R3.1 Build 2: Cloud admin access to analytics-api broken due to issue with the obj-perms
Bug #1604773 reported by Ankit Jain
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Juniper Openstack | Status tracked in Trunk | | |
R3.0 | Fix Committed | Critical | Deepinder Setia |
R3.1 | Fix Committed | Critical | Deepinder Setia |
Trunk | Fix Committed | Critical | Deepinder Setia |
Bug Description
1) Seeing Internal Server Error while trying to access analytics-api with the user having cloud admin access
2) UI Monitoring pages are also broken due to the same issue when multi tenancy is enabled in contrail-
Steps:
1) Enable multi_tenancy = True in contrail-
2) Restart the process
3) Check the UI
OR
Execute the following command with the user having cloud admin access:
curl -s -H "X-Auth-Token: $(keystone token-get | awk '/ id / {print $4}')" nodeg13:
Observation:
1) All analytics nodes shown as down in the UI
2) Monitoring pages broken
3) Contrail-
summary:
- R3.1 Build 2: UI monitoring pages broken after enabling multi tenancy
- in contrail-analytics-api.conf
+ R3.1 Build 2: Cloud admin access to analytics-api broken due to issue
+ with the obj-perms
description: updated
tags: removed: ui
tags: added: blocker
Sent http://10.204.217.53:8081/analytics/uves/control-nodes
With
X-Auth-Token: d7f9656966bd426789a5509f52fdca81
X_API_ROLE: admin
With same token and role, API Server (http://10.204.217.53:8082/virtual-networks) sends correct response, but analytics throws error,
> /usr/lib/python2.7/dist-packages/opserver/opserver.py(409)_impl()
-> user_token = bottle.request.headers.get('X-Auth-Token')
(Pdb)
(Pdb)
(Pdb)
(Pdb)
(Pdb) list
404             @wraps(func)
405             def _impl(self, *f_args, **f_kwargs):
406                 if self._args.auth_conf_info.get('cloud_admin_access_only') and \
407                         bottle.request.app == bottle.app():
408                     import pdb; pdb.set_trace()
409  ->                 user_token = bottle.request.headers.get('X-Auth-Token')
410                     if not user_token or not \
411                             self._vnc_api_client.is_role_cloud_admin(user_token):
412                         raise bottle.HTTPResponse(status = 401,
413                             body = 'Authentication required',
414                             headers = self._reject_auth_headers())
(Pdb) p bottle.request.headers.__dict__
{'environ': {'SERVER_SOFTWARE': 'gevent/1.0 Python/2.7', 'SCRIPT_NAME': '', 'REQUEST_METHOD': 'GET', 'PATH_INFO': '/analytics/uves/control-nodes', 'SERVER_PROTOCOL': 'HTTP/1.1', 'QUERY_STRING': '', 'bottle.app': <bottle.Bottle object at 0x7f270aa57690>, 'REMOTE_ADDR': '172.29.235.139', 'HTTP_X_AUTH_TOKEN': 'd7f9656966bd426789a5509f52fdca81', 'HTTP_USER_AGENT': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36', 'HTTP_CONNECTION': 'keep-alive', 'SERVER_NAME': 'localhost', 'REMOTE_PORT': '51182', 'wsgi.url_scheme': 'http', 'bottle.request': <LocalRequest: GET http://10.204.217.53:8081/analytics/uves/control-nodes>, 'SERVER_PORT': '8081', 'bottle.request.headers': <bottle.WSGIHeaderDict object at 0x7f26ff65a990>, 'route.handle': <GET '/analytics/uves/<tables>' <function dyn_list_http_get at 0x7f270524be60>>, 'bottle.request.urlparts': SplitResult(scheme='http', netloc='10.204.217.53:8081', path='/analytics/uves/control-nodes', query='', fragment=''), 'route.url_args': {'tables': 'control-nodes'}, 'wsgi.input': <gevent.pywsgi.Input object at 0x7f26ff6f4110>, 'HTTP_HOST': '10.204.217.53:8081', 'wsgi.multithread': False, 'HTTP_CACHE_CONTROL': 'no-cache', 'HTTP_ACCEPT': '*/*', 'bottle.raw_path': '/analytics/uves/control-nodes', 'wsgi.version': (1, 0), 'bottle.route': <GET '/analytics/uves/<tables>' <function dyn_list_http_get at 0x7f270524be60>>, 'GATEWAY_INTERFACE': 'CGI/1.1', 'wsgi.run_once': False, 'wsgi.errors': <open file '<stderr>', mode 'w' at 0x7f270e4281e0>, 'wsgi.multiprocess': False, 'HTTP_ACCEPT_LANGUAGE': 'en-US,en;q=0.8', 'HTTP_X_API_ROLE': 'admin', 'HTTP_ACCEPT_ENCODING': 'gzip, deflate, sdch'}}
(Pdb) n
> /usr/lib/python2.7/dist-packages/opserver/opserver.py(410)_impl()
-> if not user_token or not \
(Pdb) p user_token
'd7f9656966bd426789a5509f52fdca81'
(Pdb) n
> /usr/lib/python2.7/dist-packages/opserver/opserver.py(411)_impl()
-> self._vnc_api_client.is_role_cloud_admin(user_token):
(Pdb) p user_token
'd7f9656966bd426789a5509f...