rbac: VM and VMI objects are created with service_tenant creds

Bug #1531305 reported by Senthilnathan Murugappan
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Juniper Openstack | Status tracked in Trunk | | | |
| R3.0 | Fix Committed | High | Deepinder Setia | |
| R3.1 | Fix Committed | High | Deepinder Setia | |
| R3.2 | Fix Committed | High | Deepinder Setia | |
| Trunk | Fix Committed | High | Deepinder Setia | |

Bug Description

VM and VMI objects are created with service_tenant creds

# curl -uadmin:contrail123 http://127.0.0.1:8095/virtual-machine-interface/c4636547-483b-4061-9698-452bcffff5da | python -m json.tool | grep -5 perms2
        ],
        "name": "c4636547-483b-4061-9698-452bcffff5da",
        "parent_href": "http://127.0.0.1:8095/project/0467fa71-c1f8-424c-931d-369ec9797a02",
        "parent_type": "project",
        "parent_uuid": "0467fa71-c1f8-424c-931d-369ec9797a02",
        "perms2": {
            "global_access": 0,
            "owner": "4972725c87254e03b423a3790e243642",
            "owner_access": 7,
            "share": []
        },
root@a2s41:~/rbac/contrail-test# keystone tenant-get 4972725c87254e03b423a3790e243642
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | |
| enabled | True |
| id | 4972725c87254e03b423a3790e243642 |
| name | service |
+-------------+----------------------------------+
root@a2s41:~/rbac/contrail-test# keystone tenant-get 0467fa71-c1f8-424c-931d-369ec9797a02
No tenant with a name or ID of '0467fa71-c1f8-424c-931d-369ec9797a02' exists.
root@a2s41:~/rbac/contrail-test# keystone tenant-get 0467fa71c1f8424c931d369ec9797a02
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | |
| enabled | True |
| id | 0467fa71c1f8424c931d369ec9797a02 |
| name | project2 |
+-------------+----------------------------------+

Same observed with VM too
root@a2s41:~/rbac/contrail-test# curl -uadmin:contrail123 http://127.0.0.1:8095/virtual-machine/5b2de86f-5ce8-4cc6-9bfc-59dbba05a7d6 | python -m json.tool | grep -5 perms2
                "uuid_lslong": 11239957570263558102,
                "uuid_mslong": 6570162996401163462
            }
        },
        "name": "5b2de86f-5ce8-4cc6-9bfc-59dbba05a7d6",
        "perms2": {
            "global_access": 0,
            "owner": "4972725c87254e03b423a3790e243642",
            "owner_access": 7,
            "share": []
        },

Tags: config rbac
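
An added example (not part of the bug report or the Contrail code base): a check for the condition reported above, comparing each object's perms2.owner with its parent project after normalizing the dashed UUID to the undashed form Keystone accepts. The function names, verdict strings and the single type-key wrapper are assumptions; the sample objects are constructed from the ids in the report.

```python
import uuid

def normalize_id(value):
    """Return the undashed 32-hex form Keystone uses, from either spelling."""
    try:
        return uuid.UUID(value).hex
    except (ValueError, TypeError, AttributeError):
        return None

def audit_owner(resource, service_tenants=()):
    """Classify who owns an API object relative to its parent project.

    resource: decoded JSON for one object, bare or wrapped in a single
    type key such as {"virtual-machine-interface": {...}} (assumed shape).
    service_tenants: tenant ids that should never own user objects.
    """
    obj = resource
    if "perms2" not in obj and len(obj) == 1:
        obj = next(iter(obj.values()))
    owner = normalize_id((obj.get("perms2") or {}).get("owner"))
    if owner is None:
        return "no-owner"
    if obj.get("parent_type") == "project":
        parent = normalize_id(obj.get("parent_uuid"))
        return "ok" if owner == parent else "owner-mismatch"
    # Objects such as virtual-machine have no project parent to compare with,
    # so fall back to the list of known service tenants.
    services = {normalize_id(t) for t in service_tenants}
    return "service-owned" if owner in services else "unverified"

# Constructed samples using the ids from the report above.
SERVICE = ["4972725c87254e03b423a3790e243642"]
VMI = {"virtual-machine-interface": {
    "parent_type": "project",
    "parent_uuid": "0467fa71-c1f8-424c-931d-369ec9797a02",
    "perms2": {"global_access": 0, "owner": SERVICE[0],
               "owner_access": 7, "share": []}}}
VM = {"virtual-machine": {
    "name": "5b2de86f-5ce8-4cc6-9bfc-59dbba05a7d6",
    "perms2": {"global_access": 0, "owner": SERVICE[0],
               "owner_access": 7, "share": []}}}

if __name__ == "__main__":
    print(audit_owner(VMI, SERVICE))
    print(audit_owner(VM, SERVICE))
```
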
Changed in juniperopenstack:
importance: Undecided → High
assignee: nobody → Deepinder Setia (dsetia)
tags: added: config rbac
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/20536
Submitter: Deepinder Setia (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/20536
Committed: http://github.org/Juniper/contrail-controller/commit/638acbd9ddb96e3b9bb73f51ad42bb52cdf8f7a3
Submitter: Zuul
Branch: master

commit 638acbd9ddb96e3b9bb73f51ad42bb52cdf8f7a3
Author: Deepinder Setia <email address hidden>
Date: Tue May 17 13:48:00 2016 -0700

Add chown and chmod API to change ownership and permissions for an object.
Use these API in neutron plugin to explicitly set ownership of various
objects such as port, virtual machine, instance IP and security group to
tenant id of user invoking operation. This is needed because Nova doesn't
pass the actual user token to neutron for these operations.

Fixes-bug: #1531305

Change-Id: I5a0dab384f3e50f69a2d51fa42705b54a9ebcf14

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.0

Review in progress for https://review.opencontrail.org/23337
Submitter: Deepinder Setia (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/23426
Submitter: Deepinder Setia (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/23428
Submitter: Deepinder Setia (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/23428
Committed: http://github.org/Juniper/contrail-controller/commit/800a654be6d8e31455a39af669d25f587baa73b4
Submitter: Zuul
Branch: R3.0

commit 800a654be6d8e31455a39af669d25f587baa73b4
Author: Deepinder Setia <email address hidden>
Date: Tue May 17 13:48:00 2016 -0700

Add chown and chmod API to change ownership and permissions for an object.
Use these API in neutron plugin to explicitly set ownership of various
objects such as port, virtual machine, instance IP and security group to
tenant id of user invoking operation. This is needed because Nova doesn't
pass the actual user token to neutron for these operations.

Fixes-bug: #1531305

Conflicts:
 src/api-lib/vnc_api.py
 src/config/api-server/vnc_cfg_api_server.py
 src/config/utils/rbacutil.py

Change-Id: I582c68802887ea56947d8690cdbf3b435efd2ba1

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/23709
Submitter: Deepinder Setia (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/23709
Committed: http://github.org/Juniper/contrail-controller/commit/fcb99919eac4221430d9d158cb6618bcfe39edc8
Submitter: Zuul
Branch: master

commit fcb99919eac4221430d9d158cb6618bcfe39edc8
Author: Deepinder Setia <email address hidden>
Date: Tue May 17 13:48:00 2016 -0700

Add chown and chmod API to change ownership and permissions for an object.
Use these API in neutron plugin to explicitly set ownership of various
objects such as port, virtual machine, instance IP and security group to
tenant id of user invoking operation. This is needed because Nova doesn't
pass the actual user token to neutron for these operations.

Fixes-bug: #1531305

Change-Id: I582c68802887ea56947d8690cdbf3b435efd2ba1
