RBAC for analytics needs ownership check

Bug #1728320 reported by Senthilnathan Murugappan
This bug report is a duplicate of: Bug #1728324: Analytics RBAC doesnt work.
This bug affects 1 person
Affects: Juniper Openstack (status tracked in Trunk)

Series   Status   Importance   Assigned to          Milestone
R4.1     New      Critical     Suresh Vinapamula
Trunk    New      Critical     Suresh Vinapamula

Bug Description

A user of Project1 with Read access for VN can list/get all the VNs in the system. We should be restricting the user to read only the VNs under the project to which he is authenticated, along with the shared VNs.
The Config API server does an ownership access check to take care of this, which needs to be done for the analytics API too.

(Pdb) pp connections.project_name
'ctest-TestAnalyticsRbac-57749296'

(Pdb) pp connections.ops_inspect.get_hrefs_to_all_UVEs_of_a_given_UVE_type(uveType='virtual-networks')
ctest-TestAnalyticsRbac-75698482 ctest-TestAnalyticsRbac-75698482 ctest-TestAnalyticsRbac-57749296 http://10.84.7.36:8081/analytics/uves/virtual-networks
[{u'href': u'http://10.84.7.36:8081/analytics/uves/virtual-network/default-domain:default-project:ip-fabric?flat',
  u'name': u'default-domain:default-project:ip-fabric'},
 {u'href': u'http://10.84.7.36:8081/analytics/uves/virtual-network/default-domain:default-project:__link_local__?flat',
  u'name': u'default-domain:default-project:__link_local__'},
 {u'href': u'http://10.84.7.36:8081/analytics/uves/virtual-network/default-domain:default-project:default-virtual-network?flat',
  u'name': u'default-domain:default-project:default-virtual-network'},
 {u'href': u'http://10.84.7.36:8081/analytics/uves/virtual-network/default-domain:admin:right?flat',
  u'name': u'default-domain:admin:right'},
 {u'href': u'http://10.84.7.36:8081/analytics/uves/virtual-network/default-domain:admin:ms-HR-1?flat',
  u'name': u'default-domain:admin:ms-HR-1'},
 {u'href': u'http://10.84.7.36:8081/analytics/uves/virtual-network/default-domain:admin:left?flat',
  u'name': u'default-domain:admin:left'}]
(Pdb)

RBAC rule is virtual-network.* CRUD for tenant-user under tenant ctest-TestAnalyticsRbac-57749296
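
A sketch of the ownership filter the report asks for, applied to a UVE listing like the one above. This is an added example, not code from the reporter or from the Contrail analytics API. It assumes a virtual-network UVE name has the form domain:project:vn and that the caller supplies the set of shared VN names; the function names, the two extra sample entries and the choice of shared VN are hypothetical.

```python
# Added example: ownership filter for an analytics virtual-network UVE listing.
# Assumptions: UVE names are "domain:project:vn"; the shared set is an input.

def owner_of(uve_name):
    """Return (domain, project) for a VN UVE name, or None if malformed."""
    parts = uve_name.split(":")
    if len(parts) != 3 or not all(parts):
        return None
    return parts[0], parts[1]


def filter_uves(uves, domain, project, shared=frozenset(), is_admin=False):
    """Keep only the UVEs the caller's project owns or that are shared with it."""
    if is_admin:
        return list(uves)
    visible = []
    for uve in uves:
        name = uve.get("name", "")
        # Compare parsed components, not a string prefix, so a look-alike
        # project name never matches; malformed names are dropped (fail closed).
        if name in shared or owner_of(name) == (domain, project):
            visible.append(uve)
    return visible


BASE = "http://10.84.7.36:8081/analytics/uves/virtual-network/"
USER_PROJECT = "ctest-TestAnalyticsRbac-57749296"
NAMES = [
    # The six names returned in the report's listing.
    "default-domain:default-project:ip-fabric",
    "default-domain:default-project:__link_local__",
    "default-domain:default-project:default-virtual-network",
    "default-domain:admin:right",
    "default-domain:admin:ms-HR-1",
    "default-domain:admin:left",
    # Constructed entries: a VN owned by the user's project and a look-alike.
    "default-domain:" + USER_PROJECT + ":vn1",
    "default-domain:" + USER_PROJECT + "-x:vn2",
]
SAMPLE = [{"href": BASE + n + "?flat", "name": n} for n in NAMES]

if __name__ == "__main__":
    # Constructed assumption: admin's "left" VN is shared with the tenant.
    shared = {"default-domain:admin:left"}
    for uve in filter_uves(SAMPLE, "default-domain", USER_PROJECT, shared):
        print(uve["name"])
```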

tags: added: blocker releaseblocker
Sundaresan Rajangam (srajanga) wrote :