Ceilometer alarm-threshold-update CLI does not support updating the project-id, user-id and time-constraint fields of an alarm, but they are listed as valid options for alarm update.

Bug #1395932 reported by Putta Challa
This bug affects 2 people
Affects: python-ceilometerclient
Status: Fix Released
Importance: Undecided
Assigned to: Jiri Suchomel

Bug Description

ceilometer alarm-threshold-update <alarm-id> --project-id <project-id> --user-id <user-id> --time-constraint <timeconstraint>

ceilometer help alarm-threshold-update
usage: ceilometer alarm-threshold-update [--name <NAME>]
                                         [--project-id <PROJECT_ID>]
                                         [--user-id <USER_ID>]
                                         [--description <DESCRIPTION>]
                                         [--state <STATE>]
                                         [--enabled {True|False}]
                                         [--alarm-action <Webhook URL>]
                                         [--ok-action <Webhook URL>]
                                         [--insufficient-data-action <Webhook URL>]
                                         [--time-constraint <Time Constraint>]
                                         [--remove-time-constraint <Constraint names>]
                                         [-m <METRIC>] [--period <PERIOD>]
                                         [--evaluation-periods <COUNT>]
                                         [--statistic <STATISTIC>]
                                         [--comparison-operator <OPERATOR>]
                                         [--threshold <THRESHOLD>]
                                         [-q <QUERY>]
                                         [--repeat-actions {True|False}]
                                         [<ALARM_ID>]

There are multiple issues with the above CLI.

1) User-provided options are not parsed and updated properly before they are sent to the API call.
2) Even if project-id/user-id/time-constraint are parsed and sent to the alarms.py update() method, the following code will restrict them from making the API call with correct values for project-id/user-id/time-constraint:

UPDATABLE_ATTRIBUTES = [
    'name',
    'description',
    'type',
    'state',
    'enabled',
    'alarm_actions',
    'ok_actions',
    'insufficient_data_actions',
    'repeat_actions',
    'threshold_rule',
    'combination_rule'
]

def update(self, alarm_id, **kwargs):
        self._compat_legacy_alarm_kwargs(kwargs)
        alarm = self.get(alarm_id)
        if alarm is None:
            raise exc.CommandError('Alarm not found: %s' % alarm_id)
        updated = alarm.to_dict()
        updated['time_constraints'] = self._merge_time_constraints(
            updated.get('time_constraints', []), kwargs)
        kwargs = dict((k, v) for k, v in kwargs.items()
                      if k in updated and k in UPDATABLE_ATTRIBUTES)
        utils.merge_nested_dict(updated, kwargs, depth=1)
        return self._update(self._path(alarm_id), updated)

3) I can update the project-id etc. params using curl, but this should be restricted if the CLI's restriction of project-id/user-id/time-constraint update is valid.

curl -i -X PUT -H 'User-Agent: ceilometerclient.openstack.common.apiclient' -H 'Content-Type: application/json' -H 'X-Auth-Token: 7f42382808154545aabfda61779e6b87' -d '{"alarm_actions": [], "ok_actions": [], "name": "alarm1", "state": "insufficient data", "timestamp": "2014-11-20T17:02:21.661879", "enabled": true, "state_timestamp": "2014-11-20T17:02:21.661879", "threshold_rule":
{"meter_name": "image", "evaluation_periods": 1, "period": 60, "statistic": "avg", "threshold": 20.0, "query": [], "comparison_operator": "eq", "exclude_outliers": false}
, "alarm_id": "161b60ed-3e98-42b2-a92e-ffe7a410c78e", "time_constraints": [], "insufficient_data_actions": [], "repeat_actions": false, "user_id": "ea9817c1e4d2468daede7d586de4c8c6", "project_id": "5ffead616e7a494993c692aa11e1a989", "type": "threshold", "description": "test alarm created with project id"}' http://192.168.126.129:8777/v2/alarms/161b60ed-3e98-42b2-a92e-ffe7a410c78e
pchalla@ubuntu:~/devstack$ ceilometer alarm-show 161b60ed-3e98-42b2-a92e-ffe7a410c78e
+---------------------------+--------------------------------------+
| Property                  | Value                                |
+---------------------------+--------------------------------------+
| alarm_actions             | []                                   |
| alarm_id                  | 161b60ed-3e98-42b2-a92e-ffe7a410c78e |
| comparison_operator       | eq                                   |
| description               | test alarm created with project id   |
| enabled                   | True                                 |
| evaluation_periods        | 1                                    |
| exclude_outliers          | False                                |
| insufficient_data_actions | []                                   |
| meter_name                | image                                |
| name                      | alarm1                               |
| ok_actions                | []                                   |
| period                    | 60                                   |
| project_id                | 5ffead616e7a494993c692aa11e1a989     |
| query                     |                                      |
| repeat_actions            | False                                |
| state                     | insufficient data                    |
| statistic                 | avg                                  |
| threshold                 | 20.0                                 |
| type                      | threshold                            |
| user_id                   | ea9817c1e4d2468daede7d586de4c8c6     |
+---------------------------+--------------------------------------+
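
An added example (not part of the bug report and not python-ceilometerclient code) that reproduces the allow-list test from the update() method quoted in the description and shows which requested fields it discards without raising an error. The sample alarm, the `strict_update` helper and the extended allow-list are assumptions made for illustration.

```python
# Added illustration: stand-in for the filter in update() quoted above.
# The alarm dict and the extended allow-list are constructed for this example.
UPDATABLE_ATTRIBUTES = [
    'name', 'description', 'type', 'state', 'enabled', 'alarm_actions',
    'ok_actions', 'insufficient_data_actions', 'repeat_actions',
    'threshold_rule', 'combination_rule',
]


def filter_update(current, requested, allowed=UPDATABLE_ATTRIBUTES):
    """Apply the same test as update(): key is on the alarm and allow-listed."""
    return {k: v for k, v in requested.items() if k in current and k in allowed}


def dropped_fields(current, requested, allowed=UPDATABLE_ATTRIBUTES):
    """Return the requested keys that the filter discards without any error."""
    kept = filter_update(current, requested, allowed)
    return sorted(k for k in requested if k not in kept)


def strict_update(current, requested, allowed=UPDATABLE_ATTRIBUTES):
    """Hypothetical stricter variant: fail loudly instead of ignoring fields."""
    dropped = dropped_fields(current, requested, allowed)
    if dropped:
        raise ValueError('fields not updatable: %s' % ', '.join(dropped))
    merged = dict(current)
    merged.update(requested)
    return merged


# Constructed sample alarm and update request (not values from the report).
ALARM = {'name': 'alarm1', 'description': 'old', 'enabled': True,
         'project_id': 'project-a', 'user_id': 'user-a'}
REQUEST = {'description': 'new', 'project_id': 'project-b', 'user_id': 'user-b'}

# Assumed allow-list extension for comparison; not taken from the merged change.
EXTENDED = UPDATABLE_ATTRIBUTES + ['project_id', 'user_id']

if __name__ == '__main__':
    print('sent to API:', filter_update(ALARM, REQUEST))
    print('silently dropped:', dropped_fields(ALARM, REQUEST))
    print('with extended list:', filter_update(ALARM, REQUEST, EXTENDED))
```

With the default list the caller gets no signal that the ownership fields were ignored, which is the behaviour the report describes; `strict_update` turns that into an explicit error.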

Jeremy Stanley (fungi) wrote :

Was this intentionally marked as a private security vulnerability report? If not, it should be switched to a normal public bug so that the Ceilometer developers will be able to see it.

information type: Private Security → Public
ZhiQiang Fan (aji-zqfan)
Changed in ceilometer:
assignee: nobody → ZhiQiang Fan (aji-zqfan)
affects: ceilometer → python-ceilometerclient
Changed in python-ceilometerclient:
status: New → In Progress
ZhiQiang Fan (aji-zqfan) wrote :

The patch fixing project_id is here: https://review.openstack.org/#/c/139659/

ZhiQiang Fan (aji-zqfan) wrote :

Sorry for the late response. We should discuss this openly, in the bug report or on the dev mailing list.

For now, I have only observed that project_id is wrongly parsed since it is shadowed by AuthPlugin, so I uploaded https://review.openstack.org/139659 to solve this issue.

It seems that even if project_id/user_id can be parsed correctly, alarm.update doesn't accept that field at all, which is wrong since we allow admins to do such a thing by design.

Please assign this bug to yourself if you're willing to fix it yourself. If you need any help, you can contact us on IRC or the mailing list.

Thanks

OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-ceilometerclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/174400

Changed in python-ceilometerclient:
assignee: ZhiQiang Fan (aji-zqfan) → Jiri Suchomel (jsuchome)
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-ceilometerclient (master)

Reviewed: https://review.openstack.org/174400
Committed: https://git.openstack.org/cgit/openstack/python-ceilometerclient/commit/?id=4de6e14357d9ec7940d6f18d9be1c419b5db1550
Submitter: Jenkins
Branch: master

commit 4de6e14357d9ec7940d6f18d9be1c419b5db1550
Author: Jiří Suchomel <email address hidden>
Date: Thu Apr 16 16:04:09 2015 +0200

    Allow changing project-id and user-id by alarm-threshold-update

    Ceilometer alarm-threshold-update should support updating
    project-id and user-id, but the update function was silently
    ignoring changes of these options.

    Change-Id: I33231bff44b90f3c58e5ef1646349b6dc63a3ce7
    Closes-Bug: 1395932

Changed in python-ceilometerclient:
status: In Progress → Fix Committed
Changed in python-ceilometerclient:
milestone: none → 1.3.0
status: Fix Committed → Fix Released