Backport fixes for Rename Network return 403 Error

Bug #1666827 reported by Frode Nordahl on 2017-02-22
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Dashboard (Horizon)
High
Unassigned
Ubuntu Cloud Archive
High
Unassigned
Mitaka
High
Unassigned
horizon (Ubuntu)
High
Unassigned
Xenial
High
Unassigned
Yakkety
High
Unassigned

Bug Description

[Impact]
Non-admin users are not allowed to change the name of a network using the OpenStack Dashboard GUI

[Test Case]
1. Deploy trusty-mitaka or xenial-mitaka OpenStack Cloud
2. Create demo project
3. Create demo user
4. Log into OpenStack Dashboard using demo user
5. Go to Project -> Network and create a network
6. Go to Project -> Network and Edit the just created network
7. Change the name and click Save
8. Observe that your request is denied with an error message

[Regression Potential]
Minimal.

We are adding a patch already merged into upstream stable/mitaka for the horizon call to policy_check before sending request to Neutron when updating networks.

The addition of rule "update_network:shared" to horizon's copy of Neutron policy.json is our own due to upstream not willing to back-port this required change. This rule is not referenced anywhere else in the code base so it will not affect other policy_check calls.

Upstream bug: https://bugs.launchpad.net/horizon/+bug/1609467

Frode Nordahl (fnordahl) on 2017-02-22
tags: added: sts
description: updated
Frode Nordahl (fnordahl) on 2017-02-22
tags: added: openstack sts-sponsor
Frode Nordahl (fnordahl) wrote :

For the record, this bug is already fixed in Yakkety and Zesty. It is also already fixed in xenial-newton UCA.

Louis Bouchard (louis) on 2017-02-22
Changed in horizon (Ubuntu Yakkety):
status: New → Fix Released
Changed in horizon (Ubuntu Trusty):
status: New → Triaged
Changed in horizon (Ubuntu Xenial):
status: New → Triaged

The attachment "horizon-trusty-mitaka.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Changed in horizon (Ubuntu):
importance: Undecided → High
Changed in horizon (Ubuntu Trusty):
importance: Undecided → High
Changed in horizon (Ubuntu Xenial):
importance: Undecided → High
Changed in horizon (Ubuntu Yakkety):
importance: Undecided → High
Frode Nordahl (fnordahl) wrote :

FWIW, I just got the other patch landed upstream as well. So this bug might also be resolved by refreshing the Ubuntu horizon package from upstream stable/mitaka.

I do not know what will happen first, so leaving this open.

Corey Bryant (corey.bryant) wrote :

Thanks Frode. These patches seem reasonable for mitaka. 3dea56b7155237ac1323f6dfc6d4cb13981157f6 "Do not send shared param when not allowed" is in the 9.1.1 release that zul has in the mitaka review queue[0] right now. I've asked him if he can include your other patch as well.

[0] https://launchpad.net/ubuntu/xenial/+queue?queue_state=1&queue_text=

Corey Bryant (corey.bryant) wrote :

Does this still need to be targeted at trusty/icehouse?

Changed in cloud-archive:
status: New → Fix Released
importance: Undecided → High
Chuck Short (zulcss) wrote :

Theses patches made it into the stable/mitaka upload that I did yesterday.

-- chuck

Corey Bryant (corey.bryant) wrote :

Are you sure Chuck? I don't think d/p/fix-dashboard-change-network-name-policy.patch is upstream in stable/mitaka.

Frode Nordahl (fnordahl) wrote :

I had a look at the proposed pkg and it does not include the d/p/fix-dashboard-change-network-name-policy.patch. It has been accepted in upstream stable/mitaka but I guess it did not make it into the 9.1.1 stable release.

Added a updated patch to this bugreport which can be included directly with Chuck's proposed package.

You are right about that this bug is not relevant for Trusty/Icehouse. Updated accordingly.

Changed in horizon (Ubuntu Trusty):
status: Triaged → Invalid
Frode Nordahl (fnordahl) wrote :
Frode Nordahl (fnordahl) on 2017-03-10
Changed in horizon:
status: New → Fix Released
Frode Nordahl (fnordahl) wrote :

Added new debdiff towards Chucks proposed 9.1.1 deb.

Patch is in stable/mitaka but did not make it into the 9.1.1 tarball.

Frode Nordahl (fnordahl) wrote :

Upstream has released 9.1.2 that contains our patches: https://releases.openstack.org/mitaka/index.html#mitaka-horizon

We have decided to skip the SRU and wait for a refresh of our packages from the new upstream release. This should not be too far off.

tags: removed: sts-sponsor
Changed in horizon (Ubuntu Xenial):
status: Triaged → Fix Committed
Changed in horizon (Ubuntu):
status: New → Fix Committed
James Page (james-page) on 2017-03-22
Changed in horizon (Ubuntu Xenial):
status: Fix Committed → New
Changed in horizon (Ubuntu):
status: Fix Committed → Fix Released
Louis Bouchard (louis) on 2017-03-28
tags: added: sts-sru-needed
Changed in horizon:
importance: Undecided → High
milestone: none → pike-1
Michael Terry (mterry) wrote :

Based on comment #14, I'll drop the sponsor subscription, since it sounds like you don't want to SRU this.

James Page (james-page) on 2017-04-19
no longer affects: horizon (Ubuntu Trusty)
Changed in horizon (Ubuntu Xenial):
status: New → Triaged
James Page (james-page) wrote :

9.1.2 is covered under bug 1680098.

I'll leave this bug open until we have 9.1.2 in proposed and confirm that this is resolved.

Edward Hope-Morley (hopem) wrote :

The horizon 2:9.1.2-0ubuntu1~cloud0 point release has been uploaded to the Trusty Mitaka UCA [1] and will be available shortly so closing this bug.

[1] https://bugs.launchpad.net/ubuntu/+source/keystone/+bug/1680098/comments/16

Changed in horizon (Ubuntu Xenial):
status: Triaged → Fix Released
Edward Hope-Morley (hopem) wrote :

And to be clear ^^ is already available in xenial-updates

tags: added: sts-sru-done
removed: sts-sru-needed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers