Analytics RBAC doesn't work

Bug #1728324 reported by Senthilnathan Murugappan
Affects             Status                    Importance   Assigned to         Milestone
Juniper Openstack   Status tracked in Trunk
  R4.1              Fix Committed             Critical     Suresh Vinapamula
  Trunk             Fix Committed             Critical     Suresh Vinapamula

Bug Description

With RBAC enabled, an object (virtual-network) access should go through the RBAC ACL check of whether a role can access a particular object, which doesn't seem to happen with analytics.

1) Created a user msenthil and gave it the _member_ role on the admin tenant.
2) Listing the VN UVEs lists all the VN objects in the cluster, whereas the user doesn't have any rights to read any object in the cluster, since no RBAC ACLs were configured.

root@a2s36:~# keystone --os-username msenthil token-get
+-----------+----------------------------------+
| Property | Value |
+-----------+----------------------------------+
| expires | 2017-10-29T01:31:00Z |
| id | fabb27d2ef7942a4a8ef005b393f9425 |
| tenant_id | c38c502d342e4e3d8a820dc05550ac76 |
| user_id | acfe9d0870264c93a0ca669469f0e33c |
+-----------+----------------------------------+
root@a2s36:~# curl -H 'X-Auth-Token: fabb27d2ef7942a4a8ef005b393f9425' http://127.0.0.1:8081/analytics/uves/virtual-networks
[{"href": "http://127.0.0.1:8081/analytics/uves/virtual-network/default-domain:default-project:ip-fabric?flat", "name": "default-domain:default-project:ip-fabric"}, {"href": "http://127.0.0.1:8081/analytics/uves/virtual-network/default-domain:default-project:__link_local__?flat", "name": "default-domain:default-project:__link_local__"}, {"href": "http://127.0.0.1:8081/analytics/uves/virtual-network/default-domain:default-project:default-virtual-network?flat", "name": "default-domain:default-project:default-virtual-network"}, {"href": "http://127.0.0.1:8081/analytics/uves/virtual-network/default-domain:ctest-TestRbac2-78562091:ctest-TestRbac2-78562091-38457347?flat", "name": "default-domain:ctest-TestRbac2-78562091:ctest-TestRbac2-78562091-38457347"}, {"href": "http://127.0.0.1:8081/analytics/uves/virtual-network/default-domain:admin:right?flat", "name": "default-domain:admin:right"}, {"href": "http://127.0.0.1:8081/analytics/uves/virtual-network/default-domain:admin:ms-HR-1?flat", "name": "default-domain:admin:ms-HR-1"}, {"href": "http://127.0.0.1:8081/analytics/uves/virtual-network/default-domain:admin:left?flat", "name": "default-domain:admin:left"}]root@a2s36:~#

root@a2s36(analytics):/# cat /etc/contrail/contrail-analytics-api.conf | grep aaa_mode
aaa_mode = rbac

root@a2s36:~# curl -H 'X-Auth-Token: 8e8c746eb51f46a0b6e12550e66468a3' http://127.0.0.1:8082/aaa-mode
{"aaa-mode": "rbac"}

root@a2s36:~# curl -H 'X-Auth-Token: 8e8c746eb51f46a0b6e12550e66468a3' http://127.0.0.1:8082/api-access-lists
{"api-access-lists": [{"href": "http://127.0.0.1:8082/api-access-list/7aaa473c-9ace-4b56-af7e-1b25e7a0cbb7", "fq_name": ["default-global-system-config", "default-api-access-list"], "uuid": "7aaa473c-9ace-4b56-af7e-1b25e7a0cbb7"}]}

root@a2s36:~# curl -s -H 'X-Auth-Token: 8e8c746eb51f46a0b6e12550e66468a3' http://127.0.0.1:8082/api-access-list/7aaa473c-9ace-4b56-af7e-1b25e7a0cbb7 | python -mjson.tool | grep -A60 rbac_rule
            "rbac_rule": [
                {
                    "rule_field": "",
                    "rule_object": "fqname-to-id",
                    "rule_perms": [
                        {
                            "role_crud": "CRUD",
                            "role_name": "*"
                        }
                    ]
                },
                {
                    "rule_field": "",
                    "rule_object": "id-to-fqname",
                    "rule_perms": [
                        {
                            "role_crud": "CRUD",
                            "role_name": "*"
                        }
                    ]
                },
                {
                    "rule_field": "",
                    "rule_object": "useragent-kv",
                    "rule_perms": [
                        {
                            "role_crud": "CRUD",
                            "role_name": "*"
                        }
                    ]
                },
                {
                    "rule_field": "",
                    "rule_object": "documentation",
                    "rule_perms": [
                        {
                            "role_crud": "R",
                            "role_name": "*"
                        }
                    ]
                },
                {
                    "rule_field": "",
                    "rule_object": "/",
                    "rule_perms": [
                        {
                            "role_crud": "R",
                            "role_name": "*"
                        }
                    ]
                }
            ]
        },
        "fq_name": [
            "default-global-system-config",
            "default-api-access-list"
        ],
        "href": "http://127.0.0.1:8082/api-access-list/7aaa473c-9ace-4b56-af7e-1b25e7a0cbb7",

Revision history for this message
Sundaresan Rajangam (srajanga) wrote :

contrail-analytics-api calls VncApi.resource_list() with the user_token to get the list of objects the user has access to. VncApi.resource_list() returns all the objects irrespective of whether the token is valid or has an RBAC ACL configured for the role.
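
The comment above pins the bug on which identity the backend authenticates. The example below is added here as an illustration and is not OpenContrail project code: it models an analytics-style "list VN UVEs" endpoint in front of a config-API-style backend that validates the token, applies an api-access-list shaped like the rbac_rule entries in the report, and then applies object-level (owner-tenant) permissions. `list_vn_uves_buggy` queries the backend with the service's own privileged token, so the caller's token is never checked and every object comes back; `list_vn_uves_fixed` forwards the caller's X-Auth-Token, so token validity, RBAC rules and object permissions all apply to the caller. All tokens, tenants, rules and object names are constructed, and `TOKENS`, `resource_list` and the owner-tenant model are stand-ins, not the real VncApi or Keystone behaviour.

```python
"""Added example (not OpenContrail project code): a miniature of the
authorization pattern this bug is about. Tokens, tenants, ACL rules and
objects below are constructed for illustration."""
from dataclasses import dataclass


class Unauthorized(Exception):
    """Raised when a token is unknown (stand-in for a 401 from the backend)."""


@dataclass(frozen=True)
class Principal:
    user: str
    tenant: str
    roles: frozenset


# Constructed token table (stand-in for Keystone token validation).
TOKENS = {
    "svc-token-hypothetical": Principal("analytics-svc", "service", frozenset({"admin"})),
    "user-token-hypothetical": Principal("msenthil", "admin-tenant", frozenset({"_member_"})),
}

# Constructed api-access-list, shaped like the rbac_rule entries in the bug
# report: object type -> which roles may Create/Read/Update/Delete it.
API_ACCESS_LIST = [
    {"rule_object": "virtual-network",
     "rule_perms": [{"role_name": "admin", "role_crud": "CRUD"},
                    {"role_name": "_member_", "role_crud": "R"}]},
    {"rule_object": "documentation",
     "rule_perms": [{"role_name": "*", "role_crud": "R"}]},
]

# Constructed objects, each with an owner tenant (stand-in for object-level
# permissions; a non-admin sees only its own tenant's objects here).
VIRTUAL_NETWORKS = [
    {"fq_name": "default-domain:default-project:ip-fabric", "owner": "default-project"},
    {"fq_name": "default-domain:default-project:__link_local__", "owner": "default-project"},
    {"fq_name": "default-domain:admin:left", "owner": "admin-tenant"},
    {"fq_name": "default-domain:admin:right", "owner": "admin-tenant"},
]


def role_may(obj_type, roles, op, acl=API_ACCESS_LIST):
    """API-level RBAC: does any rule for obj_type grant `op` to one of `roles`?"""
    for rule in acl:
        if rule["rule_object"] not in (obj_type, "*"):
            continue
        for perm in rule["rule_perms"]:
            if perm["role_name"] in ("*", *roles) and op in perm["role_crud"]:
                return True
    return False


def resource_list(obj_type, token):
    """Config-API stand-in: authenticate the token, apply the API access
    list, then apply object-level permissions (owner tenant, or admin)."""
    principal = TOKENS.get(token)
    if principal is None:
        raise Unauthorized("invalid or expired token")
    if not role_may(obj_type, principal.roles, "R"):
        return []
    if "admin" in principal.roles:
        return [vn["fq_name"] for vn in VIRTUAL_NETWORKS]
    return [vn["fq_name"] for vn in VIRTUAL_NETWORKS if vn["owner"] == principal.tenant]


SERVICE_TOKEN = "svc-token-hypothetical"


def list_vn_uves_buggy(user_token):
    """The pattern this bug describes: the caller's token is accepted but
    never forwarded, so the backend answers for the privileged service
    identity and the caller sees every object, even with a bogus token."""
    return resource_list("virtual-network", SERVICE_TOKEN)


def list_vn_uves_fixed(user_token):
    """The fix: the caller's X-Auth-Token is what the backend authenticates,
    so token validity, RBAC rules and object-level perms apply to the caller."""
    return resource_list("virtual-network", user_token)


if __name__ == "__main__":
    print("buggy, user token :", list_vn_uves_buggy("user-token-hypothetical"))
    print("buggy, bogus token:", list_vn_uves_buggy("not-a-token"))
    print("fixed, user token :", list_vn_uves_fixed("user-token-hypothetical"))
    try:
        list_vn_uves_fixed("not-a-token")
    except Unauthorized as exc:
        print("fixed, bogus token: rejected:", exc)
```

Running the module shows the symptom from the report in miniature: the buggy path returns all four networks for the `_member_` user and even for a made-up token, while the fixed path returns only the two objects the caller's tenant owns and rejects the made-up token. The design point is that a service fronting another authorization-enforcing API must pass the caller's credential through rather than substitute its own; otherwise every RBAC rule on the backend is silently bypassed for read paths like this one.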

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.1

Review in progress for https://review.opencontrail.org/37080
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/37111
Submitter: Suresh Vinapamula (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/37111
Committed: http://github.com/Juniper/contrail-controller/commit/bb255711dd6e955fde3a07f3d60122f0072be1cc
Submitter: Zuul (<email address hidden>)
Branch: master

commit bb255711dd6e955fde3a07f3d60122f0072be1cc
Author: Suresh Venkata <email address hidden>
Date: Wed Nov 1 18:39:24 2017 -0700

user token should be the x auth token

Description: user token, if passed, should be used for authentication.
This will force the request to be subjected to rbac api rules
and also to object level permissions.

Change-Id: I89d339f1da289a383591eb5f162c3549bc001a98
Closes-Bug: #1728324

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/37080
Committed: http://github.com/Juniper/contrail-controller/commit/ad8c9ee382585ea92fc1b3d327af3d54742a3727
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit ad8c9ee382585ea92fc1b3d327af3d54742a3727
Author: Suresh Venkata <email address hidden>
Date: Wed Nov 1 18:39:24 2017 -0700

user token should be the x auth token

Description: user token, if passed, should be used for authentication.
This will force the request to be subjected to rbac api rules
and also to object level permissions.

Change-Id: I89d339f1da289a383591eb5f162c3549bc001a98
Closes-Bug: #1728324
