rbac-create should return a duplicate error when using the same 'object_id', 'object_type' and 'target_tenant'

Bug #1597233 reported by JianGang Weng on 2016-06-29
This bug affects 1 person
Affects: neutron
Importance: Undecided
Assigned to: rajiv

Bug Description

An RBAC entry should be unique by the combination of 'object_id', 'object_type' and 'target_tenant'.
But in fact, if we only change the 'action' value, we can get another entry with the same 'object_id', 'object_type' and 'target_tenant'.

The process is:

[root@localhost devstack]# neutron rbac-create a539e28b-5e6c-4436-b44f-e1f966b6a6a4 --type network --target_tenant tenant_id --action access_as_shared
Created a new rbac_policy:
+---------------+--------------------------------------+
| Field | Value |
+---------------+--------------------------------------+
| action | access_as_shared |
| id | 0897f09b-1799-416e-9b5d-99d0e153a1b1 |
| object_id | a539e28b-5e6c-4436-b44f-e1f966b6a6a4 |
| object_type | network |
| target_tenant | tenant_id |
| tenant_id | aced7a29bb134dec82307a880d1cc542 |
+---------------+--------------------------------------+
[root@localhost devstack]# neutron rbac-create a539e28b-5e6c-4436-b44f-e1f966b6a6a4 --type network --target_tenant tenant_id --action access_as_external
Created a new rbac_policy:
+---------------+--------------------------------------+
| Field | Value |
+---------------+--------------------------------------+
| action | access_as_external |
| id | 2c12609e-7878-4161-b533-17b6413bcf0b |
| object_id | a539e28b-5e6c-4436-b44f-e1f966b6a6a4 |
| object_type | network |
| target_tenant | tenant_id |
| tenant_id | aced7a29bb134dec82307a880d1cc542 |
+---------------+--------------------------------------+
[root@localhost devstack]#

Changed in neutron:
assignee: nobody → JianGang Weng (weng-jiangang)

This bug is > 180 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in neutron:
assignee: JianGang Weng (weng-jiangang) → nobody
status: New → Incomplete
tags: added: access-control
tags: added: low-hanging-fruit
rajiv (rajiv-kumar) on 2017-02-10
Changed in neutron:
assignee: nobody → rajiv (rajiv-kumar)
Reedip (reedip-banerjee) wrote :

Question: If the access types are different, then why should it be duplicated?

songminglong (songminglong) wrote :

I cannot get his meaning, and you could add some validation in the client if you really want to do that.
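
The open question in this thread is whether 'action' belongs in the uniqueness key for an RBAC entry. As an added example (not Neutron's code; the table layout and function names are a constructed model), the following replays the two commands from the report under both choices of key, then repeats the first command:

```python
import sqlite3
import uuid

# Constructed model of an RBAC policy table; the table and column layout are
# assumptions for illustration, not Neutron's actual schema.
SCHEMA = """
CREATE TABLE rbac_policy (
    id            TEXT PRIMARY KEY,
    tenant_id     TEXT NOT NULL,
    object_type   TEXT NOT NULL,
    object_id     TEXT NOT NULL,
    target_tenant TEXT NOT NULL,
    action        TEXT NOT NULL,
    UNIQUE ({key})
)
"""
KEY_WITHOUT_ACTION = "object_type, object_id, target_tenant"
KEY_WITH_ACTION = KEY_WITHOUT_ACTION + ", action"


def open_db(unique_key):
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA.format(key=unique_key))
    return db


def rbac_create(db, object_id, object_type, target_tenant, action,
                tenant_id="aced7a29bb134dec82307a880d1cc542"):
    """Insert one policy; return its id, or None if the key already exists."""
    policy_id = str(uuid.uuid4())
    try:
        with db:  # commits on success, rolls back on error
            db.execute(
                "INSERT INTO rbac_policy VALUES (?, ?, ?, ?, ?, ?)",
                (policy_id, tenant_id, object_type, object_id,
                 target_tenant, action))
    except sqlite3.IntegrityError:
        return None
    return policy_id


def replay_report(unique_key):
    """Replay the two commands from the report, then repeat the first one."""
    db = open_db(unique_key)
    net = "a539e28b-5e6c-4436-b44f-e1f966b6a6a4"
    calls = ["access_as_shared", "access_as_external", "access_as_shared"]
    return [rbac_create(db, net, "network", "tenant_id", a) is not None
            for a in calls]
```

With the three-column key the second command is rejected, which is the behaviour the report asks for. With 'action' in the key both grants are stored and only an exact repeat is rejected.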
