OpenStack SDK

Wrong DVR and HA properties reported to non-admin users

Bug #1689510 reported by Tom Verdaat
18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack SDK
New
Undecided
Slawek Kaplonski
python-openstackclient
New
Undecided
Slawek Kaplonski

Bug Description

Our routers are HA-DVR by default. Executing "openstack router list" as user with admin privileges correctly returns Distributed=True, HA=True. The same command executed as a regular user returns Distributed=False, HA=False which is factually incorrect.

Seems to me that regular users are being misinformed about the properties of their routers. Is this by design or is it a bug? If it is by design, what reason would we have to lie to our users?

Revision history for this message
Assaf Muller (amuller) wrote :

Last time I tried using the neutron client, the server did not return the 'ha' and 'distributed' fields and the CLI did not list them. This may be a regression of the openstack CLI.

Revision history for this message
Tom Verdaat (tom-verdaat) wrote :

I guess it could be a regression, or a version incompatibility? These are the versions used when I encountered this behavior:

Neutron-server: Mitaka 8.4.0
Openstackclient: 3.9.0
Neutronclient: 6.1.0

Revision history for this message
Brian Haley (brian-haley) wrote :

I just tried this on master, 'openstack router show $router' for user and admin showed different results for distributed and ha fields.

The reason is that they are marked as admin-only in policy.json, probably to keep info about actual deployment information private.

Revision history for this message
Tom Verdaat (tom-verdaat) wrote :

Thanks for confirming Brian.

I can understand the reason. However, would it not make more sense to display the correct information by default? Operators could always, for security reasons, tighten the policy to admin-only.

Also, if you want to hide this from users then it would also make more sense to have the API not output these fields to regular users when the policy is admin-only in stead of knowingly providing wrong information.

Just my 2 cents as both an OpenStack operator and user.

Revision history for this message
Brian Haley (brian-haley) wrote :

So this is a bug in openstacksdk and/or python-openstackclient code, by default it is showing both "distributed" and "ha" values (with defaults to False), even if they are not in the JSON body returned from neutron-server. I don't know of an easy way to fix that by specifying not to show it in that case.

The python-neutronclient doesn't show the values unless they are in the JSON body, but of course it's being deprecated...

I'll re-assign and maybe someone else has a thought on how to fix it.

Changed in neutron:
status: New → Confirmed
importance: Undecided → Low
Revision history for this message
Slawek Kaplonski (slaweq) wrote :

I agreed with Brian here and I removed neutron from affected projects for now. This should be fixed on openstacksdk and openstackclient

Changed in python-openstacksdk:
assignee: nobody → Slawek Kaplonski (slaweq)
Changed in python-openstackclient:
assignee: nobody → Slawek Kaplonski (slaweq)
no longer affects: neutron
Revision history for this message
Slawek Kaplonski (slaweq) wrote :

Oh, and I proposed patches to fix it:
https://review.openstack.org/567606/ and https://review.openstack.org/567620

Revision history for this message
Dr. Jens Harbott (j-harbott) wrote :

sdk and OSC are now using storyboard, you should create a story at http://storyboard.openstack.org/ instead.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/openstacksdk 0.14.0

This issue was fixed in the openstack/openstacksdk 0.14.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/python-openstackclient 3.18.0

This issue was fixed in the openstack/python-openstackclient 3.18.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/python-openstackclient 3.16.3

This issue was fixed in the openstack/python-openstackclient 3.16.3 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.