Misc RBAC fixes

Bug #1721609 reported by Suresh Vinapamula
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
Juniper Openstack | Status tracked in Trunk | | |
R3.2 | Fix Committed | High | Suresh Vinapamula |
R4.0 | Fix Committed | High | Suresh Vinapamula |
R4.1 | Fix Committed | High | Suresh Vinapamula |
Trunk | Fix Committed | High | Suresh Vinapamula |

Bug Description

More information in the error-msg.
Owner is taken from project for domain children.
Other fixes.

Tags: config rbac
Changed in juniperopenstack:
assignee: nobody → Suresh Vinapamula (sureshk)
Senthilnathan Murugappan (msenthil) wrote :

Issues being tracked are:
1) Unable to delete a user created Service-Template.
2) UUID field being matched against in rbac rule processing. vnc_api sends uuid field too in its body and we seem to check for a rule match of UUID field.
3) 403 exception not raised correctly
4) When a subfield doesn't match we need to go through field rule match

tags: added: config rbac
Jeba Paulaiyan (jebap) wrote :

#1, #3, #4 are regressions and must be fixed for R3.2

Jeba Paulaiyan (jebap) wrote :

#1, #3, #4 are regressions and must be fixed for R4.0, R4.1, master also

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/36310
Submitter: Suresh Vinapamula (<email address hidden>)

Suresh Vinapamula (sureshk) wrote :

Jeba,

Could you point me to the build in which 1, 3 worked? Just want to correct 4: with subfield rules configured and no matching fields to subject to subfield rules, the generic rule has to be matched. This is new functionality, where we are adding sub field rules; not sure how it is a regression?

OpenContrail Admin (ci-admin-f) wrote :

Review in progress for https://review.opencontrail.org/36310
Submitter: Suresh Vinapamula (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/36310
Committed: http://github.com/Juniper/contrail-controller/commit/9fea55cb80be252d555cdfa4de103f08d1b5a4e9
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit 9fea55cb80be252d555cdfa4de103f08d1b5a4e9
Author: Suresh Venkata <email address hidden>
Date: Thu Oct 5 16:37:15 2017 -0700

Multiple RBAC fixes

Description:
1) Domain children objects, should have owner as tenant from env
in which it is created.
2) More descriptive error messages. More changes are needed in neutron
plugin code to relay the error message from api-server to neutron
client. It will come as another patch. So, it is partial bug.
3) Missing exception handling code.
4) Sub field rules configured but no sub fields in the request
should be subjected to generic rule match.
5) Latency issue for floating IP list from neutron.
6) Error in dbe resync when perms2 owner is missing.
7) uuid and fq_name fields are filtered from subjecting to rbac rules.

Change-Id: Id0cb9ce3a413cd233e18ce2c42c5e18a83ae8dd5
Partial-Bug: #1721609
Closes-Bug: #1718972
Closes-Bug: #1721620

OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/36371
Submitter: Suresh Vinapamula (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/36371
Committed: http://github.com/Juniper/contrail-neutron-plugin/commit/f75c5954e71a284b92fa8c96b5e8a30f119ce704
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit f75c5954e71a284b92fa8c96b5e8a30f119ce704
Author: Suresh Venkata <email address hidden>
Date: Mon Oct 9 19:38:33 2017 -0700

Log api-server exception details in neutron

Description: Neutron doesn't seem to return strings posted
by api-server to the user. So logging the exception details
in neutron logs. Previous commit was partial.

Change-Id: I912acf65155259a771ef5c14535186587a959afd
Closes-Bug: #1721609

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.1

Review in progress for https://review.opencontrail.org/36651
Submitter: Suresh Vinapamula (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/36652
Submitter: Suresh Vinapamula (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/36653
Submitter: Suresh Vinapamula (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.1

Review in progress for https://review.opencontrail.org/36651
Submitter: Suresh Vinapamula (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/36653
Submitter: Suresh Vinapamula (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/36652
Submitter: Suresh Vinapamula (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/36653
Committed: http://github.com/Juniper/contrail-controller/commit/0dd85fc5fe443621fbd697a3d7d234e35ad6a6c0
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit 0dd85fc5fe443621fbd697a3d7d234e35ad6a6c0
Author: Suresh Venkata <email address hidden>
Date: Wed Oct 18 23:48:29 2017 -0700

misc fixes in RBAC, descriptive exception messages and floatingip-list latency

Description for 1723278: Forcing is_shared and perms2.global_access to be
consistent on restart of api-server.

Description for 1721609:
1) Domain children objects, should have owner as tenant from env
in which it is created.
2) More descriptive error messages. More changes are needed in neutron
plugin code to relay the error message from api-server to neutron
client.
3) Missing exception handling code.
4) Latency issue for floating IP list from neutron.
5) uuid and fq_name fields are filtered from subjecting to rbac rules.
and its unit test.

Description for 1719040 and 1702321:
Rules configured against multiple access-lists
at domain global-system-config or project are not aggregated.
This will aggregate rules.
rbac rule aggregation not working correctly

Description of 1718972:
fip_objs are returned empty, return empty list.

Change-Id: I21ba51c155d746b634edfc3533c4aba3c0c2442e
Closes-Bug: #1702321
Closes-Bug: #1719040
Closes-Bug: #1721609
Closes-Bug: #1723278
Closes-Bug: #1718972
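
The matching behaviour these commit messages describe (rules aggregated across access lists, uuid and fq_name kept out of rule matching, fallback to the generic rule when no field rule applies, 403 on denial), as an added Python example that is not contrail-controller code. The rule tuple layout, the names `aggregate`, `check` and `status_of`, the `skip` parameter and the sample rules are assumptions made for illustration.

```python
IDENTITY_FIELDS = frozenset({"uuid", "fq_name"})  # always present in a vnc_api body

class PermissionDenied(Exception):
    status = 403  # HTTP code the API server should answer with

def aggregate(*access_lists):
    """Union the rules of every access list (global, domain, project) instead of
    letting one list shadow the others. Rule tuple: (object, field, role, crud)."""
    merged = {}
    for rules in access_lists:
        for obj, field, role, crud in rules:
            perms = merged.setdefault((obj, field), {})
            perms[role] = "".join(sorted(set(perms.get(role, "")) | set(crud)))
    return merged

def check(rules, obj, body, roles, op, skip=IDENTITY_FIELDS):
    """Return True if `roles` may perform `op` (one of C, R, U, D) on every field
    in `body`; raise PermissionDenied naming the first field that fails."""
    generic = rules.get((obj, "*"), {})
    fields = [f for f in body if f not in skip] or ["*"]
    for field in fields:
        # A field-specific rule decides when one is configured; otherwise the
        # generic rule does (an assumption of this model).
        perms = rules.get((obj, field), generic)
        if not any(op in perms.get(role, "") for role in roles):
            raise PermissionDenied(
                "%s on %s field '%s' denied for roles %s"
                % (op, obj, field, sorted(roles)))
    return True

def status_of(rules, obj, body, roles, op, **kw):
    """HTTP-style outcome: 200 when allowed, 403 when denied."""
    try:
        check(rules, obj, body, roles, op, **kw)
        return 200
    except PermissionDenied as exc:
        return exc.status

# Constructed sample rules, one list per scope.
GLOBAL = [("virtual-network", "*", "admin", "CRUD")]
DOMAIN = [("virtual-network", "*", "member", "R"),
          ("service-template", "display_name", "member", "U")]
PROJECT = [("virtual-network", "*", "member", "U"),
           ("virtual-network", "network_policy_refs", "member", "R")]
RULES = aggregate(GLOBAL, DOMAIN, PROJECT)
```

Passing `skip=frozenset()` reproduces the reported behaviour in which the uuid field itself is matched against the rules, so an update that only a field rule permits is rejected.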

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.1

Review in progress for https://review.opencontrail.org/36651
Submitter: Suresh Vinapamula (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/36652
Submitter: Suresh Vinapamula (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.1

Review in progress for https://review.opencontrail.org/37004
Submitter: Suresh Vinapamula (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/37005
Submitter: Suresh Vinapamula (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/37006
Submitter: Suresh Vinapamula (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/37006
Committed: http://github.com/Juniper/contrail-neutron-plugin/commit/91b3cba3dabc1012844e796c728fe4fd9d4f922b
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit 91b3cba3dabc1012844e796c728fe4fd9d4f922b
Author: Suresh Venkata <email address hidden>
Date: Mon Oct 30 14:23:20 2017 -0700

Log api-server exception details in neutron

Description: Neutron doesn't seem to return strings posted
by api-server to the user. So logging the exception details
in neutron logs. Previous commit was partial.

Change-Id: I912acf65155259a771ef5c14535186587a959afd
Closes-Bug: #1721609

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.1

Review in progress for https://review.opencontrail.org/36651
Submitter: Suresh Vinapamula (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/36652
Submitter: Suresh Vinapamula (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/36651
Committed: http://github.com/Juniper/contrail-controller/commit/4ec031e2c723a3d20bb01e28b84f86af03142786
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit 4ec031e2c723a3d20bb01e28b84f86af03142786
Author: Suresh Venkata <email address hidden>
Date: Mon Oct 30 11:11:53 2017 -0700

misc fixes in RBAC, descriptive exception messages and floatingip-list latency

Description for 1723278: Forcing is_shared and perms2.global_access to be
consistent on restart of api-server.

Description for 1721609:
1) Domain children objects, should have owner as tenant from env
in which it is created.
2) More descriptive error messages. More changes are needed in neutron
plugin code to relay the error message from api-server to neutron
client.
3) Missing exception handling code.
4) Latency issue for floating IP list from neutron.
5) uuid and fq_name fields are filtered from subjecting to rbac rules.
and its unit test.

Description for 1719040 and 1702321:
Rules configured against multiple access-lists
at domain global-system-config or project are not aggregated.
This will aggregate rules.
rbac rule aggregation not working correctly

Description of 1718972:
fip_objs are returned empty, return empty list.

Change-Id: I21ba51c155d746b634edfc3533c4aba3c0c2442e
Closes-Bug: #1702321
Closes-Bug: #1719040
Closes-Bug: #1721609
Closes-Bug: #1723278
Closes-Bug: #1718972

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/37004
Committed: http://github.com/Juniper/contrail-neutron-plugin/commit/2987f94bbb33d9c154d842b84b6501d66332274e
Submitter: Zuul (<email address hidden>)
Branch: R4.1

commit 2987f94bbb33d9c154d842b84b6501d66332274e
Author: Suresh Venkata <email address hidden>
Date: Mon Oct 30 14:23:20 2017 -0700

Log api-server exception details in neutron

Description: Neutron doesn't seem to return strings posted
by api-server to the user. So logging the exception details
in neutron logs. Previous commit was partial.

Change-Id: I912acf65155259a771ef5c14535186587a959afd
Closes-Bug: #1721609

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/36652
Committed: http://github.com/Juniper/contrail-controller/commit/014a6f86ea6cb2e1248e4ba26a8bf4f43345cb3d
Submitter: Zuul (<email address hidden>)
Branch: master

commit 014a6f86ea6cb2e1248e4ba26a8bf4f43345cb3d
Author: Suresh Venkata <email address hidden>
Date: Mon Oct 30 11:11:53 2017 -0700

misc fixes in RBAC, descriptive exception messages and floatingip-list latency

Description for 1723278: Forcing is_shared and perms2.global_access to be
consistent on restart of api-server.

Description for 1721609:
1) Domain children objects, should have owner as tenant from env
in which it is created.
2) More descriptive error messages. More changes are needed in neutron
plugin code to relay the error message from api-server to neutron
client.
3) Missing exception handling code.
4) Latency issue for floating IP list from neutron.
5) uuid and fq_name fields are filtered from subjecting to rbac rules.
and its unit test.

Description for 1719040 and 1702321:
Rules configured against multiple access-lists
at domain global-system-config or project are not aggregated.
This will aggregate rules.
rbac rule aggregation not working correctly

Description of 1718972:
fip_objs are returned empty, return empty list.

Change-Id: I21ba51c155d746b634edfc3533c4aba3c0c2442e
Closes-Bug: #1702321
Closes-Bug: #1719040
Closes-Bug: #1721609
Closes-Bug: #1723278
Closes-Bug: #1718972

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/37005
Committed: http://github.com/Juniper/contrail-neutron-plugin/commit/35f2af5b2e1b0724da3b19b9f5c9e7900cb5984a
Submitter: Zuul (<email address hidden>)
Branch: master

commit 35f2af5b2e1b0724da3b19b9f5c9e7900cb5984a
Author: Suresh Venkata <email address hidden>
Date: Mon Oct 30 14:23:20 2017 -0700

Log api-server exception details in neutron

Description: Neutron doesn't seem to return strings posted
by api-server to the user. So logging the exception details
in neutron logs. Previous commit was partial.

Change-Id: I912acf65155259a771ef5c14535186587a959afd
Closes-Bug: #1721609

information type: Proprietary → Public