non-admin can create and list bgpspeakers but can not show or update speaker

Bug #1583958 reported by flynnmmm
This bug affects 1 person
Affects: neutron
Importance: Undecided
Assigned to: Ryan Tidwell

Bug Description

Here is the configuration:
[root@SG-dev-flynn-3-fwaas devstack]# source openrc demo demo
WARNING: setting legacy OS_TENANT_NAME to support cli tools.
[root@SG-dev-flynn-3-fwaas devstack]# nova list
+----+------+--------+------------+-------------+----------+
| ID | Name | Status | Task State | Power State | Networks |
+----+------+--------+------------+-------------+----------+
+----+------+--------+------------+-------------+----------+
[root@SG-dev-flynn-3-fwaas devstack]# neutron bgp-speaker-create --ip-version 4 --local-as 777 106
Created a new bgp_speaker:
+-----------------------------------+--------------------------------------+
| Field | Value |
+-----------------------------------+--------------------------------------+
| advertise_floating_ip_host_routes | True |
| advertise_tenant_networks | True |
| id | ee03ac3c-81c8-46ce-abad-e3fac4877e87 |
| ip_version | 4 |
| local_as | 777 |
| name | 106 |
| networks | |
| peers | |
| tenant_id | 01c10991df8749d8a79694dad6dfb836 |
+-----------------------------------+--------------------------------------+
[root@SG-dev-flynn-3-fwaas devstack]# neutron bgp-speaker-create --ip-version 4 --local-as 7788 101
Created a new bgp_speaker:
+-----------------------------------+--------------------------------------+
| Field | Value |
+-----------------------------------+--------------------------------------+
| advertise_floating_ip_host_routes | True |
| advertise_tenant_networks | True |
| id | cb0a27e5-42a6-44c1-914b-9bce85a4d1e1 |
| ip_version | 4 |
| local_as | 7788 |
| name | 101 |
| networks | |
| peers | |
| tenant_id | 01c10991df8749d8a79694dad6dfb836 |
+-----------------------------------+--------------------------------------+
[root@SG-dev-flynn-3-fwaas devstack]# neutron bgp-speaker-list
+--------------------------------------+------+----------+------------+
| id | name | local_as | ip_version |
+--------------------------------------+------+----------+------------+
| cb0a27e5-42a6-44c1-914b-9bce85a4d1e1 | 101 | 7788 | 4 |
| ee03ac3c-81c8-46ce-abad-e3fac4877e87 | 106 | 777 | 4 |
+--------------------------------------+------+----------+------------+
[root@SG-dev-flynn-3-fwaas devstack]# neutron bgp-speaker-show cb0a27e5-42a6-44c1-914b-9bce85a4d1e1
Failed to check policy tenant_id:%(tenant_id)s because Unable to verify match:%(tenant_id)s as the parent resource: tenant was not found.
Neutron server returns request_ids: ['req-bff87635-2767-4bfd-b6e0-cc1399136d88']
[root@SG-dev-flynn-3-fwaas devstack]# neutron bgp-speaker-show 101
Failed to check policy tenant_id:%(tenant_id)s because Unable to verify match:%(tenant_id)s as the parent resource: tenant was not found.
Neutron server returns request_ids: ['req-fd336b49-70e3-4a20-ba2d-9ca9889ea05c']
[root@SG-dev-flynn-3-fwaas devstack]# neutron bgp-speaker-show 106
Failed to check policy tenant_id:%(tenant_id)s because Unable to verify match:%(tenant_id)s as the parent resource: tenant was not found.
Neutron server returns request_ids: ['req-70354c3c-d59a-4f69-ba3a-54edbce12e44']
[root@SG-dev-flynn-3-fwaas devstack]# neutron bgp-speaker-update --advertise-floating-ip-host-routes=False 106
Failed to check policy tenant_id:%(tenant_id)s because Unable to verify match:%(tenant_id)s as the parent resource: tenant was not found.
Neutron server returns request_ids: ['req-a13edca8-7d55-4568-a94f-a6bd228923fc']

Na Zhu (nazhu) wrote :

In the file bgp_plugin.py, the function policy.check_is_admin() is called. I think we should check the result of the function and, if it is false, not allow the operation and throw an error.

Changed in neutron:
assignee: nobody → Na Zhu (nazhu)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-dynamic-routing (master)

Fix proposed to branch: master
Review: https://review.openstack.org/319558

Changed in neutron:
status: New → In Progress
zhaobo (zhaobo6) wrote :

Hi, nazhu. I'm testing on stable/mitaka, and I use the same tenant as you, demo. I found something strange in your bug description: why can you create a speaker with tenant demo, and list speakers but not show them? I use devstack with mitaka/stable, but I cannot create a speaker with tenant demo normally, and I didn't change anything in it.
[root@localhost devstack]# neutron bgp-speaker-create test --local-as 767 --ip-version 4
rule:create_bgp_speaker on {u'name': u'test', 'tenant_id': u'7c1422d232944a46acc240c1b15fa613', u'local_as': u'767', u'ip_version': 4, 'advertise_floating_ip_host_routes': True, 'advertise_tenant_networks': True} by {'domain': None, 'project_name': u'demo', 'tenant_name': u'demo', 'project_domain': None, 'timestamp': '2016-05-23 03:10:36.736283', 'auth_token': '6bfab3ddab474097b9e02dfd0c51f037', 'resource_uuid': None, 'is_admin': False, 'user': u'8583ba1f36e24acdb2660f9f991f6d38', 'tenant': u'7c1422d232944a46acc240c1b15fa613', 'read_only': False, 'project_id': u'7c1422d232944a46acc240c1b15fa613', 'user_id': u'8583ba1f36e24acdb2660f9f991f6d38', 'show_deleted': False, 'roles': [u'Member', u'anotherrole'], 'user_identity': '8583ba1f36e24acdb2660f9f991f6d38 7c1422d232944a46acc240c1b15fa613 - - -', 'tenant_id': u'7c1422d232944a46acc240c1b15fa613', 'request_id': 'req-775b7afa-193d-4674-a7f8-6045174d87a2', 'user_domain': None, 'user_name': u'demo'} disallowed by policy
Neutron server returns request_ids: ['req-775b7afa-193d-4674-a7f8-6045174d87a2']

Changed in neutron:
assignee: Na Zhu (nazhu) → Ryan Tidwell (ryan-tidwell)
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-dynamic-routing (master)

Reviewed: https://review.openstack.org/319558
Committed: https://git.openstack.org/cgit/openstack/neutron-dynamic-routing/commit/?id=62cb5c418442adc71469d74106839ad041b940ff
Submitter: Jenkins
Branch: master

commit 62cb5c418442adc71469d74106839ad041b940ff
Author: Na <email address hidden>
Date: Sat May 21 05:49:50 2016 -0700

    Fix the policy check for BGP APIs

    Only admin can configure BGP; this patch adds a policy check
    for BGP APIs.

    Change-Id: I5ce602202c52542792cc5b22e58e0ed074e09d7d
    Closes-Bug: #1583958

Changed in neutron:
status: In Progress → Fix Released
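
The pattern discussed in this thread (an admin check that is called but whose result is not acted on, and the fix's rule that only admin can configure BGP), as an added example that is not part of the bug report or of neutron-dynamic-routing's code. The plugin classes, `allowed_actions`, and every method name other than `create_bgp_speaker` are assumptions made for illustration; the non-admin roles used to exercise it are the ones shown in the log above.

```python
def check_is_admin(context):
    """Stand-in admin check (added model, not neutron code): returns a bool."""
    return "admin" in context["roles"]

class UncheckedPlugin:  # 'before' shape: the check runs, its result is discarded
    def __init__(self):
        self.speakers = {"seed": {"id": "seed", "local_as": 777}}  # constructed

    def _authorize(self, context, action):
        check_is_admin(context)  # result ignored, so nothing is enforced

    def create_bgp_speaker(self, context, speaker_id, local_as):
        self._authorize(context, "create_bgp_speaker")
        self.speakers[speaker_id] = {"id": speaker_id, "local_as": local_as}

    def get_bgp_speakers(self, context):
        self._authorize(context, "get_bgp_speakers")
        return list(self.speakers.values())

    def get_bgp_speaker(self, context, speaker_id):
        self._authorize(context, "get_bgp_speaker")
        return self.speakers[speaker_id]

    def update_bgp_speaker(self, context, speaker_id, **fields):
        self._authorize(context, "update_bgp_speaker")
        self.speakers[speaker_id].update(fields)

class CheckedPlugin(UncheckedPlugin):  # 'after' shape: one choke point, fails closed
    def _authorize(self, context, action):
        if not check_is_admin(context):
            raise PermissionError(action)

def allowed_actions(plugin, context):
    """One row of the authorization matrix: operations that succeed."""
    calls = {
        "create": lambda: plugin.create_bgp_speaker(context, "new", 7788),
        "list": lambda: plugin.get_bgp_speakers(context),
        "show": lambda: plugin.get_bgp_speaker(context, "seed"),
        "update": lambda: plugin.update_bgp_speaker(context, "seed", local_as=1),
    }
    allowed = []
    for name, call in calls.items():
        try:
            call()
        except PermissionError:
            continue
        allowed.append(name)
    return allowed
```

Running `allowed_actions` for a non-admin and an admin context against each plugin gives a regression check that all four operations agree on who may call them.
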
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-dynamic-routing (master)

Fix proposed to branch: master
Review: https://review.openstack.org/341207

OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron-dynamic-routing (master)

Change abandoned by fumihiko kakuma (<email address hidden>) on branch: master
Review: https://review.openstack.org/341207
Reason: This is a duplicate of https://review.openstack.org/#/c/333668.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/neutron-dynamic-routing 9.0.0.0b2

This issue was fixed in the openstack/neutron-dynamic-routing 9.0.0.0b2 development milestone.
