rbac-create should return a duplicated error when using the same 'object_id', 'object_type' and 'target_tenant'

Bug #1597233 reported by JianGang Weng
This bug affects 1 person
Affects: neutron
Status: Won't Fix
Importance: Undecided
Assigned to: rajiv

Bug Description

An RBAC entry should be unique by the combination of 'object_id', 'object_type' and 'target_tenant'.
But in fact, if we only change the 'action' value, we can get another entry with the same 'object_id', 'object_type' and 'target_tenant'.

The process is:

[root@localhost devstack]# neutron rbac-create a539e28b-5e6c-4436-b44f-e1f966b6a6a4 --type network --target_tenant tenant_id --action access_as_shared
Created a new rbac_policy:
+---------------+--------------------------------------+
| Field         | Value                                |
+---------------+--------------------------------------+
| action        | access_as_shared                     |
| id            | 0897f09b-1799-416e-9b5d-99d0e153a1b1 |
| object_id     | a539e28b-5e6c-4436-b44f-e1f966b6a6a4 |
| object_type   | network                              |
| target_tenant | tenant_id                            |
| tenant_id     | aced7a29bb134dec82307a880d1cc542     |
+---------------+--------------------------------------+
[root@localhost devstack]# neutron rbac-create a539e28b-5e6c-4436-b44f-e1f966b6a6a4 --type network --target_tenant tenant_id --action access_as_external
Created a new rbac_policy:
+---------------+--------------------------------------+
| Field         | Value                                |
+---------------+--------------------------------------+
| action        | access_as_external                   |
| id            | 2c12609e-7878-4161-b533-17b6413bcf0b |
| object_id     | a539e28b-5e6c-4436-b44f-e1f966b6a6a4 |
| object_type   | network                              |
| target_tenant | tenant_id                            |
| tenant_id     | aced7a29bb134dec82307a880d1cc542     |
+---------------+--------------------------------------+
[root@localhost devstack]#
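
The two uniqueness keys at issue in this report, as an added example that is not neutron's code: the two requests from the output above are replayed against an in-memory SQLite table, once with the key the report asks for and once with a key that also includes 'action'. The table `rbac_policies`, its column layout and the function `create_policies` are assumptions made for illustration.

```python
import sqlite3

# Constructed sample: the two requests from the report, values copied from its output.
REQUESTS = [
    ("a539e28b-5e6c-4436-b44f-e1f966b6a6a4", "network", "tenant_id", "access_as_shared"),
    ("a539e28b-5e6c-4436-b44f-e1f966b6a6a4", "network", "tenant_id", "access_as_external"),
]

COLUMNS = ("object_id", "object_type", "target_tenant", "action")


def create_policies(unique_columns, requests=REQUESTS):
    """Insert each request into a hypothetical rbac_policies table whose
    UNIQUE constraint covers unique_columns; return one outcome per request."""
    if not set(unique_columns) <= set(COLUMNS):
        raise ValueError("unknown column in uniqueness key")
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE rbac_policies ("
        " object_id TEXT NOT NULL, object_type TEXT NOT NULL,"
        " target_tenant TEXT NOT NULL, action TEXT NOT NULL,"
        f" UNIQUE ({', '.join(unique_columns)}))"
    )
    outcomes = []
    for row in requests:
        try:
            db.execute("INSERT INTO rbac_policies VALUES (?, ?, ?, ?)", row)
            outcomes.append("created")
        except sqlite3.IntegrityError:
            # The database rejected the row as a duplicate under this key.
            outcomes.append("duplicate")
    db.close()
    return outcomes


# Key the report asks for: 'action' is not part of it.
REPORT_KEY = ("object_id", "object_type", "target_tenant")
# Key that also includes 'action': reproduces the behaviour shown in the report.
ACTION_KEY = REPORT_KEY + ("action",)

if __name__ == "__main__":
    print("report key:", create_policies(REPORT_KEY))
    print("action key:", create_policies(ACTION_KEY))
    # Replaying the first request shows the wider key still blocks exact repeats.
    print("action key, replay:", create_policies(ACTION_KEY, REQUESTS + REQUESTS[:1]))
```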

Changed in neutron:
assignee: nobody → JianGang Weng (weng-jiangang)
Armando Migliaccio (armando-migliaccio) wrote :

This bug is > 180 days without activity. We are unsetting assignee and milestone and setting status to Incomplete in order to allow its expiry in 60 days.

If the bug is still valid, then update the bug status.

Changed in neutron:
assignee: JianGang Weng (weng-jiangang) → nobody
status: New → Incomplete
tags: added: access-control
tags: added: low-hanging-fruit
rajiv (rajiv-kumar)
Changed in neutron:
assignee: nobody → rajiv (rajiv-kumar)
Reedip (reedip-banerjee-deactivatedaccount) wrote :

Question: If the access types are different, then why should it be duplicated?

songminglong (songminglong) wrote :

I cannot get his meaning, and you could add some validations in the client if you really want to do that.

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Bug closed due to lack of activity, please feel free to reopen if needed.

Changed in neutron:
status: Incomplete → Won't Fix