a tenant cannot list/show/delete its net-assocs resources

Bug #1512789 reported by Mathieu Rohon
Affects: networking-bgpvpn
Status: Fix Released
Importance: High
Assigned to: Mathieu Rohon

Bug Description

After attaching a network to one of its bgpvpns, a tenant cannot access its net-assocs sub-resources:

#neutron bgpvpn-net-assoc-create --network e560b230-646e-4b05-94e4-c96a199d3f45 0a83d793-63e4-42df-a918-1136bd09abf8
Created a new network_association:
+------------+--------------------------------------+
| Field | Value |
+------------+--------------------------------------+
| id | 7c605864-6ffb-4614-9fec-faf4c0d19814 |
| network_id | e560b230-646e-4b05-94e4-c96a199d3f45 |
+------------+--------------------------------------+

#neutron bgpvpn-net-assoc-list 0a83d793-63e4-42df-a918-1136bd09abf8
Failed to check policy tenant_id:%(tenant_id)s because Unable to verify match:%(tenant_id)s as the parent resource: tenant was not found

#neutron bgpvpn-net-assoc-show 7c605864-6ffb-4614-9fec-faf4c0d19814 0a83d793-63e4-42df-a918-1136bd09abf8
Failed to check policy tenant_id:%(tenant_id)s because Unable to verify match:%(tenant_id)s as the parent resource: tenant was not found

Changed in bgpvpn:
importance: Undecided → High
Mathieu Rohon (mathieu-rohon) wrote :

Here is the traceback on the server:

2015-11-03 16:51:57.514 DEBUG keystoneclient.session [-] RESP: [200] content-length: 1711 x-subject-token: {SHA1}036bbd43fff5e692b232b30702d8ff1ae8232dc5 vary: X-Auth-Token keep-alive: timeout=5, max=97 server: Apache/2.4.10 (Debian) connection: Keep-Alive date: Tue, 03 Nov 2015 16:51:57 GMT content-type: application/json x-openstack-request-id: req-54677bf4-79ec-4d2d-8478-3ba97d1a7993
RESP BODY: {"token": {"methods": ["password", "token"], "roles": [{"id": "31b9604410434a92a79368fde8b67b7f", "name": "Member"}, {"id": "3f094719ebbe4bd8849f398e6cb1c7d0", "name": "anotherrole"}], "expires_at": "2015-11-03T17:51:57.000000Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "f1fbaad628984992a2a1c8e1fc5228ba", "name": "demo"}, "catalog": "<removed>", "extras": {}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "0355eb90a60546c6b2d0d729e5d63372", "name": "demo"}, "audit_ids": ["kkpLUAfeS_Kt0QXKidYKLg"], "issued_at": "2015-11-03T16:51:57.240327"}}
 from (pid=4401) _http_log_response /usr/local/lib/python2.7/dist-packages/keystoneclient/session.py:215
2015-11-03 16:51:57.516 DEBUG oslo_policy._cache_handler [req-f513571e-0a87-43c1-8448-73282a58eb75 demo f1fbaad628984992a2a1c8e1fc5228ba] Reloading cached file /etc/neutron/policy.json from (pid=4401) read_cached_file /usr/local/lib/python2.7/dist-packages/oslo_policy/_cache_handler.py:38
2015-11-03 16:51:57.521 DEBUG oslo_policy.policy [req-f513571e-0a87-43c1-8448-73282a58eb75 demo f1fbaad628984992a2a1c8e1fc5228ba] Reloaded policy file: /etc/neutron/policy.json from (pid=4401) _load_policy_file /usr/local/lib/python2.7/dist-packages/oslo_policy/policy.py:441
2015-11-03 16:51:57.526 DEBUG oslo_policy._cache_handler [req-f513571e-0a87-43c1-8448-73282a58eb75 demo f1fbaad628984992a2a1c8e1fc5228ba] Reloading cached file /etc/neutron/policy.d/bgpvpn.conf from (pid=4401) read_cached_file /usr/local/lib/python2.7/dist-packages/oslo_policy/_cache_handler.py:38
2015-11-03 16:51:57.527 DEBUG oslo_policy.policy [req-f513571e-0a87-43c1-8448-73282a58eb75 demo f1fbaad628984992a2a1c8e1fc5228ba] Reloaded policy file: /etc/neutron/policy.d/bgpvpn.conf from (pid=4401) _load_policy_file /usr/local/lib/python2.7/dist-packages/oslo_policy/policy.py:441
2015-11-03 16:51:57.712 DEBUG neutron.policy [req-f513571e-0a87-43c1-8448-73282a58eb75 demo f1fbaad628984992a2a1c8e1fc5228ba] Enforcing rules: ['get_bgpvpn:tenant_id'] from (pid=4401) log_rule_list /opt/stack/neutron/neutron/policy.py:321
2015-11-03 16:51:57.716 INFO neutron.wsgi [req-f513571e-0a87-43c1-8448-73282a58eb75 demo f1fbaad628984992a2a1c8e1fc5228ba] 192.168.122.17 - - [03/Nov/2015 16:51:57] "GET /v2.0/bgpvpn/bgpvpns.json?fields=id&id=0a83d793-63e4-42df-a918-1136bd09abf8 HTTP/1.1" 200 274 0.453268
2015-11-03 16:51:57.746 DEBUG neutron.policy [req-beb825c9-7a6a-4da4-9116-5847ba3d5157 demo f1fbaad628984992a2a1c8e1fc5228ba] Unable to find ':' as separator in tenant_id. from (pid=4401) __call__ /opt/stack/neutron/neutron/policy.py:228
2015-11-03 16:51:57.747 ERROR neutron.policy [req-beb825c9-7a6a-4da4-9116-5847ba3d5157 demo f1fbaad628984992a2a1c8e1fc5228ba] Unable to verify match:%(tenant_id)s as th...

Changed in bgpvpn:
assignee: nobody → Mathieu Rohon (mathieu-rohon)
summary: - a tenant cannot list/show its net-assocs resources
+ a tenant cannot list/show/delete its net-assocs resources
OpenStack Infra (hudson-openstack) wrote : Fix proposed to networking-bgpvpn (master)

Fix proposed to branch: master
Review: https://review.openstack.org/242143

Changed in bgpvpn:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to networking-bgpvpn (master)

Reviewed: https://review.openstack.org/242143
Committed: https://git.openstack.org/cgit/openstack/networking-bgpvpn/commit/?id=83e62935bfea9da42261dbca7ffbdc98d0244b67
Submitter: Jenkins
Branch: master

commit 83e62935bfea9da42261dbca7ffbdc98d0244b67
Author: Mathieu Rohon <email address hidden>
Date: Wed Nov 4 10:36:04 2015 +0000

    Add tenant-id to subresources

    When a tenant accesses a subresource, neutron will check that this
    tenant is allowed to view this subresource, according to the policy.json.
    The plugin must return the tenant_id parameter when a "show/list/delete"
    action is performed, so that the policy framework can check authz.

    This patch also sets the network_id as a mandatory parameter
    in the network_association table.

    Change-Id: I59d2dbb5416b566dc7de3acb4fab3ed2ada8b78e
    Fixes-Bug: #1512789
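
The failure and the fix described in the commit message above, as an added example that is not code from neutron, oslo.policy or networking-bgpvpn: a simplified model of an owner rule evaluated against a sub-resource dict with and without tenant_id. The names owner_check, net_assoc_dict_before, net_assoc_dict_after and authorize are hypothetical, and the row assumes the project ID seen in the log owns the association.

```python
import re

class PolicyCheckFailed(Exception):
    """The rule could not be evaluated at all; the request is refused."""

def owner_check(match, target, creds):
    """Toy owner rule, e.g. 'tenant_id:%(tenant_id)s'.

    Left side: field of the caller's credentials.
    Right side: field of the resource dict returned by the plugin.
    """
    cred_field, pattern = match.split(":", 1)
    target_field = re.fullmatch(r"%\((.+)\)s", pattern).group(1)
    if target_field not in target:
        raise PolicyCheckFailed(
            "cannot verify %s: resource has no %r" % (match, target_field))
    return creds.get(cred_field) == target[target_field]

# Constructed DB row; IDs are the ones shown in the report, and the
# project ID from the log is assumed to be the owner.
ROW = {
    "id": "7c605864-6ffb-4614-9fec-faf4c0d19814",
    "network_id": "e560b230-646e-4b05-94e4-c96a199d3f45",
    "tenant_id": "f1fbaad628984992a2a1c8e1fc5228ba",
}

def net_assoc_dict_before(row):  # hypothetical name
    # Sub-resource returned without its owner.
    return {"id": row["id"], "network_id": row["network_id"]}

def net_assoc_dict_after(row):  # hypothetical name
    # Sub-resource carries tenant_id so the rule has something to compare.
    return dict(net_assoc_dict_before(row), tenant_id=row["tenant_id"])

def authorize(make_dict, tenant_id, rule="tenant_id:%(tenant_id)s"):
    """Return 'allowed', 'denied' or 'error' for a show/list/delete."""
    try:
        ok = owner_check(rule, make_dict(ROW), {"tenant_id": tenant_id})
    except PolicyCheckFailed:
        return "error"
    return "allowed" if ok else "denied"

if __name__ == "__main__":
    owner, other = ROW["tenant_id"], "0" * 32  # 'other' is constructed
    for fn in (net_assoc_dict_before, net_assoc_dict_after):
        print(fn.__name__, authorize(fn, owner), authorize(fn, other))
```

Without tenant_id the check fails closed for every caller, the owner included; with it, the owner is allowed and another tenant is denied.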

Changed in bgpvpn:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to networking-bgpvpn (backport/kilo)

Fix proposed to branch: backport/kilo
Review: https://review.openstack.org/248746

OpenStack Infra (hudson-openstack) wrote : Change abandoned on networking-bgpvpn (backport/kilo)

Change abandoned by Nikolas Hermanns (<email address hidden>) on branch: backport/kilo
Review: https://review.openstack.org/248746

Changed in bgpvpn:
milestone: none → liberty
Changed in bgpvpn:
status: Fix Committed → Fix Released