exception traceback returned on the storage pools API
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Shared File Systems Service (Manila) | Fix Released | Low | Goutham Pacha Ravi | | |
Bug Description
Description
===========
The storage pool statistics APIs:
GET /scheduler-
and
GET /scheduler-
enforce RBAC policies and return HTTP 403 if the user was denied access to the resource. However, the policy enforcement is done in two places currently: the API (example [1]) and the database [2]. The database check is redundant and has been highlighted in bug #1917504 [3]. When a user that has access via the API RBAC check in [1] fails an RBAC check in [2], the exception returned isn't being handled in the API code; it is being returned to the caller.
Steps to reproduce
==================
* This bug can be reproduced with this change: https:/
* To reproduce this with existing code and a regular user, you can toggle the policy for the scheduler-stats API (scheduler_
* But if you're using a system reader persona, the steps are as follows:
a) Create a system user account and a corresponding profile for the user within /etc/openstack/
$ export OS_CLOUD=
$ openstack user create --or-show my-system-reader --password PASSWORD
$ openstack role add reader --user my-system-reader --system all
my-system-reader:
  auth:
    auth_url: http://
    password: PASSWORD
    system_scope: all
    username: devstack-
  identity_
  region_name: RegionOne
b) MANILA_
c) export OS_CLOUD=
d) TOKEN=$(openstack token issue -f value -c id)
e) curl -i -X GET $MANILA_
Expected result
===============
HTTP 200 or HTTP 403 without any python traceback
Actual result
=============
HTTP/1.1 403 Forbidden
Date: Tue, 02 Mar 2021 19:24:22 GMT
Server: Apache/2.4.29 (Ubuntu)
X-OpenStack-
Vary: X-OpenStack-
Content-Length: 1662
Content-Type: application/json
x-compute-
Connection: close
{"forbidden": {"code": 403, "message": "User does not have admin privileges.
[1] https:/
[2] https:/
[3] https:/
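The double check described in this report, as an added example that is not Manila's code and not part of the original report: a simplified model in which a caller passes the API-layer policy but is denied by the database layer. All names (`pools_leaky`, `pools_fixed`, `db_pool_stats`, `AdminRequired`, the context dictionary) are assumptions for illustration; `leaks_traceback` is a regression check for the reported behaviour.

```python
import json
import traceback

class AdminRequired(Exception):
    """Hypothetical stand-in for the database layer's authorization error."""
    message = "User does not have admin privileges."

def api_policy_allows(context):
    # First check, in the API layer ([1] in the report); a reader passes it.
    return "reader" in context.get("roles", [])

def db_pool_stats(context):
    # Second, redundant check in the database layer ([2] in the report).
    if not context.get("is_admin"):
        raise AdminRequired(AdminRequired.message)
    return [{"name": "pool-a"}]  # constructed sample data

def forbidden(message):
    return 403, json.dumps({"forbidden": {"code": 403, "message": message}})

def pools_leaky(context):
    """Models the report: the DB-layer exception is not handled by the API."""
    if not api_policy_allows(context):
        return forbidden("Policy does not allow this action.")
    try:
        return 200, json.dumps({"pools": db_pool_stats(context)})
    except Exception:
        # Generic fault path that serializes the whole traceback to the caller.
        return forbidden(traceback.format_exc())

def pools_fixed(context):
    """One way to handle it: catch the denial, return a fixed 403 message."""
    if not api_policy_allows(context):
        return forbidden("Policy does not allow this action.")
    try:
        return 200, json.dumps({"pools": db_pool_stats(context)})
    except AdminRequired as exc:
        return forbidden(exc.message)

def leaks_traceback(body):
    """Regression check: does a 403 body carry Python traceback markers?"""
    message = json.loads(body)["forbidden"]["message"]
    return "Traceback (most recent call last)" in message or 'File "' in message

if __name__ == "__main__":
    reader = {"roles": ["reader"], "is_admin": False}  # constructed persona
    for handler in (pools_leaky, pools_fixed):
        status, body = handler(reader)
        print(handler.__name__, status, "leaks:", leaks_traceback(body))
```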
tags: added: wallaby-rc-bugsquash
Changed in manila:
milestone: wallaby-3 → wallaby-rc1
Changed in manila:
status: In Progress → Fix Released
Fix proposed to master: https://review.opendev.org/c/openstack/manila/+/778341
Fix traceback in scheduler-stats API
https:/