filters broken for rbac policy retrieval

Bug #1517818 reported by zhaobo
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
neutron | Fix Released | High | Kevin Benton |
python-neutronclient | Fix Released | High | Kevin Benton |
Liberty | Fix Released | High | Unassigned |

Bug Description

I leave a policy in rbac. This policy is created by the admin user. I keep using the same user. Now I can run neutron rbac-update [any values], and it will return an error.

repro
--------------
neutron rbac-list
+--------------------------------------+--------------------------------------+
| id | object_id |
+--------------------------------------+--------------------------------------+
| d14a977d-c19f-4bf5-abe1-d5820456385e | a80d09eb-9ef2-47a4-baac-90133894366a |
+--------------------------------------+--------------------------------------+

neutron rbac-update 2222222
---------------------------------------------------------------------------------
Conflict: RBAC policy on object a80d09eb-9ef2-47a4-baac-90133894366a cannot be removed because other objects depend on it.
Details: Callback neutron.plugins.ml2.plugin.Ml2Plugin.validate_network_rbac_policy_change failed with "Unable to reconfigure sharing settings for network a80d09eb-9ef2-47a4-baac-90133894366a. Multiple tenants are using it."

log
---------------
2015-11-19 10:05:43.024 ERROR neutron.callbacks.manager [req-99ef207b-7422-4bb7-a257-4c7ee00ee114 admin 5d73438ed76a4399b8d2996a699146c5] Error during notification for neutron.plugins.ml2.plugin.Ml2Plugin.validate_network_rbac_policy_change rbac-policy, before_update
2015-11-19 10:05:43.024 TRACE neutron.callbacks.manager Traceback (most recent call last):
2015-11-19 10:05:43.024 TRACE neutron.callbacks.manager File "/opt/stack/neutron/neutron/callbacks/manager.py", line 141, in _notify_loop
2015-11-19 10:05:43.024 TRACE neutron.callbacks.manager callback(resource, event, trigger, **kwargs)
2015-11-19 10:05:43.024 TRACE neutron.callbacks.manager File "/opt/stack/neutron/neutron/db/db_base_plugin_v2.py", line 142, in validate_network_rbac_policy_change
2015-11-19 10:05:43.024 TRACE neutron.callbacks.manager tenant_to_check = None
2015-11-19 10:05:43.024 TRACE neutron.callbacks.manager File "/opt/stack/neutron/neutron/db/db_base_plugin_v2.py", line 190, in ensure_no_tenant_ports_on_network
2015-11-19 10:05:43.024 TRACE neutron.callbacks.manager raise n_exc.InvalidSharedSetting(network=network_id)
2015-11-19 10:05:43.024 TRACE neutron.callbacks.manager InvalidSharedSetting: Unable to reconfigure sharing settings for network a80d09eb-9ef2-47a4-baac-90133894366a. Multiple tenants are using it.
2015-11-19 10:05:43.024 TRACE neutron.callbacks.manager

zhaobo (zhaobo6)
Changed in neutron:
assignee: nobody → zhaobo (zhaobo6)
Gary Kotton (garyk)
tags: added: api rbac
Kevin Benton (kevinbenton) wrote :

This is a combination of bugs. Neutronclient is trying to look up using the 'name' field, which doesn't exist on policies. But even if it were using the correct 'id' field, filtering is broken for UnionModels, which RBAC depends on.
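
The failure mode described in the comment above, as an added example that is not neutronclient or Neutron code: a toy server that drops filters on fields the model lacks, and a toy client that falls back from 'id' to 'name'. The names `list_policies`, `resolve_policy`, `allow_names`, `strict` and `UnknownFilter` are hypothetical, and the strict mode is an extra hardening assumption rather than the merged fix.

```python
# Constructed sample data: the single policy from the report's rbac-list output.
POLICIES = [{"id": "d14a977d-c19f-4bf5-abe1-d5820456385e",
             "object_id": "a80d09eb-9ef2-47a4-baac-90133894366a"}]
FIELDS = {"id", "object_id"}  # RBAC policies have no 'name' field


class UnknownFilter(ValueError):
    """Raised by the strict server when a filter names a missing field."""


def list_policies(filters, strict=False):
    """Toy list call (hypothetical; not Neutron's API code).

    strict=False: a filter on an unknown field is dropped, so the query
    matches every row. strict=True: such a filter is rejected instead.
    """
    rows = POLICIES
    for field, value in filters.items():
        if field not in FIELDS:
            if strict:
                raise UnknownFilter(field)
            continue  # filter silently ignored: the dangerous case
        rows = [r for r in rows if r[field] == value]
    return rows


def resolve_policy(name_or_id, allow_names, strict=False):
    """Toy client lookup: try 'id', then optionally fall back to 'name'."""
    matches = list_policies({"id": name_or_id}, strict)
    if not matches and allow_names:
        matches = list_policies({"name": name_or_id}, strict)
    if len(matches) != 1:
        raise LookupError(f"no unique RBAC policy for {name_or_id!r}")
    return matches[0]["id"]


if __name__ == "__main__":
    # With one policy in the system, any input resolves to that policy.
    print(resolve_policy("2222222", allow_names=True))
    # With the name fallback disabled, the bogus input is rejected.
    try:
        resolve_policy("2222222", allow_names=False)
    except LookupError as exc:
        print("rejected:", exc)
```
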

OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-neutronclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/248025

Changed in python-neutronclient:
assignee: nobody → Kevin Benton (kevinbenton)
status: New → In Progress
tags: added: access-control
removed: rbac
Gary Kotton (garyk)
tags: added: rbac
Gary Kotton (garyk)
tags: removed: rbac
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-neutronclient (master)

Reviewed: https://review.openstack.org/248025
Committed: https://git.openstack.org/cgit/openstack/python-neutronclient/commit/?id=529d3f5a3c8d71df23d795275f01ec4a4aca994b
Submitter: Jenkins
Branch: master

commit 529d3f5a3c8d71df23d795275f01ec4a4aca994b
Author: Kevin Benton <email address hidden>
Date: Thu Nov 19 21:27:05 2015 -0800

    Do not allow name lookups on RBAC policies

    RBAC policies have no name field so the name query to
    the server was always returning all entries since the
    name filter was ignored.

    This corrects the behavior by disabling the name lookup
    for RBAC policies.

    Change-Id: I6c5afa05cefb1709e9667a1aaf20105c707dc95c
    Closes-Bug: #1517818

Changed in python-neutronclient:
status: In Progress → Fix Committed
Changed in neutron:
assignee: zhaobo (zhaobo6) → Kevin Benton (kevinbenton)
status: New → In Progress
summary: - update rbac policy with any input when there is only 1 policy in system
+ filters broken for rbac policy retrieval
Changed in neutron:
importance: Undecided → High
Changed in python-neutronclient:
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/250124

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/248024
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=35beca53277d187af0ade05466e81699c6575b07
Submitter: Jenkins
Branch: master

commit 35beca53277d187af0ade05466e81699c6575b07
Author: Kevin Benton <email address hidden>
Date: Thu Nov 19 21:16:42 2015 -0800

    Add UnionModel support to filter query generator

    The _apply_filters_to_query method did not handle UnionModels
    so objects leveraging it (i.e. RBAC policies) did not have
    queries applied to them.

    This patch corrects it by iterating through the component models
    of the UnionModel and applying the filters to each component model.
    It also adds an API test on RBAC that exercises the filtering.

    Change-Id: I449acf359dd61189bbdacd200d7c41a4a88d3de8
    Closes-Bug: #1517818

Changed in neutron:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/liberty)

Reviewed: https://review.openstack.org/250124
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=8c09277728ab52c0733aaac8e0255e0240b460e7
Submitter: Jenkins
Branch: stable/liberty

commit 8c09277728ab52c0733aaac8e0255e0240b460e7
Author: Kevin Benton <email address hidden>
Date: Thu Nov 19 21:16:42 2015 -0800

    Add UnionModel support to filter query generator

    The _apply_filters_to_query method did not handle UnionModels
    so objects leveraging it (i.e. RBAC policies) did not have
    queries applied to them.

    This patch corrects it by iterating through the component models
    of the UnionModel and applying the filters to each component model.
    It also adds an API test on RBAC that exercises the filtering.

    Change-Id: I449acf359dd61189bbdacd200d7c41a4a88d3de8
    Closes-Bug: #1517818
    (cherry-picked from 35beca53277d187af0ade05466e81699c6575b07)

tags: added: in-stable-liberty
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-neutronclient (stable/liberty)

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/252539

Akihiro Motoki (amotoki)
Changed in python-neutronclient:
milestone: none → 4.0.0
Thierry Carrez (ttx) wrote : Fix included in openstack/neutron 8.0.0.0b1

This issue was fixed in the openstack/neutron 8.0.0.0b1 development milestone.

Changed in neutron:
status: Fix Committed → Fix Released
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/neutron 7.0.1

This issue was fixed in the openstack/neutron 7.0.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to python-neutronclient (stable/liberty)

Reviewed: https://review.openstack.org/252539
Committed: https://git.openstack.org/cgit/openstack/python-neutronclient/commit/?id=67d1b49ef22d88e1c052a1b9170bc0b5492ab22d
Submitter: Jenkins
Branch: stable/liberty

commit 67d1b49ef22d88e1c052a1b9170bc0b5492ab22d
Author: Kevin Benton <email address hidden>
Date: Thu Nov 19 21:27:05 2015 -0800

    Do not allow name lookups on RBAC policies

    RBAC policies have no name field so the name query to
    the server was always returning all entries since the
    name filter was ignored.

    This corrects the behavior by disabling the name lookup
    for RBAC policies.

    Change-Id: I6c5afa05cefb1709e9667a1aaf20105c707dc95c
    Closes-Bug: #1517818
    (cherry picked from commit 529d3f5a3c8d71df23d795275f01ec4a4aca994b)

Akihiro Motoki (amotoki)
Changed in python-neutronclient:
status: Fix Committed → Fix Released
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/python-neutronclient 4.0.0

This issue was fixed in the openstack/python-neutronclient 4.0.0 release.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/python-neutronclient 3.1.1

This issue was fixed in the openstack/python-neutronclient 3.1.1 release.

OpenStack Infra (hudson-openstack) wrote :

This issue was fixed in the openstack/python-neutronclient 3.1.1 release.
