address pair not working with oslo policy http check

Bug #2069071 reported by Rico Lin
Affects: neutron
Status: Invalid
Importance: Undecided
Assigned to: Rodolfo Alonso

Bug Description

With the following policy.json added, in which http://127.0.0.1:8181/enforce is a remote policy enforcer:
```
{
    "create_port:allowed_address_pairs": "http://127.0.0.1:8181/enforce"
}
```

I can't create an address pair anymore:
```
ubuntu@instance:~$ openstack port create --network private3 --allowed-address mac-address=fa:16:3e:60:10:da,ip-address=192.168.4.65 port4
HttpException: 500: Server Error for url: http://192.168.1.130:9696/networking/v2.0/ports, Request Failed: internal server error while processing your request.
```
That failed with oslo.policy/remote_content_type set to either application/x-www-form-urlencoded or application/json.

Traceback for application/json
```
DEBUG neutron.pecan_wsgi.hooks.quota_enforcement [None req-5272d867-a800-44a6-853c-edc6ada92b16 demo admin] Made reservation on behalf of 9e88a8269ab2478e949a25e9643284b1 for: {'port': 1} {{(pid=995401) before /opt/stack/neutron/neutron/pecan_wsgi/hooks/quota_enforcement.py:53}}
ERROR neutron.pecan_wsgi.hooks.translation [None req-5272d867-a800-44a6-853c-edc6ada92b16 demo admin] POST failed.: TypeError: Object of type Sentinel is not JSON serializable
ERROR neutron.pecan_wsgi.hooks.translation Traceback (most recent call last):
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/pecan/core.py", line 681, in __call__
ERROR neutron.pecan_wsgi.hooks.translation controller, args, kwargs = self.find_controller(state)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/pecan/core.py", line 859, in find_controller
ERROR neutron.pecan_wsgi.hooks.translation controller, args, kw = super(Pecan, self).find_controller(_state)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/pecan/core.py", line 549, in find_controller
ERROR neutron.pecan_wsgi.hooks.translation self.handle_hooks(self.determine_hooks(controller), 'before', state)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/pecan/core.py", line 866, in handle_hooks
ERROR neutron.pecan_wsgi.hooks.translation return super(Pecan, self).handle_hooks(hooks, *args, **kw)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/pecan/core.py", line 331, in handle_hooks
ERROR neutron.pecan_wsgi.hooks.translation result = getattr(hook, hook_type)(*args)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/neutron/neutron/pecan_wsgi/hooks/policy_enforcement.py", line 133, in before
ERROR neutron.pecan_wsgi.hooks.translation policy.enforce(
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/neutron/neutron/policy.py", line 525, in enforce
ERROR neutron.pecan_wsgi.hooks.translation result = _ENFORCER.enforce(rule, target, context, action=action,
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/oslo_policy/policy.py", line 1054, in enforce
ERROR neutron.pecan_wsgi.hooks.translation result = _checks._check(
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/oslo_policy/_checks.py", line 80, in _check
ERROR neutron.pecan_wsgi.hooks.translation return rule(*rule_args)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/oslo_policy/_checks.py", line 178, in __call__
ERROR neutron.pecan_wsgi.hooks.translation if not _check(rule, target, cred, enforcer, current_rule):
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/oslo_policy/_checks.py", line 80, in _check
ERROR neutron.pecan_wsgi.hooks.translation return rule(*rule_args)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/oslo_policy/_checks.py", line 178, in __call__
ERROR neutron.pecan_wsgi.hooks.translation if not _check(rule, target, cred, enforcer, current_rule):
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/oslo_policy/_checks.py", line 80, in _check
ERROR neutron.pecan_wsgi.hooks.translation return rule(*rule_args)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/oslo_policy/_checks.py", line 257, in __call__
ERROR neutron.pecan_wsgi.hooks.translation return _check(
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/oslo_policy/_checks.py", line 80, in _check
ERROR neutron.pecan_wsgi.hooks.translation return rule(*rule_args)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/oslo_policy/_external.py", line 40, in __call__
ERROR neutron.pecan_wsgi.hooks.translation requests.post(url, json=json, data=data)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/requests/api.py", line 115, in post
ERROR neutron.pecan_wsgi.hooks.translation return request("post", url, data=data, json=json, **kwargs)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/requests/api.py", line 59, in request
ERROR neutron.pecan_wsgi.hooks.translation return session.request(method=method, url=url, **kwargs)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/requests/sessions.py", line 575, in request
ERROR neutron.pecan_wsgi.hooks.translation prep = self.prepare_request(req)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/requests/sessions.py", line 486, in prepare_request
ERROR neutron.pecan_wsgi.hooks.translation p.prepare(
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/requests/models.py", line 371, in prepare
ERROR neutron.pecan_wsgi.hooks.translation self.prepare_body(data, files, json)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/requests/models.py", line 511, in prepare_body
ERROR neutron.pecan_wsgi.hooks.translation body = complexjson.dumps(json, allow_nan=False)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/simplejson/__init__.py", line 378, in dumps
ERROR neutron.pecan_wsgi.hooks.translation return _default_encoder.encode(obj)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/simplejson/encoder.py", line 298, in encode
ERROR neutron.pecan_wsgi.hooks.translation chunks = self.iterencode(o)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/simplejson/encoder.py", line 379, in iterencode
ERROR neutron.pecan_wsgi.hooks.translation return _iterencode(o, 0)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/simplejson/encoder.py", line 274, in default
ERROR neutron.pecan_wsgi.hooks.translation raise TypeError('Object of type %s is not JSON serializable' %
ERROR neutron.pecan_wsgi.hooks.translation TypeError: Object of type Sentinel is not JSON serializable
ERROR neutron.pecan_wsgi.hooks.translation
DEBUG neutron.pecan_wsgi.hooks.notifier [None req-5272d867-a800-44a6-853c-edc6ada92b16 demo admin] No notification will be sent due to unsuccessful status code: 500 {{(pid=995401) after /opt/stack/neutron/neutron/pecan_wsgi/hooks/notifier.py:78}}

```

and for application/x-www-form-urlencoded
```
DEBUG neutron.api.v2.base [None req-5bb52e89-30d6-4850-a3cd-305ab0acb663 demo admin] Request body: {'port': {'name': 'port4', 'allowed_address_pairs': [{'ip_address': '192.168.4.65', 'mac_address': 'fa:16:3e:60:10:da'}], 'admin_state_up': True, 'network_id': '7a588a17-fdd9-4f94-8f2e-eb650b8da39e'}} {{(pid=997437) prepare_request_body /opt/stack/neutron/neutron/api/v2/base.py:734}}
DEBUG neutron.pecan_wsgi.hooks.quota_enforcement [None req-5bb52e89-30d6-4850-a3cd-305ab0acb663 demo admin] Made reservation on behalf of 9e88a8269ab2478e949a25e9643284b1 for: {'port': 1} {{(pid=997437) before /opt/stack/neutron/neutron/pecan_wsgi/hooks/quota_enforcement.py:53}}
ERROR neutron.pecan_wsgi.hooks.translation [None req-5bb52e89-30d6-4850-a3cd-305ab0acb663 demo admin] POST failed.: ValueError: Cannot convert <neutron_lib.constants.Sentinel object at 0x7fa53cc42b00> to primitive
ERROR neutron.pecan_wsgi.hooks.translation Traceback (most recent call last):
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/pecan/core.py", line 681, in __call__
ERROR neutron.pecan_wsgi.hooks.translation controller, args, kwargs = self.find_controller(state)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/pecan/core.py", line 859, in find_controller
ERROR neutron.pecan_wsgi.hooks.translation controller, args, kw = super(Pecan, self).find_controller(_state)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/pecan/core.py", line 549, in find_controller
ERROR neutron.pecan_wsgi.hooks.translation self.handle_hooks(self.determine_hooks(controller), 'before', state)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/pecan/core.py", line 866, in handle_hooks
ERROR neutron.pecan_wsgi.hooks.translation return super(Pecan, self).handle_hooks(hooks, *args, **kw)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/pecan/core.py", line 331, in handle_hooks
ERROR neutron.pecan_wsgi.hooks.translation result = getattr(hook, hook_type)(*args)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/neutron/neutron/pecan_wsgi/hooks/policy_enforcement.py", line 133, in before
ERROR neutron.pecan_wsgi.hooks.translation policy.enforce(
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/neutron/neutron/policy.py", line 525, in enforce
ERROR neutron.pecan_wsgi.hooks.translation result = _ENFORCER.enforce(rule, target, context, action=action,
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/oslo_policy/policy.py", line 1054, in enforce
ERROR neutron.pecan_wsgi.hooks.translation result = _checks._check(
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/oslo_policy/_checks.py", line 80, in _check
ERROR neutron.pecan_wsgi.hooks.translation return rule(*rule_args)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/oslo_policy/_checks.py", line 178, in __call__
ERROR neutron.pecan_wsgi.hooks.translation if not _check(rule, target, cred, enforcer, current_rule):
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/oslo_policy/_checks.py", line 80, in _check
ERROR neutron.pecan_wsgi.hooks.translation return rule(*rule_args)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/oslo_policy/_checks.py", line 178, in __call__
ERROR neutron.pecan_wsgi.hooks.translation if not _check(rule, target, cred, enforcer, current_rule):
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/oslo_policy/_checks.py", line 80, in _check
ERROR neutron.pecan_wsgi.hooks.translation return rule(*rule_args)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/oslo_policy/_checks.py", line 257, in __call__
ERROR neutron.pecan_wsgi.hooks.translation return _check(
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/oslo_policy/_checks.py", line 80, in _check
ERROR neutron.pecan_wsgi.hooks.translation return rule(*rule_args)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/oslo_policy/_external.py", line 37, in __call__
ERROR neutron.pecan_wsgi.hooks.translation data, json = self._construct_payload(creds, current_rule,
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/oslo_policy/_external.py", line 58, in _construct_payload
ERROR neutron.pecan_wsgi.hooks.translation 'target': jsonutils.dumps(temp_target),
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/oslo_serialization/jsonutils.py", line 198, in dumps
ERROR neutron.pecan_wsgi.hooks.translation return json.dumps(obj, default=default, **kwargs)
ERROR neutron.pecan_wsgi.hooks.translation File "/usr/lib/python3.10/json/__init__.py", line 238, in dumps
ERROR neutron.pecan_wsgi.hooks.translation **kw).encode(obj)
ERROR neutron.pecan_wsgi.hooks.translation File "/usr/lib/python3.10/json/encoder.py", line 199, in encode
ERROR neutron.pecan_wsgi.hooks.translation chunks = self.iterencode(o, _one_shot=True)
ERROR neutron.pecan_wsgi.hooks.translation File "/usr/lib/python3.10/json/encoder.py", line 257, in iterencode
ERROR neutron.pecan_wsgi.hooks.translation return _iterencode(o, 0)
ERROR neutron.pecan_wsgi.hooks.translation File "/opt/stack/data/venv/lib/python3.10/site-packages/oslo_serialization/jsonutils.py", line 176, in to_primitive
ERROR neutron.pecan_wsgi.hooks.translation raise ValueError("Cannot convert %r to primitive" % (value,))
ERROR neutron.pecan_wsgi.hooks.translation ValueError: Cannot convert <neutron_lib.constants.Sentinel object at 0x7fa53cc42b00> to primitive
ERROR neutron.pecan_wsgi.hooks.translation
DEBUG neutron.pecan_wsgi.hooks.notifier [None req-5bb52e89-30d6-4850-a3cd-305ab0acb663 demo admin] No notification will be sent due to unsuccessful status code: 500 {{(pid=997437) after /opt/stack/neutron/neutron/pecan_wsgi/hooks/notifier.py:78}}
INFO neutron.wsgi [None req-5bb52e89-30d6-4850-a3cd-305ab0acb663 demo admin] 192.168.1.130 "POST /networking/v2.0/ports HTTP/1.1" status: 500 len: 368 time: 0.0521467

```
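
An added example (not code from neutron, oslo.policy or this report) that reproduces the serialization failure both tracebacks end in and reports which fields of a policy target cannot be sent to a remote enforcer. The `Sentinel` class is a constructed stand-in for `neutron_lib.constants.Sentinel`, and the `fixed_ips` and `device_id` entries in the sample target are assumed for illustration.

```python
import json

class Sentinel:
    """Constructed stand-in for neutron_lib.constants.Sentinel (opaque marker)."""

ATTR_NOT_SPECIFIED = Sentinel()

def serializes(value):
    """True if json.dumps() accepts the value, which a remote HTTP check needs."""
    try:
        json.dumps(value)
        return True
    except (TypeError, ValueError):
        return False

def unserializable_paths(value, path="target"):
    """Return the path of every nested value that json.dumps() would reject."""
    if isinstance(value, dict):
        return [p for k, v in value.items()
                for p in unserializable_paths(v, f"{path}.{k}")]
    if isinstance(value, (list, tuple)):
        return [p for i, v in enumerate(value)
                for p in unserializable_paths(v, f"{path}[{i}]")]
    if value is None or isinstance(value, (str, int, float, bool)):
        return []
    return [f"{path} ({type(value).__name__})"]

def drop_unspecified(value):
    """Copy the target without marker-valued attributes (assumes the remote
    policy treats an absent attribute the same as an unset one)."""
    if isinstance(value, dict):
        return {k: drop_unspecified(v) for k, v in value.items()
                if not isinstance(v, Sentinel)}
    if isinstance(value, (list, tuple)):
        return [drop_unspecified(v) for v in value if not isinstance(v, Sentinel)]
    return value

# Constructed target: request body values from the log plus assumed unset fields.
SAMPLE_TARGET = {
    "name": "port4", "admin_state_up": True,
    "allowed_address_pairs": [
        {"ip_address": "192.168.4.65", "mac_address": "fa:16:3e:60:10:da"}],
    "fixed_ips": ATTR_NOT_SPECIFIED,   # assumed for illustration
    "device_id": ATTR_NOT_SPECIFIED,   # assumed for illustration
}

if __name__ == "__main__":
    print(serializes(SAMPLE_TARGET), unserializable_paths(SAMPLE_TARGET))
    print(json.dumps(drop_unspecified(SAMPLE_TARGET), sort_keys=True))
```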

Oleg Bondarev (obondarev) wrote :

Hi, looks like some formatting issue in your policy json. Does it work without adding a rule for allowed_address_pairs? Which doc did you follow for a remote policy enforcer? Please paste your entire policy.json

Changed in neutron:
status: New → Incomplete
Changed in neutron:
assignee: nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

Hello Rico:

Please check https://docs.openstack.org/security-guide/identity/policies.html. This kind of remote policy enforcer is not allowed in the Neutron policies. You can use a rule defined in neutron.conf.policies.base or create your own following the examples you have in the code (filter by user, by field, etc).

Regards.

Changed in neutron:
status: Incomplete → Invalid