Incorrect permissions on __no_rule__ security group

Bug #1590790 reported by Adam Tengler
Affects             Status                    Importance   Assigned to       Milestone
Juniper Openstack   Status tracked in Trunk
  R3.2              Fix Committed             Undecided    Édouard Thuleau
  Trunk             Fix Committed             Undecided    Édouard Thuleau
OpenContrail        Fix Committed             Undecided    Édouard Thuleau

Bug Description

When we tried to create a new port through the neutron client with the --no-security-groups flag, we got Internal Server Error as the response to our request; the following error showed up in /var/log/contrail/contrail-api.log:

global RefsExistError = <class 'cfgm_common.exceptions.RefsExistError'>
content = u"['default-domain', 'default-project', '__no_ru... with uuid: 09e7b601-ddfc-44fd-9f7d-c806c7a7220a"
<class 'cfgm_common.exceptions.RefsExistError'>: ['default-domain', 'default-project', '__no_rule__'] already exists with uuid: 09e7b601-ddfc-44fd-9f7d-c806c7a7220a
    __class__ = <class 'cfgm_common.exceptions.RefsExistError'>
    __delattr__ = <method-wrapper '__delattr__' of RefsExistError object>
    __dict__ = {}
    __doc__ = None
    __format__ = <built-in method __format__ of RefsExistError object>
    __getattribute__ = <method-wrapper '__getattribute__' of RefsExistError object>
    __getitem__ = <method-wrapper '__getitem__' of RefsExistError object>
    __getslice__ = <method-wrapper '__getslice__' of RefsExistError object>
    __hash__ = <method-wrapper '__hash__' of RefsExistError object>
    __init__ = <method-wrapper '__init__' of RefsExistError object>
    __module__ = 'cfgm_common.exceptions'
    __new__ = <built-in method __new__ of type object>
    __reduce__ = <built-in method __reduce__ of RefsExistError object>
    __reduce_ex__ = <built-in method __reduce_ex__ of RefsExistError object>
    __repr__ = <method-wrapper '__repr__' of RefsExistError object>
    __setattr__ = <method-wrapper '__setattr__' of RefsExistError object>
    __setstate__ = <built-in method __setstate__ of RefsExistError object>
    __sizeof__ = <built-in method __sizeof__ of RefsExistError object>
    __str__ = <method-wrapper '__str__' of RefsExistError object>
    __subclasshook__ = <built-in method __subclasshook__ of type object>
    __unicode__ = <built-in method __unicode__ of RefsExistError object>
    __weakref__ = None
    args = (u"['default-domain', 'default-project', '__no_ru... with uuid: 09e7b601-ddfc-44fd-9f7d-c806c7a7220a",)
    message = u"['default-domain', 'default-project', '__no_ru... with uuid: 09e7b601-ddfc-44fd-9f7d-c806c7a7220a"

The above is a description of an error in a Python program. Here is
the original traceback:

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/vnc_openstack/__init__.py", line 964, in handler_trap_exception
    response = handler(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/vnc_openstack/neutron_plugin_interface.py", line 469, in plugin_http_post_port
    return self.plugin_create_port(context, port)
  File "/usr/lib/python2.7/dist-packages/vnc_openstack/neutron_plugin_interface.py", line 395, in plugin_create_port
    net_info = cfgdb.port_create(context, port['resource'])
  File "/usr/lib/python2.7/dist-packages/vnc_openstack/neutron_plugin_db.py", line 2220, in wrapper
    return func(self, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/vnc_openstack/neutron_plugin_db.py", line 3572, in port_create
    port_obj = self._port_neutron_to_vnc(port_q, net_obj, CREATE)
  File "/usr/lib/python2.7/dist-packages/vnc_openstack/neutron_plugin_db.py", line 1786, in _port_neutron_to_vnc
    sg_obj = self._get_no_rule_security_group()
  File "/usr/lib/python2.7/dist-packages/vnc_openstack/neutron_plugin_db.py", line 1734, in _get_no_rule_security_group
    sg_obj = self._create_no_rule_sg()
  File "/usr/lib/python2.7/dist-packages/vnc_openstack/neutron_plugin_db.py", line 1726, in _create_no_rule_sg
    sg_uuid = self._vnc_lib.security_group_create(sg_obj)
  File "/usr/lib/python2.7/dist-packages/vnc_api/gen/vnc_api_client_gen.py", line 4036, in security_group_create
    data = json_body)
  File "/usr/lib/python2.7/dist-packages/vnc_api/vnc_api.py", line 497, in _request_server
    retry_count=retry_count)
  File "/usr/lib/python2.7/dist-packages/vnc_api/vnc_api.py", line 542, in _request
    raise RefsExistError(content)
RefsExistError: ['default-domain', 'default-project', '__no_rule__'] already exists with uuid: 09e7b601-ddfc-44fd-9f7d-c806c7a7220a

After some investigation we found out that there is a __no_rule__ security group already present in the default OpenContrail tenant, but only user admin with role admin can use it. Also, every time we manually deleted the __no_rule__ security group, port create with the --no-security-groups flag succeeded once, no matter which user called the command, but failed again when called a second time. After this group is created, only user admin can work with it. It seems that no matter which user creates the __no_rule__ security group, it has permissions set to user admin, group admin.

Steps to reproduce this bug:

1. Source RC file for any user other than user admin
2. neutron port-create --no-security-groups NET_ID
3. neutron port-create --no-security-groups NET_ID

It may succeed the first time, when the __no_rule__ security group is newly created, but it will always fail the next time.

Host OS: Ubuntu 14.04
OpenStack distribution: Kilo
OpenContrail version: 2.21
neutron plugin: v2

Adam Tengler (atengler)
description: updated
Changed in juniperopenstack:
assignee: nobody → Sachin Bansal (sbansal)
tags: added: config
Changed in juniperopenstack:
importance: Undecided → High
Jakub Pavlik (pavlk-jakub) wrote :

The workaround is to disable auth for contrail-api in /etc/contrail/contrail-api.conf:

multi_tenancy=False

Then other users can see the __no_rule__ security group.

Édouard Thuleau (ethuleau) wrote :

Not reproduced on the master branch (d8a807096d20aaa68b581724dd2d6b45151425d4). Trying on R2.22.x branch.
But that reveals a bug in the v3 plugin.

Sachin Bansal (sbansal)
Changed in juniperopenstack:
assignee: Sachin Bansal (sbansal) → Édouard Thuleau (ethuleau)
Changed in opencontrail:
assignee: nobody → Édouard Thuleau (ethuleau)
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/30210
Submitter: Édouard Thuleau (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/30210
Committed: http://github.org/Juniper/contrail-controller/commit/15a833be0ddc91508a02a2dd27e57dbd44da6bc2
Submitter: Zuul (<email address hidden>)
Branch: master

commit 15a833be0ddc91508a02a2dd27e57dbd44da6bc2
Author: Édouard Thuleau <email address hidden>
Date: Thu Apr 6 17:20:44 2017 +0200

[VNC config] User role should be case insensitive

Don't care about the case sensitivity of the user role.

Change-Id: I077e45ca722761077699850d4b31143f60fb9b52
Closes-Bug: #1590790

Sachin Bansal (sbansal)
Changed in opencontrail:
status: New → Fix Committed
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/30850
Submitter: Édouard Thuleau (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/30850
Committed: http://github.com/Juniper/contrail-controller/commit/55a9aff620f3a772b560af678206c1fc8cccca19
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit 55a9aff620f3a772b560af678206c1fc8cccca19
Author: Édouard Thuleau <email address hidden>
Date: Thu Apr 6 17:20:44 2017 +0200

[VNC config] User role should be case insensitive

Don't care about the case sensitivity of the user role.

Change-Id: I077e45ca722761077699850d4b31143f60fb9b52
Closes-Bug: #1590790
(cherry picked from commit 15a833be0ddc91508a02a2dd27e57dbd44da6bc2)
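
The get-or-create path shown in the traceback above and the role comparison addressed by the merged commit, as an added example that is not Contrail/Juniper code: a toy API server with per-object owner permissions and an admin-role check, plus a plugin-side get-or-create for the __no_rule__ group. The class names, the `case_insensitive_roles` switch, the `port_create_twice` helper and the sample user "alice" with role "Admin" are assumptions made for illustration.

```python
# Added example, not code from Contrail: a toy model of the failure mode in
# this bug. The buggy API server compares roles case-sensitively, so a user
# whose Keystone role is spelled "Admin" is not treated as admin, cannot read
# the admin-owned __no_rule__ group, and the plugin's get-or-create then tries
# to create it again and hits RefsExistError. All names here are hypothetical.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ADMIN_ROLE = "admin"


class RefsExistError(Exception):
    """Raised when creating an object whose fq_name already exists."""


@dataclass
class SecurityGroup:
    fq_name: Tuple[str, ...]
    owner: str            # owner user, as stored by the API server
    owner_group: str      # owner group
    world_readable: bool = False


class ToyApiServer:
    """Stand-in for the config API: owner perms plus an admin-role check."""

    def __init__(self, case_insensitive_roles: bool):
        self.case_insensitive_roles = case_insensitive_roles
        self.objects: Dict[Tuple[str, ...], SecurityGroup] = {}

    def _has_admin_role(self, roles: List[str]) -> bool:
        if self.case_insensitive_roles:
            # Fixed behaviour: "Admin", "ADMIN" and "admin" all match.
            return any(r.lower() == ADMIN_ROLE for r in roles)
        # Buggy behaviour: exact string match only.
        return ADMIN_ROLE in roles

    def security_group_create(self, fq_name, user, roles) -> SecurityGroup:
        if fq_name in self.objects:
            raise RefsExistError("%s already exists" % list(fq_name))
        # Mirrors the report: the group ends up owned by user admin, group admin
        # regardless of who created it.
        self.objects[fq_name] = SecurityGroup(fq_name, owner="admin", owner_group="admin")
        return self.objects[fq_name]

    def security_group_read(self, fq_name, user, roles) -> Optional[SecurityGroup]:
        obj = self.objects.get(fq_name)
        if obj is None:
            return None
        if obj.world_readable or obj.owner == user or self._has_admin_role(roles):
            return obj
        # Multi-tenancy filtering hides objects the caller may not read, so a
        # permission failure is indistinguishable from "does not exist" here.
        return None


class ToyNeutronPlugin:
    """Stand-in for the plugin's _get_no_rule_security_group get-or-create."""
    NO_RULE_FQ_NAME = ("default-domain", "default-project", "__no_rule__")

    def __init__(self, api: ToyApiServer):
        self.api = api

    def get_no_rule_security_group(self, user, roles) -> SecurityGroup:
        sg = self.api.security_group_read(self.NO_RULE_FQ_NAME, user, roles)
        if sg is None:
            # "Not visible" is taken as "missing": try to create it.
            sg = self.api.security_group_create(self.NO_RULE_FQ_NAME, user, roles)
        return sg


def port_create_twice(case_insensitive_roles: bool, user: str, roles: List[str]) -> Tuple[str, str]:
    """Runs the get-or-create twice for one user, mimicking steps 2 and 3 of the
    reproduction, and reports 'ok' or 'RefsExistError' for each call."""
    plugin = ToyNeutronPlugin(ToyApiServer(case_insensitive_roles))
    results = []
    for _ in range(2):
        try:
            plugin.get_no_rule_security_group(user, roles)
            results.append("ok")
        except RefsExistError:
            results.append("RefsExistError")
    return results[0], results[1]


if __name__ == "__main__":
    # Constructed scenario: a user whose role is spelled "Admin", not "admin".
    print(port_create_twice(False, "alice", ["Admin"]))  # ('ok', 'RefsExistError')
    print(port_create_twice(True, "alice", ["Admin"]))   # ('ok', 'ok')
    print(port_create_twice(False, "admin", ["admin"]))  # ('ok', 'ok')
```

Two points worth noticing for anyone auditing similar code: a read filtered by tenancy permissions returns the same result as a read of a missing object, so a get-or-create built on that read will reach the create path and fail on the duplicate, which is exactly what the traceback shows; and the workaround earlier in the thread (multi_tenancy=False) makes the group visible by switching off that filtering for every object, whereas the merged change only corrects the role comparison.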

tags: added: dt