CLI arguments for rbac create are misleading and possibly incorrect
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | In Progress | Medium | Slawek Kaplonski |
python-openstackclient | Opinion | Undecided | Slawek Kaplonski |
Bug Description
On a yoga install of openstack, I can run the following command as a user with the member role in projectA, which is in domain DOM:
openstack network rbac create --target-project projectB --target-
The user doesn't have any role for project projectB but can successfully create an rbac for it. However, when I see the fields of the rbac, I see:
| target_project_id | projectB |
The RBAC then fails to work as expected, because this is not an ID. If, instead, I create the rbac using an explicit ID of the project, then the RBAC behaves as expected.
From what I understand, the user cannot see "projectB" so there is no way for the CLI to lookup its ID. However, I would expect the CLI in this case to reply:
"Cannot create rbac from name without permissions to list projects. Please use an ID instead"
I note that if I use a user who is allowed to list projects, then when I create an rbac, the ID of the project appears in the fields of the rbac.
This bug is somewhat related to https:/
affects: neutron → python-openstackclient
tags: added: rbac
Changed in neutron:
status: New → Triaged
Changed in python-openstackclient:
status: New → Confirmed
Changed in neutron:
importance: Undecided → Medium
Changed in neutron:
assignee: nobody → Slawek Kaplonski (slaweq)
Changed in python-openstackclient:
assignee: nobody → Slawek Kaplonski (slaweq)
Thank you for your report!
I was able to reproduce this problem on current master, specifically:
neutron cdb644574a
keystone 7a6e1a0bd
$ openstack --version
openstack 6.7.0
It seems to me we need to have a two-part fix:
(a) neutron should reject invalid target_tenants in requests like this:
REQ: curl -g -i -X POST http://192.168.122.198:9696/networking/v2.0/rbac-policies -H "Content-Type: application/json" -H "User-Agent: openstacksdk/3.1.1 keystoneauth1/5.6.0 python-requests/2.31.0 CPython/3.10.12" -H "X-Auth-Token: {SHA256}4f7791206ff9b5fb43d4dd4226c30c63e30d1bc85612273c6e47554432dfa5dc" -d '{"rbac_policy": {"action": "access_as_shared", "object_type": "security_group", "object_id": "ac30c9b6-f419-4774-9521-cd6da3ebd511", "target_tenant": "nonsuch"}}'
http://192.168.122.198:9696 "POST /networking/v2.0/rbac-policies HTTP/1.1" 201 306
RESP: [201] Connection: keep-alive Content-Length: 306 Content-Type: application/json Date: Wed, 15 May 2024 13:52:05 GMT X-Openstack-Request-Id: req-666e325c-5107-48a0-89ec-52717053966d
RESP BODY: {"rbac_policy": {"id": "4a22d7d0-8199-468f-aa4e-77d6fd8c5539", "project_id": "11b2e9eba77948d987192915ef028222", "action": "access_as_shared", "object_id": "ac30c9b6-f419-4774-9521-cd6da3ebd511", "target_tenant": "nonsuch", "object_type": "security_group", "tenant_id": "11b2e9eba77948d987192915ef028222"}}
(b) openstackclient should reject target tenant names it cannot resolve to a uuid, particularly it should properly handle 403 errors:
GET call to identity for http://192.168.122.198/identity/v3/projects/nonsuch used request id req-32737285-3931-4f65-91fa-240bd303a8cd
Request returned failure status: 403
REQ: curl -g -i -X GET http://192.168.122.198/identity/v3/projects?domain_id=default&name=nonsuch -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA256}4f7791206ff9b5fb43d4dd4226c30c63e30d1bc85612273c6e47554432dfa5dc"
Resetting dropped connection: 192.168.122.198
http://192.168.122.198:80 "GET /identity/v3/projects?domain_id=default&name=nonsuch HTTP/1.1" 403 135
RESP: [403] Connection: close Content-Length: 135 Content-Type: application/json Date: Wed, 15 May 2024 13:52:05 GMT Server: Apache/2.4.52 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-5d6732b9-f4b3-47f5-b447-cca24a624b49
RESP BODY: {"error":{"code":403,"message":"You are not authorized to perform the requested action: identity:list_projects.","title":"Forbidden"}}
GET call to identity for http://192.168.122.198/identity/v3/projects?domain_id=default&name=nonsuch used request id req-5d6732b9-f4b3-47f5-b447-cca24a624b49
Request returned failure status: 403
REQ: curl -g -i -X GET http://192.168.122.198/identity/v3/projects? -H "Accept: application/json" -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: {SHA256}4f7791206ff9b5fb43d4dd4226c30c63e30d1bc85612273c6e47554432dfa5dc"
Resetting dropped connection: 192.168.122.198
http://192.168.122.198:80 "GET /identity/v3/projects HTTP/1.1" 403 135
RESP: [403] Connection: close Content-Length: 135 Content-Type: application/json Date: Wed, 15 May 2024 13:52:05 GMT Server: Apache/2.4.52 (Ubuntu) Vary: X-Auth-Token x-openstack-request-id: req-428d741f-8b...
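To illustrate the two-part fix sketched in the comment above, and the error message the reporter asked for, here is an added Python example; it is not code from python-openstackclient or neutron. The identity backend, project names and project IDs are constructed, and the 32-hex-character project ID format is an assumption of this example.

```python
import re

PROJECT_ID_RE = re.compile(r"^[0-9a-f]{32}$")  # assumption: default keystone IDs, 32 hex chars

PROJECTS = {  # constructed sample projects; these IDs are made up for this example
    "projectA": "0a7c1d9e8b6f4e3d2c1b0a9f8e7d6c5b",
    "projectB": "5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e",
}


class Forbidden(Exception):
    """Stand-in for keystone answering 403 to identity:list_projects."""


class UnresolvedTarget(ValueError):
    """Raised by the client instead of sending the bare name as target_tenant."""


def make_identity(projects, may_list):
    """Constructed identity backend: resolving a name needs identity:list_projects."""
    def find_project(name):
        if not may_list:
            raise Forbidden("identity:list_projects")
        return projects[name]  # KeyError for an unknown name
    return find_project


def resolve_target_project(name_or_id, find_project):
    """Client side (fix b): a 403 from the identity lookup is an error,
    not a reason to fall back to passing the name through unchanged."""
    if name_or_id == "*" or PROJECT_ID_RE.match(name_or_id):
        return name_or_id
    try:
        return find_project(name_or_id)
    except Forbidden:
        raise UnresolvedTarget("Cannot create rbac from name without permissions "
                               "to list projects. Please use an ID instead")


def validate_target_tenant(target_tenant):
    """Server side (fix a): neutron accepts only '*' or a project ID."""
    return target_tenant == "*" or bool(PROJECT_ID_RE.match(target_tenant))


def run_scenario(may_list=False):
    """Replay the report: target projectB by name, by ID, and as '*'."""
    find = make_identity(PROJECTS, may_list)
    outcomes = {}
    for target in ("projectB", PROJECTS["projectB"], "*"):
        try:
            outcomes[target] = resolve_target_project(target, find)
        except UnresolvedTarget as exc:
            outcomes[target] = "rejected: " + str(exc)
    return outcomes
```

With `may_list=False` the name is rejected client-side, while the ID and `*` pass through; `validate_target_tenant("nonsuch")` shows what the server-side check would have refused in the 201 response above.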