- --:--:-- --:--:-- 260k
        {
            "fq_name": [
                "default-domain",
                "Tenant-A",
                "VN-A"
            ],
            "href": "http://localhost:8095/virtual-network/b59a34f3-e39e-4d18-9d27-b9fd9243c30f",
            "uuid": "b59a34f3-e39e-4d18-9d27-b9fd9243c30f"
        },

root@aio50:~# curl -u admin:Juniper http://localhost:8095/floating-ip-pools | python -mjson.tool
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 228 100 228 0 0 70522 0 --:--:-- --:--:-- --:--:-- 76000
{
    "floating-ip-pools": [
        {
            "fq_name": [
                "default-domain",
                "Tenant-A",
                "VN-A",
                "Floating-VA-A"
            ],
            "href": "http://localhost:8095/floating-ip-pool/33e3fe1b-1d71-4a09-9ab4-79df9d96a74c",
            "uuid": "33e3fe1b-1d71-4a09-9ab4-79df9d96a74c"
        }
    ]
}
root@aio50:~# curl -u admin:Juniper http://localhost:8095/floating-ip-pool/33e3fe1b-1d71-4a09-9ab4-79df9d96a74c | python -mjson.tool
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
100 1222 100 1222 0 0 99495 0 --:--:-- --:--:-- --:--:-- 99k
{
    "floating-ip-pool": {
        "display_name": "Floating-VA-A",
        "fq_name": [
            "default-domain",
            "Tenant-A",
            "VN-A",
            "Floating-VA-A"
        ],
        "href": "http://localhost:8095/floating-ip-pool/33e3fe1b-1d71-4a09-9ab4-79df9d96a74c",
        "id_perms": {
            "created": "2018-04-27T19:48:22.201396",
            "creator": null,
            "description": null,
            "enable": true,
            "last_modified": "2018-04-27T20:55:39.725084",
            "permissions": {
                "group": "_member_",
                "group_access": 7,
                "other_access": 7,
                "owner": "user-a",
                "owner_access": 7
            },
            "user_visible": true,
            "uuid": {
                "uuid_lslong": 11147668978977384268,
                "uuid_mslong": 373911150805917952...

Changed in juniperopenstack:
importance: Undecided → High
Jiang Lu (lujiang) wrote :
Download full text (5.7 KiB)

Contrail version is 3.2.9
aio50 not enabled RBAC yet. But another aio71 with RBAC enabled also see this same issue.

root@aio50:/opt/contrail/utils# python rbacutil.py --name default-domain --server 127.0.0.1:9100
AAA mode is cloud-admin

Oper = None
Name = ['default-domain']
UUID = None
API Server = 127.0.0.1:9100

root@aio50:/opt/contrail/utils# python chmod2.py --uuid 33e3fe1b-1d71-4a09-9ab4-79df9d96a74c --server 127.0.0.1:9100
API Server = 127.0.0.1:9100
Keystone credentials admin/Juniper/admin
Type = floating-ip-pool
Name = default-domain:Tenant-A:VN-A:Floating-VA-A
Cur perms a7d39c3b7cb14e0c94bf5f2c572788fd/7 7 [u'df6331e4-9bcb-450c-b1d5-03e9c02c0702:7']

root@aio50:/opt/contrail/utils# contrail-version
Package Version Build-ID | Repo | Package Name
-------------------------------------- ------------------------------ ----------------------------------
contrail-analytics 3.2.9.0-69 69
contrail-config 3.2.9.0-69 69
contrail-config-openstack 3.2.9.0-69 69
contrail-control 3.2.9.0-69 69
contrail-database-common 3.2.9.0-69 69
contrail-dns 3.2.9.0-69 69
contrail-docs 3.2.9.0-69 69
contrail-f5 3.2.9.0-69 69
contrail-fabric-utils 3.2.9.0-69 69
contrail-heat 3.2.9.0-69 69
contrail-install-packages 3.2.9.0-69~kilo 69
contrail-lib 3.2.9.0-69 69
contrail-nodemgr 3.2.9.0-69 69
contrail-nova-networkapi 3.2.9.0-69 69
contrail-nova-vif 3.2.9.0-69 69
contrail-openstack 3.2.9.0-69 69
contrail-openstack-analytics 3.2.9.0-69 69
contrail-openstack-config 3.2.9.0-69 69
contrail-openstack-control 3.2.9.0-69 69
contrail-openstack-dashboard 3.2.9.0-69 69
contrail-openstack-database 3.2.9.0-69 69
contrail-openstack-vrouter 3.2.9.0-69 69
contrail-openstack-webui 3.2.9.0-69 69
contrail-setup ...

Read more...

Sachin Bansal (sbansal) on 2018-04-30
Changed in juniperopenstack:
assignee: nobody → Suresh Akula (surakula)
Jim Reilly (jpreilly) on 2018-04-30
information type: Proprietary → Private
information type: Private → Public
Jiang Lu (lujiang) wrote :

We have 2 related JTAC cases:

2018-0417-0845: floating IP allocating issue. Closed as floating IP allocation is good now.
2018-0411-0626: floating ip pool being shared but invisible in 2nd tenant.

Jiang Lu (lujiang) on 2018-05-30
tags: added: 2018-0411-0626
removed: 2018-0417-0845
Jiang Lu (lujiang) wrote :

2018-0411-0626: floating ip pool being shared but invisible in 2nd tenant

This is expected and actually not supported currently and in future as well per Contrail BU.

>>>This is not supported in UI for any object, not only floating ip pool.
>>>Yes, we do not plan to support it in the future as well.

Jeba Paulaiyan (jebap) on 2018-08-21
Changed in juniperopenstack:
status: New → Won't Fix
Manoj (manojgn) on 2018-08-31
Changed in juniperopenstack:
assignee: Manoj (manojgn) → nobody
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers