"neutron lb-pool-list" running by admin returns also non-admin load balancer pools which appear later in horizon's admin project

Bug #1244126 reported by Rami Vaknin
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Dashboard (Horizon) | Fix Released | Medium | Akihiro Motoki |
Havana | Fix Released | Medium | Akihiro Motoki |
neutron | Won't Fix | Low | Eugene Nikanorov |

Bug Description

Version
=======
Havana on rhel

Description
===========
"neutron lb-pool-list" should return the list of load balancer pools in the user's tenant, however when running it with admin - it prints the list of all tenant's pools.
The side effect is that horizon's "Project"->"Load Balancers" tab, when logged in as the admin user, contains load balancers that have nothing to do with the admin tenant.

# keystone tenant-list
+----------------------------------+----------+---------+
| id | name | enabled |
+----------------------------------+----------+---------+
| abd7d9c464814aff98652c3e235a799b | admin | True |
| e86dccb5c751465a8d338f6e3aeb8228 | services | True |
| 43029e52371247ca9dc771780a8f41b5 | vlan_211 | True |
| 0b3607a0807a4d928b0eab794b291198 | vlan_212 | True |
| 783c402f63c94545b270177661631eac | vlan_213 | True |
| 8bfe5effe4e942c2a5d4f41e46f2e09d | vlan_214 | True |
+----------------------------------+----------+---------+

# neutron lb-pool-list
+--------------------------------------+---------------+-------------+----------+----------------+--------+
| id | name | lb_method | protocol | admin_state_up | status |
+--------------------------------------+---------------+-------------+----------+----------------+--------+
| 2c16a5cf-6ee7-4948-85cd-0faa9fc5eef4 | pool_vlan_214 | ROUND_ROBIN | HTTP | True | ACTIVE |
+--------------------------------------+---------------+-------------+----------+----------------+--------+

# neutron lb-pool-list --all-tenant
+--------------------------------------+---------------+-------------+----------+----------------+--------+
| id | name | lb_method | protocol | admin_state_up | status |
+--------------------------------------+---------------+-------------+----------+----------------+--------+
| 2c16a5cf-6ee7-4948-85cd-0faa9fc5eef4 | pool_vlan_214 | ROUND_ROBIN | HTTP | True | ACTIVE |
+--------------------------------------+---------------+-------------+----------+----------------+--------+

# neutron lb-pool-list --tenant-id abd7d9c464814aff98652c3e235a799b
<empty output>

# neutron lb-pool-list --tenant-id 8bfe5effe4e942c2a5d4f41e46f2e09d
+--------------------------------------+---------------+-------------+----------+----------------+--------+
| id | name | lb_method | protocol | admin_state_up | status |
+--------------------------------------+---------------+-------------+----------+----------------+--------+
| 2c16a5cf-6ee7-4948-85cd-0faa9fc5eef4 | pool_vlan_214 | ROUND_ROBIN | HTTP | True | ACTIVE |
+--------------------------------------+---------------+-------------+----------+----------------+--------+

Tags: lbaas neutron
Changed in neutron:
assignee: nobody → Eugene Nikanorov (enikanorov)
tags: added: lbaas
Changed in neutron:
importance: Undecided → Low
Eugene Nikanorov (enikanorov) wrote :

This behavior is by design and it works in the same way with other Neutron resources.
Currently there is another similar discussion about whether admin should see everyone's resources:
https://bugs.launchpad.net/neutron/+bug/1238293

Rami Vaknin (rvaknin) wrote :

So I probably should assign this bug to horizon, because the admin user in the Project tab sees only its own networks/routers/keypairs/secgroups etc.; however, admin sees other tenants' load balancers.

affects: neutron → horizon
Eugene Nikanorov (enikanorov) wrote :

No, it's really neutron behaviour, not horizon.
You are able to see the same via CLI. I'm changing the project back to neutron.
Once the decision is taken on how to change the API behavior, we could propose some fix to it.

affects: horizon → neutron
Eugene Nikanorov (enikanorov) wrote :

Per the description of https://bugs.launchpad.net/neutron/+bug/1238293 I'm marking this as invalid for neutron.
I'll add the horizon project to evaluate the bug there.

Changed in neutron:
status: New → Won't Fix
Akihiro Motoki (amotoki) wrote :

Thanks Eugene, it is a bug on the Horizon side.
When fetching a list of pools (or other resources), there is no filter by tenant_id.
VPNaaS has the same issue. FWaaS does not.

Changed in horizon:
status: New → Confirmed
importance: Undecided → Medium
tags: added: havana-backport-potential neutron
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/54242

Changed in horizon:
assignee: nobody → Akihiro Motoki (amotoki)
status: Confirmed → In Progress
Changed in horizon:
milestone: none → icehouse-2
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/54242
Committed: http://github.com/openstack/horizon/commit/630b43349160f8b35d54196aabaa6e1afe5e4d61
Submitter: Jenkins
Branch: master

commit 630b43349160f8b35d54196aabaa6e1afe5e4d61
Author: Akihiro MOTOKI <email address hidden>
Date: Tue Oct 29 15:46:13 2013 +0900

    Specify tenant_id when retrieving LBaaS/VPNaaS resource

    In Neutron API, resources from all tenants are listed when
    retrieving a list of resources with admin role. Horizon
    project dashboard is for project-specific operations,
    so we should retrieve only resources of the given project.
    LBaaS/VPNaaS panels have this problem, but FWaaS does not.
    router_list should be called with tenant_id filter too.

    This commit also fixes VPN/FWaaS tests so that they extract tenant_id
    from request attribute rather than use tenant_id of test_data.

    Change-Id: I080e6c6d1e426a878c1d088763bbc7e5add15820
    Closes-Bug: #1244126
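
The listing behaviour discussed in this thread and the tenant_id filter the commit describes, modelled as an added example (not Horizon's or Neutron's code). `FakeNeutron`, `Request`, `pool_list_unscoped` and `pool_list_for_project` are hypothetical names; the tenant and pool ids are the ones from the report, and the pool row is constructed sample data.

```python
from dataclasses import dataclass

ADMIN_TENANT = "abd7d9c464814aff98652c3e235a799b"     # "admin" in the report
VLAN_214_TENANT = "8bfe5effe4e942c2a5d4f41e46f2e09d"  # "vlan_214" in the report

# Constructed sample data mirroring the single pool in the CLI output.
POOLS = [{"id": "2c16a5cf-6ee7-4948-85cd-0faa9fc5eef4",
          "name": "pool_vlan_214", "tenant_id": VLAN_214_TENANT}]


@dataclass
class Request:
    """Hypothetical stand-in for the dashboard request (project scope + role)."""
    tenant_id: str
    is_admin: bool


class FakeNeutron:
    """Toy model of the list semantics described in the thread."""

    def __init__(self, pools):
        self._pools = pools

    def list_pools(self, caller, **filters):
        rows = self._pools
        if not caller.is_admin:
            # Non-admin callers are always confined to their own tenant.
            rows = [p for p in rows if p["tenant_id"] == caller.tenant_id]
        # Explicit filters narrow the result for every caller, admin included.
        return [p for p in rows
                if all(p.get(k) == v for k, v in filters.items())]


def pool_list_unscoped(neutron, request):
    """Behaviour before the fix: no tenant_id filter, admin sees every tenant."""
    return neutron.list_pools(request)


def pool_list_for_project(neutron, request):
    """Behaviour after the fix: filter by the request's tenant, then verify."""
    pools = neutron.list_pools(request, tenant_id=request.tenant_id)
    # Defence in depth: a project view must never render foreign rows.
    foreign = [p["id"] for p in pools if p["tenant_id"] != request.tenant_id]
    if foreign:
        raise RuntimeError(f"cross-tenant rows in project view: {foreign}")
    return pools
```
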

Changed in horizon:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/63376

Akihiro Motoki (amotoki)
tags: removed: havana-backport-potential
Thierry Carrez (ttx)
Changed in horizon:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/havana)

Reviewed: https://review.openstack.org/63376
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=660cd866c0fbccc2962eaa0046b14170cde46a2d
Submitter: Jenkins
Branch: stable/havana

commit 660cd866c0fbccc2962eaa0046b14170cde46a2d
Author: Akihiro MOTOKI <email address hidden>
Date: Tue Oct 29 15:46:13 2013 +0900

    Specify tenant_id when retrieving LBaaS/VPNaaS resource

    In Neutron API, resources from all tenants are listed when
    retrieving a list of resources with admin role. Horizon
    project dashboard is for project-specific operations,
    so we should retrieve only resources of the given project.
    LBaaS/VPNaaS panels have this problem, but FWaaS does not.
    router_list should be called with tenant_id filter too.

    This commit also fixes VPN/FWaaS tests so that they extract tenant_id
    from request attribute rather than use tenant_id of test_data.

    Change-Id: I080e6c6d1e426a878c1d088763bbc7e5add15820
    Closes-Bug: #1244126
    (cherry picked from commit 630b43349160f8b35d54196aabaa6e1afe5e4d61)

Thierry Carrez (ttx)
Changed in horizon:
milestone: icehouse-2 → 2014.1