[vcenter only 5.0]Attaching contrail-security tag to VM is failing

Bug #1780424 reported by aswani kumar on 2018-07-06
This bug affects 1 person
Affects: Juniper Openstack (status tracked in Trunk)
  R5.0:  Fix Released, Importance: High, Assigned to: ram yadav
  Trunk: Fix Committed, Importance: High, Assigned to: ram yadav

Bug Description

Edouard,

On second thought, it's not right to derive the VM's owner from the VMI since the VMI can belong to a different project, as in the case of a port borrowed from a shared VN.
Believe the behavior from the config perspective is good and we don’t need any patch.

Just my 2 cents.

- Senthil

On 7/5/18, 4:02 AM, "Sachchidanand Vaidya" <email address hidden> wrote:

    +Ram

    Sent from my iPhone

    > On Jul 4, 2018, at 11:51 PM, Edouard Thuleau <email address hidden> wrote:
    >
    > Hi,
    >
    > Yes, seems to be specific to vcenter case. For neutron, 'perms2.owner'
    > field is set for most of the created resources in the Contrail plugin
    > code and if not API server fill it with the HTTP_X_PROJECT_ID request
    > header if set (if not fall back to 'cloud-admin').
    > I think we have to wrote a method to return the project owner if
    > 'perms2.owner' field is not present to treat each case separately.
    > For example, for VM get project from VMI ref, for IIP get project from
    > VN or VMI ref or for FIP get FIP pool parent then VN parent then project...
    > Or perhaps before treat each cases, check if the parent resource (if it
    > exists) have 'perms2.owner' set, if yes consider it as the resource owner.
    >
    > Édouard.
    >
    >> On 03/07/2018 20:44, Senthilnathan Murugappan wrote:
    >> Hi Edouard,
    >>
    >> Yes that would work too.
    >> But since multi-tenancy is not supported so may be local scope usecase itself doesn’t fit?
    >>
    >> BTW in Openstack environments even if RBAC is not enabled we do populate the perms2 with correct ownership information so this issue is specific to vCenter.
    >>
    >> Thanks,
    >> Senthil
    >>
    >>
    >> On 7/3/18, 2:04 AM, "Edouard Thuleau" <email address hidden> wrote:
    >>
    >> Hi Senthil,
    >>
    >> The problem is specific to VM resource as it does not have parent and if
    >> the RBAC is not enable, we could not determine the domain/project it
    >> belongs to. In first contrail model (before 1.10, if I remember
    >> correctly) it was the owner of the VMI but now it only have refs to its
    >> VMIs and that VMIs are owned by the project. And in Contrail model, a VM
    >> should not exists if it does not have at least one ref to a VMI.
    >>
    >> So for that specific case (VM and RBAC not enabled), we could try to
    >> determine the owner with the VMI ref, what do you think?
    >>
    >> Édouard.
    >>
    >>> On 02/07/2018 22:31, Senthilnathan Murugappan wrote:
    >>> Correcting edouard’s email id.
    >>>
    >>> *From: *Senthilnathan Murugappan <email address hidden>
    >>> *Date: *Monday, July 2, 2018 at 1:29 PM
    >>> *To: *Aswani Kumar Gaddam <email address hidden>, Édouard Thuleau
    >>> <email address hidden>
    >>> *Cc: *Sandip Dey <email address hidden>, Sudheendra Rao
    >>> <email address hidden>, Sachchidanand Vaidya <email address hidden>
    >>> *Subject: *Re: Contrail-security regression on vcenter setup
    >>>
    >>> + Edouard, Sachin
    >>>
    >>> Sachin, Edouard,
    >>>
    >>> In vCenter, perms2 ownership of the object (virtual-machine in this
    >>> case) is set to ‘cloud-admin’ unlike openstack where in it would be the
    >>> project it belongs to.
    >>>
    >>> We may either need to set the perms2 ownership to ‘vCenter’ projects
    >>> uuid or say we support global scope alone in vCenter environment since
    >>> it doesn’t support multi-tenancy.
    >>>
    >>> FYI:
    >>>
    >>> http://10.204.217.139:8082/virtual-machine/50245937-e4c4-0f2c-e920-39c031921d8a
    >>>
    >>> Thanks,
    >>>
    >>> Senthil
    >>>
    >>> *From: *Aswani Kumar Gaddam <email address hidden>
    >>> *Date: *Sunday, July 1, 2018 at 7:55 AM
    >>> *To: *Senthilnathan Murugappan <email address hidden>
    >>> *Cc: *Sandip Dey <email address hidden>, Sudheendra Rao
    >>> <email address hidden>
    >>> *Subject: *Contrail-security regression on vcenter setup
    >>>
    >>> Hi Senthil,
    >>>
    >>> I am running contrail-security regression on 5.0 vcenter setup
    >>>
    >>> All local scope test cases are failing while adding a tag to virtual_machine
    >>>
    >>> I debugged and found it's not able to determine the scope of the tag
    >>>
    >>> Can you please help me to debug this
    >>>
    >>> I tried to attach the same tag to virtual-network and it's working
    >>>
    >>> vh=VncApi(username='admin',password='contrail123',tenant_name='vCenter',api_server_host='10.204.217.139',api_server_port='8082')
    >>> vh.tag_read(id='d583133a-2c9b-488d-8918-b29df1119e09')
    >>> <vnc_api.gen.resource_client.Tag object at 0x7f20c3399f90>
    >>> >>> ta=vh.tag_read(id='d583133a-2c9b-488d-8918-b29df1119e09')
    >>>
    >>> Tried to set to virtual-network
    >>>
    >>> vn=vh.virtual_network_read(id='0efb01bd-75e7-37a6-b076-7a53a2b8fbfe')
    >>> >>> tag.tag_value
    >>> u'web'
    >>> >>> tag.tag_type_name
    >>> u'tier'
    >>> >>> vh.set_tag(vn,tag.tag_type_name,tag.tag_value)
    >>> {}
    >>>
    >>> tag_refs: [
    >>>   {
    >>>     "to": ["default-domain", "vCenter", "application=eng"],
    >>>     "href": "http://10.204.217.139:8082/tag/6421c191-ed8b-45f3-9040-846e2fb6f5a0",
    >>>     "attr": null,
    >>>     "uuid": "6421c191-ed8b-45f3-9040-846e2fb6f5a0"
    >>>   },
    >>>   {
    >>>     "to": ["default-domain", "vCenter", "tier=web"],
    >>>     "href": "http://10.204.217.139:8082/tag/41f96337-ea7e-467f-815b-5b31db4d9404",
    >>>     "attr": null,
    >>>     "uuid": "41f96337-ea7e-467f-815b-5b31db4d9404"
    >>>   }
    >>> ],
    >>>
    >>> Tried the same tag on virtual-machine and it's failing
    >>>
    >>> temp.uuid
    >>> u'50244014-21f3-74bf-9b5d-bd03c7c9551b'
    >>> >>> vh.set_tag(temp,tag.tag_type_name,tag.tag_value)
    >>> Traceback (most recent call last):
    >>>   File "<stdin>", line 1, in <module>
    >>>   File "/usr/lib/python2.7/site-packages/vnc_api/vnc_api.py", line 1602, in set_tag
    >>>     return self.set_tags(obj, tags_dict)
    >>>   File "/usr/lib/python2.7/site-packages/vnc_api/vnc_api.py", line 1585, in set_tags
    >>>     content = self._request_server(OP_POST, url, json.dumps(data))
    >>>   File "/usr/lib/python2.7/site-packages/vnc_api/vnc_api.py", line 943, in _request_server
    >>>     retry_after_authn=retry_after_authn, retry_count=retry_count)
    >>>   File "/usr/lib/python2.7/site-packages/vnc_api/vnc_api.py", line 1027, in _request
    >>>     % (op, url, data, content))
    >>> vnc_api.exceptions.NoIdError: Unknown id: Error: oper 1 url /set-tag body {"tier": {"is_global": false, "value": "web"}, "obj_type": "virtual_machine", "obj_uuid": "50244014-21f3-74bf-9b5d-bd03c7c9551b"} response Not able to determine the scope of the tag 'tier=web'
    >>>
    >>> Testbed
    >>>
    >>> Nodei127(10.204.217.139) -cfgm0
    >>>
    >>> Thanks,
    >>>
    >>> Aswani Kumar
    >>>

tags: added: beta-blocker vcenter-only
ram yadav (ryadav) wrote :

Edouard,
I’m not very clear on the discussion here but let me summarize my understanding:
1. perm2.owner field is set in the API server when RBAC is enabled. And API server uses keystone credentials for the same. I’m hoping HTTP_X_PROJECT_ID request is used with reference to keystone request.
2. Since keystone equivalent is not supported in vCenter we don’t have RBAC support for vCenter (same I hope for kubernetes, but will let someone from kubernetes team confirm it.)
3. Since perms2.owner is not set via vCenter plugin, it defaults to ‘cloud-admin’ since RBAC is not enabled and hence API server cannot use keystone to get the perm2.owner.

Given above understanding are you asking vCenter plugin to set the perm2.owner field for VM’s created? Is it possible to set it internally in the API server, instead of each plugin setting it?

Thanks,
Ram

tags: removed: beta-blocker
ram yadav (ryadav) wrote :

We will modify the CVM code to do the following:
1. We will add the perms2.owner to tenant id ( project vcenter uuid).
2. This should take care of propagating the tag association from project/local scope.

Thanks,
Ram
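
Added example, not code from this report, the Contrail API server or the vCenter plugin: a simplified Python model of the tag-scope resolution the thread describes. It shows why a local-scope (`is_global: false`) tag can be attached to a virtual-network but not to a virtual-machine whose `perms2.owner` is the `cloud-admin` default, and how setting the VM's owner to the project UUID (the fix summarized above) resolves it. The parent-walk fallback, the `Resource`/`Store` layout and all UUIDs are assumptions constructed for the illustration.

```python
"""Illustrative model of how a config API server could decide the scope of a
tag before attaching it.  Not Contrail's real code; layout is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Value the API server falls back to when no plugin sets perms2.owner
# (as the thread describes for vCenter-created resources).
CLOUD_ADMIN = "cloud-admin"


@dataclass
class Resource:
    uuid: str
    obj_type: str
    fq_name: List[str]
    parent_uuid: Optional[str] = None
    perms2_owner: str = CLOUD_ADMIN
    refs: Dict[str, List[str]] = field(default_factory=dict)


class TagScopeError(Exception):
    """Raised when a local-scope tag cannot be placed under a project."""


class Store:
    """Minimal in-memory stand-in for the config database."""

    def __init__(self, resources):
        self.by_uuid = {r.uuid: r for r in resources}

    def get(self, uuid):
        return self.by_uuid[uuid]


def owning_project(res, store):
    """Return the project uuid that owns `res`, or None if undeterminable."""
    # 1. Explicit ownership (perms2.owner) wins.
    if res.perms2_owner != CLOUD_ADMIN:
        return res.perms2_owner
    # 2. Otherwise walk the parent chain until a project (or an owned
    #    ancestor) is reached.  A VM has no parent, so this yields nothing.
    cur = res
    while cur.parent_uuid is not None:
        cur = store.get(cur.parent_uuid)
        if cur.obj_type == "project":
            return cur.uuid
        if cur.perms2_owner != CLOUD_ADMIN:
            return cur.perms2_owner
    return None


def set_tag(store, obj_uuid, tag_type, tag_value, is_global=False):
    """Return the fq_name of the tag to reference, or raise TagScopeError.

    Mirrors the /set-tag body seen in the report:
    {"tier": {"is_global": false, "value": "web"}, "obj_type": ..., "obj_uuid": ...}
    """
    res = store.get(obj_uuid)
    leaf = "%s=%s" % (tag_type, tag_value)
    if is_global:
        return [leaf]                      # global tags live at the root
    project_uuid = owning_project(res, store)
    if project_uuid is None:
        raise TagScopeError("Not able to determine the scope of the tag '%s'" % leaf)
    return store.get(project_uuid).fq_name + [leaf]


def build_store(vm_owner=CLOUD_ADMIN):
    """Constructed sample topology: a vCenter project with one VN, one VM
    and one VMI.  The VM has no parent, only a ref to its project-owned VMI."""
    domain = Resource("domain-1", "domain", ["default-domain"])
    project = Resource("project-vcenter", "project", ["default-domain", "vCenter"],
                       parent_uuid="domain-1", perms2_owner="project-vcenter")
    vn = Resource("vn-1", "virtual_network", ["default-domain", "vCenter", "vn1"],
                  parent_uuid="project-vcenter")
    vm = Resource("vm-1", "virtual_machine", ["vm-1"], perms2_owner=vm_owner,
                  refs={"virtual_machine_interface": ["vmi-1"]})
    vmi = Resource("vmi-1", "virtual_machine_interface",
                   ["default-domain", "vCenter", "vmi1"], parent_uuid="project-vcenter")
    return Store([domain, project, vn, vm, vmi])


def demo():
    """Reproduce the report's outcome before and after the owner fix."""
    before = build_store()
    results = {"vn": set_tag(before, "vn-1", "tier", "web")}
    try:
        set_tag(before, "vm-1", "tier", "web")
        results["vm_before_fix"] = "attached"
    except TagScopeError as err:
        results["vm_before_fix"] = str(err)
    # The fix: the plugin writes perms2.owner = project uuid on the VM.
    after = build_store(vm_owner="project-vcenter")
    results["vm_after_fix"] = set_tag(after, "vm-1", "tier", "web")
    results["vm_global"] = set_tag(before, "vm-1", "tier", "web", is_global=True)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The model keeps the point Senthil raises: ownership comes from `perms2.owner` or the parent chain, never from the VMI refs, so a VM with the `cloud-admin` default and no parent has no project to scope a local tag under, while a global tag attaches regardless.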

ram yadav (ryadav) wrote :

We will add the perms2.owner for VM to tenant id ( which is project vcenter uuid).

Review in progress for https://review.opencontrail.org/44543
Submitter: Adrian Szczepanski (<email address hidden>)

Review in progress for https://review.opencontrail.org/44542
Submitter: Adrian Szczepanski (<email address hidden>)

Reviewed: https://review.opencontrail.org/44542
Committed: http://github.com/Juniper/contrail-vcenter-manager/commit/6e43f2072dfa333d317a8c498d8d15d9468aed82
Submitter: Zuul v3 CI (<email address hidden>)
Branch: master

commit 6e43f2072dfa333d317a8c498d8d15d9468aed82
Author: Adrian Szczepański <email address hidden>
Date: Thu Jul 12 09:50:29 2018 +0200

Add perms2.owner to VM

Set VMs owner to project uuid

Change-Id: Ide9cf20ff1cdd5120f21033e89566d54dc3942ab
Closes-Bug: #1781342
Closes-Bug: #1780424

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/44543
Committed: http://github.com/Juniper/contrail-vcenter-manager/commit/3a35eff4678781057deca31d7a7dd96de6763b74
Submitter: Zuul v3 CI (<email address hidden>)
Branch: R5.0

commit 3a35eff4678781057deca31d7a7dd96de6763b74
Author: Adrian Szczepański <email address hidden>
Date: Thu Jul 12 09:50:29 2018 +0200

Add perms2.owner to VM

Set VMs owner to project uuid

Change-Id: Ide9cf20ff1cdd5120f21033e89566d54dc3942ab
Closes-Bug: #1781342
Closes-Bug: #1780424

tags: added: contrail-security
tags: added: beta-blocker

Review in progress for https://review.opencontrail.org/45503
Submitter: ryadav (<email address hidden>)

Review in progress for https://review.opencontrail.org/45504
Submitter: ryadav (<email address hidden>)

Reviewed: https://review.opencontrail.org/45503
Committed: http://github.com/Juniper/contrail-vcenter-plugin/commit/9ebcc1448e4f1d27cded7cc70cffa334c8c20464
Submitter: Zuul v3 CI (<email address hidden>)
Branch: master

commit 9ebcc1448e4f1d27cded7cc70cffa334c8c20464
Author: ram-yadav <email address hidden>
Date: Sat Aug 11 07:55:40 2018 +0000

Set perms2 to VM with perm2 owner set to project

Since VM doesn't have parent we set the VM perm2 owner to project.
This will make TAGS for contrail security work at project scope.

Change-Id: Ia5c251de8097ca4c43d7a0a19f21582101e4386f
Closes-Bug: #1780424

Reviewed: https://review.opencontrail.org/45504
Committed: http://github.com/Juniper/contrail-vcenter-plugin/commit/74c0efcfaf7265c6bd00346481a79b0cf123627e
Submitter: Zuul v3 CI (<email address hidden>)
Branch: R5.0

commit 74c0efcfaf7265c6bd00346481a79b0cf123627e
Author: ram-yadav <email address hidden>
Date: Sat Aug 11 07:55:40 2018 +0000

Set perms2 to VM with perm2 owner set to project

Since VM doesn't have parent we set the VM perm2 owner to project.
This will make TAGS for contrail security work at project scope.

Change-Id: Ia5c251de8097ca4c43d7a0a19f21582101e4386f
Closes-Bug: #1780424
