SYMC: [RBAC] Net-list returning network it shouldn't

Bug #1543295 reported by Rudrajit Tapadar
This bug affects 1 person
Affects: OpenContrail | Status: New | Importance: Undecided | Assigned to: Unassigned

Bug Description

This is a single-node contrail setup with 2.21.1-15. In the example below, the owner of the "devnet" network is the service tenant, while the owner of the "demonet1" network is the demo tenant. The devnet network is also marked as "shared", but I am not sure if it is relevant. When I run the net-list command with the --tenant-id option, it works as expected in the admin context. However, in the Member context for the demo tenant and demo user, it always returns the network from the tenant that the user is scoped to. This is incorrect behavior, since the --tenant-id option should return only the network that is owned by the tenant that is passed as an argument. If the user is not supposed to read the tenant's objects according to the RBAC logic, then it should return an empty list.

The behavior is correct and expected when the demo user is made an "admin" in the demo tenant. Please note that by default the demo user has the Member, netadmin and sysadmin roles in the demo tenant.

rudrajit_tapadar@os-cli-02f4:~$ . adminv3
rudrajit_tapadar@os-cli-02f4:~$ openstack project list
+----------------------------------+--------------------+
| ID | Name |
+----------------------------------+--------------------+
| 02802a1544384ac59bb2f1e018529e8f | demo |
| 5dbb22338f9c46388cd50fc2c40cad71 | invisible_to_admin |
| 919b90e909f1439694ddc7671023bc54 | admin |
| df1983beb83c41ff89a03b694e2aae1a | service |
+----------------------------------+--------------------+
rudrajit_tapadar@os-cli-02f4:~$ neutron net-list
+--------------------------------------+-------------------------+----------------------------------------------------+
| id | name | subnets |
+--------------------------------------+-------------------------+----------------------------------------------------+
| b7e60a13-d91a-4bd8-a740-a43a7fc8b981 | fipsnet | |
| 7e3f88de-c753-4b63-9c15-0bf371e8c4e4 | __link_local__ | |
| 0bad6921-86e2-4dfe-adab-f338066b0821 | default-virtual-network | |
| 76765a07-2361-4d76-981f-dbbddef9a1fa | ip-fabric | |
| ef138496-077e-41b4-a342-4eaa34e93860 | devnet | 849761f6-71ac-496b-80d5-2bfddf2ac74d 10.10.10.0/24 |
| 18fad0f4-7aed-468d-9d77-4710aebb8bde | demonet1 | f5e1ce55-dc80-44d9-b33a-b82ab1b52fde 10.10.10.0/24 |
+--------------------------------------+-------------------------+----------------------------------------------------+
rudrajit_tapadar@os-cli-02f4:~$ neutron net-list --tenant-id df1983beb83c41ff89a03b694e2aae1a
+--------------------------------------+--------+----------------------------------------------------+
| id | name | subnets |
+--------------------------------------+--------+----------------------------------------------------+
| ef138496-077e-41b4-a342-4eaa34e93860 | devnet | 849761f6-71ac-496b-80d5-2bfddf2ac74d 10.10.10.0/24 |
+--------------------------------------+--------+----------------------------------------------------+
rudrajit_tapadar@os-cli-02f4:~$ neutron net-list --tenant-id 02802a1544384ac59bb2f1e018529e8f
+--------------------------------------+----------+----------------------------------------------------+
| id | name | subnets |
+--------------------------------------+----------+----------------------------------------------------+
| 18fad0f4-7aed-468d-9d77-4710aebb8bde | demonet1 | f5e1ce55-dc80-44d9-b33a-b82ab1b52fde 10.10.10.0/24 |
+--------------------------------------+----------+----------------------------------------------------+
rudrajit_tapadar@os-cli-02f4:~$ . unset
rudrajit_tapadar@os-cli-02f4:~$ . demov3
rudrajit_tapadar@os-cli-02f4:~$ neutron net-list --tenant-id 02802a1544384ac59bb2f1e018529e8f
+--------------------------------------+----------+----------------------------------------------------+
| id | name | subnets |
+--------------------------------------+----------+----------------------------------------------------+
| 18fad0f4-7aed-468d-9d77-4710aebb8bde | demonet1 | f5e1ce55-dc80-44d9-b33a-b82ab1b52fde 10.10.10.0/24 |
+--------------------------------------+----------+----------------------------------------------------+
rudrajit_tapadar@os-cli-02f4:~$ neutron net-list --tenant-id df1983beb83c41ff89a03b694e2aae1a
+--------------------------------------+----------+----------------------------------------------------+
| id | name | subnets |
+--------------------------------------+----------+----------------------------------------------------+
| 18fad0f4-7aed-468d-9d77-4710aebb8bde | demonet1 | f5e1ce55-dc80-44d9-b33a-b82ab1b52fde 10.10.10.0/24 |
+--------------------------------------+----------+----------------------------------------------------+
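A small model of the semantics the report expects from net-list --tenant-id, added here as an example; it is not the reporter's code nor OpenContrail's. The owner/shared/admin visibility rule is an assumption, and the network set is constructed from the listing above.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple

# Tenant IDs taken from the `openstack project list` output in the report.
ADMIN = "919b90e909f1439694ddc7671023bc54"
DEMO = "02802a1544384ac59bb2f1e018529e8f"
SERVICE = "df1983beb83c41ff89a03b694e2aae1a"


@dataclass(frozen=True)
class Network:
    name: str
    tenant_id: str      # owner project
    shared: bool = False


@dataclass(frozen=True)
class Requester:
    tenant_id: str      # project the token is scoped to
    roles: FrozenSet[str]


# Constructed from the listing above: devnet is owned by service and shared,
# demonet1 is owned by demo. The Contrail-internal networks are omitted.
NETWORKS = [Network("devnet", SERVICE, shared=True), Network("demonet1", DEMO)]


def can_read(req: Requester, net: Network) -> bool:
    """Assumed visibility rule: admin reads everything; anyone else reads
    networks owned by their own tenant and networks marked shared."""
    return "admin" in req.roles or net.tenant_id == req.tenant_id or net.shared


def net_list(req: Requester, networks: Sequence[Network],
             tenant_id: Optional[str] = None) -> List[str]:
    """Semantics the report expects from `net-list --tenant-id`: the filter is
    matched against each network's *owner*, then RBAC removes what the
    requester may not read, so the result can legitimately be empty."""
    candidates = [n for n in networks if tenant_id is None or n.tenant_id == tenant_id]
    return [n.name for n in candidates if can_read(req, n)]


def tenant_filter_violations(rows: Sequence[Tuple[str, str]], tenant_id: str) -> List[str]:
    """Check for the misbehaviour in the report: given (name, owner_tenant) rows
    returned for `--tenant-id tenant_id`, list the rows owned by any other
    tenant. A correct implementation always yields an empty list here."""
    return [name for name, owner in rows if owner != tenant_id]
```

tenant_filter_violations can be fed rows parsed from a real listing; any non-empty result reproduces the misbehaviour described above.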

Hampapur Ajay (hajay) wrote :

Could you repeat the commands above with neutron --debug net-list, with debug=True and verbose=True in /etc/neutron/neutron.conf, and include the output of /var/log/neutron/server.log for the specific get_network() API? The log will print the API request and its corresponding response.

Also, does removing 'shared' on demonet1 make no network appear for the demo user in the demo project?

Rudrajit Tapadar (rtapadar) wrote :

Attaching server.log for the command that is misbehaving.

I removed the shared flag from the network, and the behavior didn't change.
