create a rbac policy target_tenant_id=self, can not delete this policy

Bug #1517702 reported by zhaobo
This bug affects 2 people
Affects Status Importance Assigned to Milestone
neutron
Fix Released
Undecided
Kevin Benton

Bug Description

I create a network as admin, giving only the network name. I want to make this network shared only with myself, so I create a policy for it. But after a period, when I want to share this network with other tenants or delete this policy, it cannot work.

repro
----------------
1. neutron net-create test1 with admin tenant A
2. neutron rbac-create test --type network --action access_as_shared --target-tenant admin_tenant
3. neutron rbac-delete policy_id ------> hit error
4. neutron rbac-update policy_id --target-tenant demo_tenant ------> hit error

So this policy cannot be deleted.

err_details
-----------------
2015-11-19 02:46:57.687 ERROR neutron.callbacks.manager [req-5300e9fd-518d-46d8-b168-4ff3ea8e11bc admin 5d73438ed76a4399b8d2996a699146c5] Error during notification for neutron.plugins.ml2.plugin.Ml2Plugin.validate_network_rbac_policy_change rbac-policy, before_update
2015-11-19 02:46:57.687 TRACE neutron.callbacks.manager Traceback (most recent call last):
2015-11-19 02:46:57.687 TRACE neutron.callbacks.manager File "/opt/stack/neutron/neutron/callbacks/manager.py", line 141, in _notify_loop
2015-11-19 02:46:57.687 TRACE neutron.callbacks.manager callback(resource, event, trigger, **kwargs)
2015-11-19 02:46:57.687 TRACE neutron.callbacks.manager File "/opt/stack/neutron/neutron/db/db_base_plugin_v2.py", line 151, in validate_network_rbac_policy_change
2015-11-19 02:46:57.687 TRACE neutron.callbacks.manager tenant_to_check)
2015-11-19 02:46:57.687 TRACE neutron.callbacks.manager File "/opt/stack/neutron/neutron/db/db_base_plugin_v2.py", line 157, in ensure_no_tenant_ports_on_network
2015-11-19 02:46:57.687 TRACE neutron.callbacks.manager ctx_admin = ctx.get_admin_context()
2015-11-19 02:46:57.687 TRACE neutron.callbacks.manager InvalidSharedSetting: Unable to reconfigure sharing settings for network d207350c-6d19-45fc-a3a4-2c70bf35a933. Multiple tenants are using it.
2015-11-19 02:46:57.687 TRACE neutron.callbacks.manager

zhaobo (zhaobo6)
Changed in neutron:
assignee: nobody → zhaobo (zhaobo6)
Gary Kotton (garyk)
tags: added: api
Gary Kotton (garyk)
tags: added: rbac
Kevin Benton (kevinbenton) wrote :
Changed in neutron:
status: New → Incomplete
assignee: zhaobo (zhaobo6) → nobody
tags: added: access-control
removed: rbac
Stephen Ma (stephen-ma) wrote :

Reproduced the problem:

http://paste.openstack.org/show/483072/

I think the problem is that a "neutron rbac-create" command that has a --target-tenant value that is the same as the network owner's id is meaningless and should not be allowed.

Stephen Ma (stephen-ma)
Changed in neutron:
status: Incomplete → Confirmed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/265664

Changed in neutron:
assignee: nobody → Stephen Ma (stephen-ma)
status: Confirmed → In Progress
Haim Daniel (hdaniel) wrote :

Several thoughts here:

1. The described flow here is 'cutting the branch you grew and sat on'. IMO it actually makes sense to forbid the default rule removal.

2. I think that in order to share the network, a user is not supposed to update the existing 'self shared' rbac rule. If he wishes to share the network, he simply would create an additional policy rule for that. (Or remove it if the opposite behavior is needed.)

3. A neater way to bugfix that might be a default 'self sharing' rule creation upon the network rule creation (if the --shared flag is not used).

Armando Migliaccio (armando-migliaccio) wrote :

This bug is > 180 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in neutron:
assignee: Stephen Ma (stephen-ma) → nobody
status: In Progress → Incomplete
songminglong (songminglong) wrote :

I think we should add a validation step for target_tenant when we create an rbac policy: validation includes whether target_tenant exists, and target_tenant cannot be the tenant itself.

songminglong (songminglong) wrote :

Actually, we should avoid the 'self share' situation by adding a check in the client and in rbac_db_mixin (create_rbac_policy and update_rbac_policy).

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/446834

Changed in neutron:
assignee: nobody → Kevin Benton (kevinbenton)
status: Incomplete → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (master)

Change abandoned by Kevin Benton (<email address hidden>) on branch: master
Review: https://review.openstack.org/446834
Reason: the bug will be addressed by https://review.openstack.org/#/c/265664/

The approach of this patch would prevent a tenant from using its own network as an external network for a router.

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/265664
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=f96b5439de459b6d437235a0ecb259cda2e1c81d
Submitter: Jenkins
Branch: master

commit f96b5439de459b6d437235a0ecb259cda2e1c81d
Author: Stephen Ma <email address hidden>
Date: Tue Apr 26 15:07:35 2016 -0700

    Allow self-sharing RBAC rules to be deleted without usage check

    This patch allows the update and deletion of network
    'access_as_shared' rule whose target tenant-id is the network owner
    without checking for network usage.

    Change-Id: I34d627da869f68c02e1abc4a19246698766d66e4
    Closes-bug: #1517702

Changed in neutron:
status: In Progress → Fix Released
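A simplified model of the validation path shown in the traceback and of the change described in the commit message above, added here as an illustration; it is not neutron's code, and the function and field names are assumptions modelled on the traceback.

```python
# Simplified model (constructed, not neutron's code) of the before_update /
# before_delete RBAC validation behind bug #1517702. Names are assumptions
# modelled on the traceback above.


def tenant_has_other_access(policies, removed, tenant):
    """True if a rule other than `removed` still grants `tenant` access."""
    return any(p is not removed and p["target_tenant"] in (tenant, "*")
               for p in policies)


def tenant_ports_on_network(net, ports, policies, removed, tenant):
    """Usage check: ports of `tenant` on the network that would be stranded
    (this is what raises InvalidSharedSetting in the traceback)."""
    if tenant_has_other_access(policies, removed, tenant):
        return []
    return [p for p in ports
            if p["network_id"] == net["id"] and p["tenant_id"] == tenant]


def rbac_policy_change_allowed(net, ports, policies, policy, fixed):
    """True if deleting `policy` (or retargeting it, which revokes the old
    target in the same way) passes validation.

    Before the fix the usage check ran for every target, so the owner's
    own self-share rule tripped it: the owner has ports. With `fixed` the
    owner is skipped, since its access never depended on an RBAC entry."""
    tenant_to_check = policy["target_tenant"]
    if fixed and tenant_to_check == net["tenant_id"]:
        return True
    stranded = tenant_ports_on_network(net, ports, policies, policy,
                                       tenant_to_check)
    return not stranded


# Constructed state mirroring the report: admin owns the network, has a
# port on it, and the only RBAC rule is the self-share from step 2.
NET = {"id": "net-1", "tenant_id": "admin"}
PORTS = [{"network_id": "net-1", "tenant_id": "admin"}]
SELF_SHARE = {"network_id": "net-1", "action": "access_as_shared",
              "target_tenant": "admin"}
```

With `fixed=False` the self-share rule cannot be removed (the reported error); with `fixed=True` it can, while a rule that would strand another tenant's ports is still refused.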
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/457390

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/457670

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/newton)

Reviewed: https://review.openstack.org/457390
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=ef65c9c92c5862bf1d077dc1f516e9548f550bcf
Submitter: Jenkins
Branch: stable/newton

commit ef65c9c92c5862bf1d077dc1f516e9548f550bcf
Author: Stephen Ma <email address hidden>
Date: Tue Apr 26 15:07:35 2016 -0700

    Allow self-sharing RBAC rules to be deleted without usage check

    This patch allows the update and deletion of network
    'access_as_shared' rule whose target tenant-id is the network owner
    without checking for network usage.

    Conflicts:
        neutron/tests/tempest/api/admin/test_shared_network_extension.py

    Change-Id: I34d627da869f68c02e1abc4a19246698766d66e4
    Closes-bug: #1517702
    (cherry picked from commit f96b5439de459b6d437235a0ecb259cda2e1c81d)

tags: added: in-stable-newton
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/ocata)

Reviewed: https://review.openstack.org/457670
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a7bd8be113ace405c5cc569abe5dcd41d2d153df
Submitter: Jenkins
Branch: stable/ocata

commit a7bd8be113ace405c5cc569abe5dcd41d2d153df
Author: Stephen Ma <email address hidden>
Date: Tue Apr 26 15:07:35 2016 -0700

    Allow self-sharing RBAC rules to be deleted without usage check

    This patch allows the update and deletion of network
    'access_as_shared' rule whose target tenant-id is the network owner
    without checking for network usage.

    Conflicts:
        neutron/tests/tempest/api/admin/test_shared_network_extension.py
        neutron/tests/unit/db/test_rbac_db_mixin.py

    Change-Id: I34d627da869f68c02e1abc4a19246698766d66e4
    Closes-bug: #1517702

tags: added: in-stable-ocata
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 9.4.0

This issue was fixed in the openstack/neutron 9.4.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 10.0.2

This issue was fixed in the openstack/neutron 10.0.2 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 11.0.0.0b2

This issue was fixed in the openstack/neutron 11.0.0.0b2 development milestone.
