rbac: fails to match if the user has multiple roles in the project

Bug #1731365 reported by Senthilnathan Murugappan
Affects: Juniper Openstack (status tracked in Trunk)

Series  Status         Importance  Assigned to        Milestone
R4.0    Fix Committed  Undecided   Suresh Vinapamula
R4.1    Fix Committed  Undecided   Suresh Vinapamula
Trunk   Fix Committed  Undecided   Suresh Vinapamula

Bug Description

The user user1 has roles role1 and role2 in a project, and the ACL rule is to allow VN.* R for role1; in this case the user was not able to read the VirtualNetwork.

root@server1:~# curl -H 'X-Auth-Token: 8819ad075eb64b3d987a09002d52ad88' http://10.87.120.27:8082/virtual-network/0c33ad6a-e7ad-445b-a42b-de8d63f152e9
Permission Denied for ctest-TestRbac2-17105820 as [u'ctest-TestRbac2-45926379', u'ctest-TestRbac2-07633932'] to R virtual-network in ctest-TestRbac2-65129404

root@server1:~#

Role List:

+----------------------------------+--------------------------+----------------------------------+----------------------------------+
| id                               | name                     | user_id                          | tenant_id                        |
+----------------------------------+--------------------------+----------------------------------+----------------------------------+
| e606f07163144df6b03ad9c78553f36d | ctest-TestRbac2-07633932 | f5d51329795f4481b63221df72937b2a | 5bfd284604e84e6d936c0daa66839019 |
| 3df14c76dc0a41c99dda7a45ef4f2dde | ctest-TestRbac2-45926379 | f5d51329795f4481b63221df72937b2a | 5bfd284604e84e6d936c0daa66839019 |
+----------------------------------+--------------------------+----------------------------------+----------------------------------+

    "api-access-list": {
        "api_access_list_entries": {
            "rbac_rule": [
                {
                    "rule_field": null,
                    "rule_object": "virtual-network",
                    "rule_perms": [
                        {
                            "role_crud": "R",
                            "role_name": "ctest-TestRbac2-07633932"
                        }
                    ]
                }
            ]
        },
        "display_name": "default-api-access-list",
        "fq_name": [
            "default-domain",
            "default-api-access-list"
        ],

DEBUG:contrail-api:__default__ [SYS_DEBUG]: VncApiDebug: rbac: u=ctest-TestRbac2-17105820, r=[u'ctest-TestRbac2-45926379', u'ctest-TestRbac2-07633932'], o=virtual-network, op=R, rules=10, proj:5bfd284604e84e6d936c0daa66839019(ctest-TestRbac2-65129404), dom:None
WARNING:contrail-api:__default__ [SYS_NOTICE]: VncApiNotice: rbac: No interested rules!!

Tags: blocker rbac
OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.1

Review in progress for https://review.opencontrail.org/37422
Submitter: Suresh Vinapamula (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/37423
Submitter: Suresh Vinapamula (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/37424
Submitter: Suresh Vinapamula (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/37422
Committed: http://github.com/Juniper/contrail-controller/commit/1d372d46e6d8838b7ed61c06e43f65c78d53da4c
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit 1d372d46e6d8838b7ed61c06e43f65c78d53da4c
Author: Suresh Venkata <email address hidden>
Date: Fri Nov 10 17:50:39 2017 -0800

list element was deleted, while list is traversed

Description: rule in the rule_list is deleted while rule_list
is traversed.

Change-Id: Ifb15e07b2d11a9624c9556d2f066f83c95ea6975
Closes-Bug: #1731365

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/37423
Committed: http://github.com/Juniper/contrail-controller/commit/2da8661d295cd535c6c227381e2eea871cfe1d69
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit 2da8661d295cd535c6c227381e2eea871cfe1d69
Author: Suresh Venkata <email address hidden>
Date: Fri Nov 10 17:50:39 2017 -0800

list element was deleted, while list is traversed

Description: rule in the rule_list is deleted while rule_list
is traversed.

Change-Id: Ifb15e07b2d11a9624c9556d2f066f83c95ea6975
Closes-Bug: #1731365

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/37424
Committed: http://github.com/Juniper/contrail-controller/commit/3ccba2b9c60aca3d387035c78bf249b8fc500edc
Submitter: Zuul (<email address hidden>)
Branch: master

commit 3ccba2b9c60aca3d387035c78bf249b8fc500edc
Author: Suresh Venkata <email address hidden>
Date: Fri Nov 10 17:50:39 2017 -0800

list element was deleted, while list is traversed

Description: rule in the rule_list is deleted while rule_list
is traversed.

Change-Id: Ifb15e07b2d11a9624c9556d2f066f83c95ea6975
Closes-Bug: #1731365
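
Added illustration (not the contrail-controller code and not part of the original report): a simplified model of the bug class named in the commit message, where deleting from rule_list during traversal makes the loop skip the next rule, so a permission for one of the user's roles is silently lost and the request is denied. The helper names, the `snapshot` flag and the sample rules are hypothetical; only the rbac_rule field names come from the report, and iterating over a copy is one common fix, not necessarily the one that was committed.

```python
import copy

# Constructed sample in the report's rbac_rule shape; role names are placeholders.
RULES = [
    {"rule_object": "virtual-network", "rule_field": None,
     "rule_perms": [{"role_name": "admin", "role_crud": "CRUD"}]},
    {"rule_object": "virtual-network", "rule_field": None,
     "rule_perms": [{"role_name": "role2", "role_crud": "C"}]},
    {"rule_object": "virtual-network", "rule_field": None,
     "rule_perms": [{"role_name": "role1", "role_crud": "R"}]},
]


def merge_rules(rule_list, snapshot):
    """Hypothetical helper: fold rules with the same object/field into one.

    snapshot=False mutates rule_list while iterating over it (the hazard);
    snapshot=True iterates over a copy, so every rule is visited.
    """
    rule_list = copy.deepcopy(rule_list)   # keep the caller's data untouched
    merged = {}
    for rule in (list(rule_list) if snapshot else rule_list):
        key = (rule["rule_object"], rule["rule_field"])
        if key in merged:
            merged[key]["rule_perms"].extend(rule["rule_perms"])
            # Removing here shifts later elements left; without a snapshot
            # the iterator's index then steps over the following rule.
            rule_list.remove(rule)
        else:
            merged[key] = rule
    return list(merged.values())


def is_allowed(user_roles, obj_type, op, rules):
    """Allow if any rule for obj_type grants op to any of the user's roles."""
    for rule in rules:
        if rule["rule_object"] not in (obj_type, "*"):
            continue
        for perm in rule["rule_perms"]:
            if perm["role_name"] in user_roles and op in perm["role_crud"]:
                return True
    return False


if __name__ == "__main__":
    roles = ["role1", "role2"]   # user holds two roles, as in the report
    for snap in (False, True):
        ok = is_allowed(roles, "virtual-network", "R", merge_rules(RULES, snap))
        print("snapshot=%s -> %s" % (snap, "allowed" if ok else "denied"))
```

A regression test for this class of bug should place the granting rule immediately after a rule that gets removed, since only that position is skipped.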
