exception traceback returned on the storage pools API

Bug #1917520 reported by Goutham Pacha Ravi
Affects: OpenStack Shared File Systems Service (Manila)
Status: Fix Released
Importance: Low
Assigned to: Goutham Pacha Ravi

Bug Description

Description
===========

The storage pool statistics APIs:

    GET /scheduler-stats/pools

and

    GET /scheduler-stats/pools/detail

enforce RBAC policies and return HTTP 403 if the user was denied access to the resource. However, the policy enforcement is currently done in two places: the API (example [1]) and the database [2]. The database check is redundant and has been highlighted in bug #1917504 [3]. When a user that passes the API RBAC check in [1] fails the RBAC check in [2], the exception raised isn't being handled in the API code; it is being returned to the caller.

Steps to reproduce
==================

* This bug can be reproduced with this change: https://review.opendev.org/c/openstack/manila/+/763445/ using a system reader persona
* To reproduce this with existing code and a regular user, you can toggle the policy for the scheduler-stats API (scheduler_stats:pools:index or scheduler_stats:pools:detail) in your policy.yaml file and allow the user access to this API
* But if you're using a system reader persona, the steps are as follows:

a) Create a system user account and a corresponding profile for the user within /etc/openstack/clouds.yaml, example:

  $ export OS_CLOUD=devstack-system-admin
  $ openstack user create --or-show my-system-reader --password PASSWORD
  $ openstack role add reader --user my-system-reader --system all

  # /etc/openstack/clouds.yaml
  clouds:
    my-system-reader:
      auth:
        auth_url: http://CONTROLLER_IP_ADDRESS/identity
        password: PASSWORD
        system_scope: all
        username: my-system-reader   # must match the user created above
      identity_api_version: '3'
      region_name: RegionOne

b) MANILA_URL=$(openstack catalog show manilav2 -c endpoints -f json | jq -r .endpoints[0].url)
c) export OS_CLOUD=my-system-reader
d) TOKEN=$(openstack token issue -f value -c id)
e) curl -i -X GET $MANILA_URL/scheduler-stats/pools -H "X-OpenStack-Manila-API-Version: 2.10" -H "Content-Type: application/json" -H "X-Auth-Token: $TOKEN"

Expected result
===============
HTTP 200 or HTTP 403 without any python traceback

Actual result
=============

HTTP/1.1 403 Forbidden
Date: Tue, 02 Mar 2021 19:24:22 GMT
Server: Apache/2.4.29 (Ubuntu)
X-OpenStack-Manila-API-Version: 2.10
Vary: X-OpenStack-Manila-API-Version
Content-Length: 1662
Content-Type: application/json
x-compute-request-id: req-985dd7d9-0632-49a7-b5fa-f284d570b74d
Connection: close

{"forbidden": {"code": 403, "message": "User does not have admin privileges.\nTraceback (most recent call last):\n\n File \"/usr/local/lib/python3.6/dist-packages/oslo_messaging/rpc/server.py\", line 165, in _process_incoming\n res = self.dispatcher.dispatch(message)\n\n File \"/usr/local/lib/python3.6/dist-packages/oslo_messaging/rpc/dispatcher.py\", line 309, in dispatch\n return self._do_dispatch(endpoint, method, ctxt, args)\n\n File \"/usr/local/lib/python3.6/dist-packages/oslo_messaging/rpc/dispatcher.py\", line 229, in _do_dispatch\n result = func(ctxt, **new_args)\n\n File \"/usr/local/lib/python3.6/dist-packages/osprofiler/profiler.py\", line 160, in wrapper\n result = f(*args, **kwargs)\n\n File \"/opt/stack/manila/manila/scheduler/manager.py\", line 125, in get_pools\n return self.driver.get_pools(context, filters, cached)\n\n File \"/opt/stack/manila/manila/scheduler/drivers/filter.py\", line 49, in get_pools\n return self.host_manager.get_pools(context, filters, cached)\n\n File \"/opt/stack/manila/manila/scheduler/host_manager.py\", line 642, in get_pools\n self._update_host_state_map(context)\n\n File \"/opt/stack/manila/manila/scheduler/host_manager.py\", line 583, in _update_host_state_map\n share_services = db.service_get_all_by_topic(context, topic)\n\n File \"/opt/stack/manila/manila/db/api.py\", line 105, in service_get_all_by_topic\n return IMPL.service_get_all_by_topic(context, topic)\n\n File \"/opt/stack/manila/manila/db/sqlalchemy/api.py\", line 166, in wrapper\n raise exception.AdminRequired()\n\nmanila.exception.AdminRequired: User does not have admin privileges.\n"}}

[1] https://opendev.org/openstack/manila/src/commit/ffd3f1e7602677f9d8ffb43ff2fad1930b920191/manila/api/v1/scheduler_stats.py#L35
[2] https://opendev.org/openstack/manila/src/commit/6fb2e8510ef88ee9abb0839cf9a8247f97c1e262/manila/db/sqlalchemy/api.py#L463-L469
[3] https://bugs.launchpad.net/manila/+bug/1917504
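The failure mode described above, as an added example that is not Manila's code: an RPC boundary (oslo.messaging re-raises a server-side exception on the client with the remote traceback folded into its message text) sitting under an API handler whose policy check is looser than the internal "admin required" check. The `before` handler copies the remote exception's text into the 403 body, exactly as in the response above; the `after` handler logs the detail server-side and returns a fixed message. `RemoteError`, `AdminRequired`, the handler names and the `leaks_traceback` check are simplified stand-ins and assumptions of this example, not the real manila or oslo classes.

```python
"""Added example, not Manila's code: a 403 that carries an RPC traceback, and the
hardened handler. Class and function names are simplified stand-ins (assumptions)."""
import json
import logging
import traceback

log = logging.getLogger("api")

TRACEBACK_MARKER = "Traceback (most recent call last):"


class AdminRequired(Exception):
    """Stand-in for manila.exception.AdminRequired."""
    message = "User does not have admin privileges."

    def __init__(self):
        super().__init__(self.message)


def rpc_server_get_pools(context):
    """Stand-in for the scheduler's DB layer: the second, redundant admin check."""
    if not context.get("is_admin"):
        raise AdminRequired()
    return [{"name": "host@backend#pool", "capabilities": {}}]


class RemoteError(Exception):
    """Stand-in for oslo_messaging.RemoteError: message text plus remote traceback."""

    def __init__(self, exc_type, value, tb_text):
        self.exc_type, self.value, self.traceback = exc_type, value, tb_text
        super().__init__(f"{value}\n{tb_text}")


def rpc_client_get_pools(context):
    """Simulate the RPC boundary: the caller sees the exception with its traceback text."""
    try:
        return rpc_server_get_pools(context)
    except Exception as exc:
        raise RemoteError(type(exc).__name__, str(exc), traceback.format_exc()) from None


def api_policy_allows(context):
    """API-level RBAC (policy.yaml) for scheduler_stats:pools:index; here: any reader."""
    return "reader" in context.get("roles", ())


def forbidden(message):
    return 403, {"forbidden": {"code": 403, "message": message}}


def pools_index_vulnerable(context):
    """Before: str(exc) of the remote error, traceback included, becomes the 403 body."""
    if not api_policy_allows(context):
        return forbidden("Policy doesn't allow scheduler_stats:pools:index to be performed.")
    try:
        return 200, {"pools": rpc_client_get_pools(context)}
    except RemoteError as exc:
        return forbidden(str(exc))


def pools_index_fixed(context):
    """After: keep the detail in the server log, return a fixed message to the caller."""
    if not api_policy_allows(context):
        return forbidden("Policy doesn't allow scheduler_stats:pools:index to be performed.")
    try:
        return 200, {"pools": rpc_client_get_pools(context)}
    except RemoteError as exc:
        log.warning("scheduler-stats denied for user %s: %s", context.get("user"), exc.value)
        return forbidden(AdminRequired.message)


def leaks_traceback(body):
    """True if a response body (str or JSON-serialisable dict) carries a Python traceback."""
    text = body if isinstance(body, str) else json.dumps(body)
    return TRACEBACK_MARKER in text


# Constructed sample context: passes the API policy, fails the internal admin check.
READER_CTX = {"user": "my-system-reader", "roles": ["reader"], "is_admin": False}

if __name__ == "__main__":
    for handler in (pools_index_vulnerable, pools_index_fixed):
        status, body = handler(READER_CTX)
        print(handler.__name__, status, "leaks traceback:", leaks_traceback(body))
```

`leaks_traceback` is also the check to run over the raw body from step e) above: a 403 is the expected outcome for this persona, but its message must not contain "Traceback (most recent call last):" or any file/line frames.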

Revision history for this message
Goutham Pacha Ravi (gouthamr) wrote :

Fix proposed to master:
    Fix traceback in scheduler-stats API
    https://review.opendev.org/c/openstack/manila/+/778341

Changed in manila:
importance: Undecided → Low
assignee: nobody → Goutham Pacha Ravi (gouthamr)
milestone: none → wallaby-3
status: New → In Progress
tags: added: backport-potential
tags: added: wallaby-rc-bugsquash
Changed in manila:
milestone: wallaby-3 → wallaby-rc1
Changed in manila:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 12.0.0.0rc1

This issue was fixed in the openstack/manila 12.0.0.0rc1 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/manila/+/783208
Committed: https://opendev.org/openstack/manila/commit/177ce7e9495afb710711726be656b58065f42ce3
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit 177ce7e9495afb710711726be656b58065f42ce3
Author: Goutham Pacha Ravi <email address hidden>
Date: Tue Mar 2 15:53:02 2021 -0800

    Fix traceback in scheduler-stats API

    There was a traceback being included in the
    error message body. This is unhelpful to
    end users.

    The error message that included the traceback
    was for this corner case where the RBAC policy
    isn't aligned with the internal "context_is_admin"
    policy - an unlikely combination of decisions
    that a deployer would make - nevertheless,
    this is an opportunity for us to fix this
    code path.

    Change-Id: I888d684acac2133425f986ec7cef5e4f5cdcc5b6
    Closes-Bug: #1917520
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit a13ff5d5a73c9c4c4c7b56fe60c6152402127f10)

tags: added: in-stable-victoria
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/manila/+/792767

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to manila (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/manila/+/794061

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/manila/+/792767
Committed: https://opendev.org/openstack/manila/commit/94bb8fea8cacceb42cffac63d8d8490c33d2aa58
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit 94bb8fea8cacceb42cffac63d8d8490c33d2aa58
Author: Goutham Pacha Ravi <email address hidden>
Date: Tue Mar 2 15:53:02 2021 -0800

    Fix traceback in scheduler-stats API

    There was a traceback being included in the
    error message body. This is unhelpful to
    end users.

    The error message that included the traceback
    was for this corner case where the RBAC policy
    isn't aligned with the internal "context_is_admin"
    policy - an unlikely combination of decisions
    that a deployer would make - nevertheless,
    this is an opportunity for us to fix this
    code path.

    Change-Id: I888d684acac2133425f986ec7cef5e4f5cdcc5b6
    Closes-Bug: #1917520
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit a13ff5d5a73c9c4c4c7b56fe60c6152402127f10)
    (cherry picked from commit 177ce7e9495afb710711726be656b58065f42ce3)

tags: added: in-stable-ussuri
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to manila (stable/train)

Reviewed: https://review.opendev.org/c/openstack/manila/+/794061
Committed: https://opendev.org/openstack/manila/commit/c319dcdc9ba68fd595df2c5d5851391cad655f52
Submitter: "Zuul (22348)"
Branch: stable/train

commit c319dcdc9ba68fd595df2c5d5851391cad655f52
Author: Goutham Pacha Ravi <email address hidden>
Date: Tue Mar 2 15:53:02 2021 -0800

    Fix traceback in scheduler-stats API

    There was a traceback being included in the
    error message body. This is unhelpful to
    end users.

    The error message that included the traceback
    was for this corner case where the RBAC policy
    isn't aligned with the internal "context_is_admin"
    policy - an unlikely combination of decisions
    that a deployer would make - nevertheless,
    this is an opportunity for us to fix this
    code path.

    Change-Id: I888d684acac2133425f986ec7cef5e4f5cdcc5b6
    Closes-Bug: #1917520
    Signed-off-by: Goutham Pacha Ravi <email address hidden>
    (cherry picked from commit a13ff5d5a73c9c4c4c7b56fe60c6152402127f10)
    (cherry picked from commit 177ce7e9495afb710711726be656b58065f42ce3)
    (cherry picked from commit 94bb8fea8cacceb42cffac63d8d8490c33d2aa58)

tags: added: in-stable-train
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 10.1.0

This issue was fixed in the openstack/manila 10.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila 11.1.0

This issue was fixed in the openstack/manila 11.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/manila train-eol

This issue was fixed in the openstack/manila train-eol release.
