[2.5] RBAC - Cannot 'release' a machine deployed by another user (or maybe non-RBAC user)

Bug #1808029 reported by Andres Rodriguez
Affects: MAAS
Status: Fix Released
Importance: Critical
Assigned to: Blake Rouse

Bug Description

I'm unable to 'release' a machine that was deployed by another, non-RBAC/Candid user.

What I did was:

1. I had a running MAAS
2. Deployed a machine w/ a KVM host as 'admin' user.
3. I configured MAAS with RBAC, with a 'user1' ('admin' user doesn't exist in RBAC).
4. I assigned 'user1' as the admin role for all scopes.
5. Deleted the pod/KVM host successfully as 'user1'
6. Attempted to release the machine as 'user1', it failed:

2018-12-11 19:52:04 regiond: [info] 10.90.90.4 GET /MAAS/rpc/ HTTP/1.1 --> 200 OK (referrer: -; agent: provisioningserver.rpc.clusterservice.ClusterClientService)

2018-12-11 19:52:12 maasserver.websockets.protocol: [critical] Error on request (278) machine.action: 'view'
 Traceback (most recent call last):
   File "/usr/lib/python3.6/threading.py", line 864, in run
     self._target(*self._args, **self._kwargs)
   File "/usr/lib/python3/dist-packages/provisioningserver/utils/twisted.py", line 852, in worker
     return target()
   File "/usr/lib/python3/dist-packages/twisted/_threads/_threadworker.py", line 46, in work
     task()
   File "/usr/lib/python3/dist-packages/twisted/_threads/_team.py", line 190, in doWork
     task()
 --- <exception caught here> ---
   File "/usr/lib/python3/dist-packages/twisted/python/threadpool.py", line 250, in inContext
     result = inContext.theWork()
   File "/usr/lib/python3/dist-packages/twisted/python/threadpool.py", line 266, in <lambda>
     inContext.theWork = lambda: context.call(ctx, func, *args, **kw)
   File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 122, in callWithContext
     return self.currentContext().callWithContext(ctx, func, *args, **kw)
   File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 85, in callWithContext
     return func(*args,**kw)
   File "/usr/lib/python3/dist-packages/provisioningserver/utils/twisted.py", line 885, in callInContext
     return func(*args, **kwargs)
   File "/usr/lib/python3/dist-packages/provisioningserver/utils/twisted.py", line 234, in wrapper
     result = func(*args, **kwargs)
   File "/usr/lib/python3/dist-packages/maasserver/utils/orm.py", line 756, in call_within_transaction
     return func_outside_txn(*args, **kwargs)
   File "/usr/lib/python3/dist-packages/maasserver/utils/orm.py", line 563, in retrier
     return func(*args, **kwargs)
   File "/usr/lib/python3.6/contextlib.py", line 52, in inner
     return func(*args, **kwds)
   File "/usr/lib/python3/dist-packages/maasserver/websockets/base.py", line 386, in prep_user_execute
     return method(params)
   File "/usr/lib/python3/dist-packages/maasserver/websockets/handlers/machine.py", line 769, in action
     return action.execute(**extra_params)
   File "/usr/lib/python3/dist-packages/maasserver/node_action.py", line 170, in execute
     self._execute(*args, **kwargs)
   File "/usr/lib/python3/dist-packages/maasserver/node_action.py", line 609, in _execute
     secure_erase=secure_erase, quick_erase=quick_erase)
   File "/usr/lib/python3/dist-packages/maasserver/models/node.py", line 3008, in release_or_erase
     self.release(user, comment)
   File "/usr/lib/python3/dist-packages/maasserver/models/node.py", line 2902, in release
     self._release(user)
   File "/usr/lib/python3/dist-packages/maasserver/models/node.py", line 2918, in _release
     stopping = self._stop(self.owner)
   File "/usr/lib/python3/dist-packages/maasserver/utils/orm.py", line 740, in call_within_transaction
     return func_within_txn(*args, **kwargs)
   File "/usr/lib/python3.6/contextlib.py", line 52, in inner
     return func(*args, **kwds)
   File "/usr/lib/python3/dist-packages/maasserver/models/node.py", line 4047, in _stop
     if user is not None and not user.has_perm(NodePermission.edit, self):
   File "/usr/lib/python3/dist-packages/maasserver/models/__init__.py", line 235, in has_perm
     return _user_has_perm(self, perm, obj)
   File "/usr/lib/python3/dist-packages/django/contrib/auth/models.py", line 190, in _user_has_perm
     if backend.has_perm(user, perm, obj):
   File "/usr/lib/python3/dist-packages/maasserver/models/__init__.py", line 356, in has_perm
     'view', 'view-all', 'deploy-machines', 'admin-machines')
   File "/usr/lib/python3/dist-packages/maasserver/rbac.py", line 306, in get_resource_pool_ids
     user, *permissions)
   File "/usr/lib/python3/dist-packages/maasserver/rbac.py", line 351, in _get_resource_pool_identifiers
     identifiers = fetched[permission]
 builtins.KeyError: 'view'

Tags: rbac track
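
Added illustration (not MAAS code and not the fix that was released): the traceback above ends in `fetched[permission]` raising `KeyError: 'view'`, reached through `_stop(self.owner)`, which tests the machine owner's permissions. The sketch assumes the RBAC reply for a user the service does not know is empty; every function name and all sample data are hypothetical.

```python
# Added illustration; all names here are hypothetical, not MAAS's API.
PERMS = ("view", "view-all", "deploy-machines", "admin-machines")

# Constructed RBAC replies: permission -> resource pool ids, per user.
# Assumption: a user the RBAC service does not know gets an empty reply.
RBAC_REPLIES = {
    "user1": {p: {1} for p in PERMS},  # admin role on pool 1
}

def fetch(user):
    return RBAC_REPLIES.get(user, {})

def pools_strict(user, *permissions):
    """Index the reply directly, like the failing frame: KeyError on a gap."""
    fetched = fetch(user)
    return {p: fetched[p] for p in permissions}

def pools_fail_closed(user, *permissions):
    """Treat a permission missing from the reply as granting no pools."""
    fetched = fetch(user)
    return {p: set(fetched.get(p, ())) for p in permissions}

def can_edit(user, pool_id, lookup):
    return pool_id in lookup(user, *PERMS)["admin-machines"]

def release(machine, acting_user, check_as, lookup):
    """Return 'released' or 'denied'; check_as picks whose rights are tested."""
    subject = machine["owner"] if check_as == "owner" else acting_user
    return "released" if can_edit(subject, machine["pool"], lookup) else "denied"

MACHINE = {"owner": "admin", "pool": 1}  # deployed by 'admin' before RBAC

def demo():
    results = {}
    try:
        release(MACHINE, "user1", "owner", pools_strict)
    except KeyError as exc:  # unhandled in the report: surfaces as [critical]
        results["owner+strict"] = "KeyError: %s" % exc
    # Fail-closed lookup, still checking the owner: clean deny, no crash.
    results["owner+fail_closed"] = release(MACHINE, "user1", "owner", pools_fail_closed)
    # Checking the user who requested the action: the RBAC admin succeeds.
    results["actor+fail_closed"] = release(MACHINE, "user1", "actor", pools_fail_closed)
    # A requester unknown to RBAC is denied rather than raising.
    results["unknown+fail_closed"] = release(MACHINE, "user2", "actor", pools_fail_closed)
    return results

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```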


Changed in maas:
importance: Undecided → Critical
assignee: nobody → Blake Rouse (blake-rouse)
milestone: none → 2.5.1
status: New → Triaged
tags: added: rbac
tags: added: track
summary: - [2.5] RBAC - Cannot 'release' a machine deployed by another user
+ [2.5] RBAC - Cannot 'release' a machine deployed by another user (or
+ maybe non-RBAC user)
description: updated
description: updated
Changed in maas:
status: Triaged → In Progress
Changed in maas:
status: In Progress → Fix Committed
Andres Rodriguez (andreserl) wrote :

This is not fixed, after upgrading to the latest changes, I see the following issue:

==> /var/log/maas/regiond.log <==
2018-12-12 03:37:15 maasserver.websockets.protocol: [critical] Error on request (149) machine.action:
        Traceback (most recent call last):
          File "/usr/lib/python3.6/threading.py", line 864, in run
            self._target(*self._args, **self._kwargs)
          File "/usr/lib/python3/dist-packages/provisioningserver/utils/twisted.py", line 852, in worker
            return target()
          File "/usr/lib/python3/dist-packages/twisted/_threads/_threadworker.py", line 46, in work
            task()
          File "/usr/lib/python3/dist-packages/twisted/_threads/_team.py", line 190, in doWork
            task()
        --- <exception caught here> ---
          File "/usr/lib/python3/dist-packages/twisted/python/threadpool.py", line 250, in inContext
            result = inContext.theWork()
          File "/usr/lib/python3/dist-packages/twisted/python/threadpool.py", line 266, in <lambda>
            inContext.theWork = lambda: context.call(ctx, func, *args, **kw)
          File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 122, in callWithContext
            return self.currentContext().callWithContext(ctx, func, *args, **kw)
          File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 85, in callWithContext
            return func(*args,**kw)
          File "/usr/lib/python3/dist-packages/provisioningserver/utils/twisted.py", line 885, in callInContext
            return func(*args, **kwargs)
          File "/usr/lib/python3/dist-packages/provisioningserver/utils/twisted.py", line 234, in wrapper
            result = func(*args, **kwargs)
          File "/usr/lib/python3/dist-packages/maasserver/utils/orm.py", line 756, in call_within_transaction
            return func_outside_txn(*args, **kwargs)
          File "/usr/lib/python3/dist-packages/maasserver/utils/orm.py", line 563, in retrier
            return func(*args, **kwargs)
          File "/usr/lib/python3.6/contextlib.py", line 52, in inner
            return func(*args, **kwds)
          File "/usr/lib/python3/dist-packages/maasserver/websockets/base.py", line 386, in prep_user_execute
            return method(params)
          File "/usr/lib/python3/dist-packages/maasserver/websockets/handlers/machine.py", line 769, in action
            return action.execute(**extra_params)
          File "/usr/lib/python3/dist-packages/maasserver/node_action.py", line 170, in execute
            self._execute(*args, **kwargs)
          File "/usr/lib/python3/dist-packages/maasserver/node_action.py", line 609, in _execute
            secure_erase=secure_erase, quick_erase=quick_erase)
          File "/usr/lib/python3/dist-packages/maasserver/models/node.py", line 3008, in release_or_erase
            self.release(user, comment)
          File "/usr/lib/python3/dist-packages/maasserver/models/node.py", line 2902, in release
            self._release(user)
          File "/usr/lib/python3/dist-packages/maasserver/models/node.py", line 2918, in _release
            stopping = self._stop(self.owner)
          File "/usr/lib/python3/...


Changed in maas:
status: Fix Committed → New
Changed in maas:
status: New → In Progress
Changed in maas:
status: In Progress → Fix Committed
Andres Rodriguez (andreserl) wrote :

==> /var/log/maas/regiond.log <==
2018-12-12 19:31:37 maasserver.websockets.protocol: [critical] Error on request (599) machine.action:
        Traceback (most recent call last):
          File "/usr/lib/python3.6/threading.py", line 864, in run
            self._target(*self._args, **self._kwargs)
          File "/usr/lib/python3/dist-packages/provisioningserver/utils/twisted.py", line 852, in worker
            return target()
          File "/usr/lib/python3/dist-packages/twisted/_threads/_threadworker.py", line 46, in work
            task()
          File "/usr/lib/python3/dist-packages/twisted/_threads/_team.py", line 190, in doWork
            task()
        --- <exception caught here> ---
          File "/usr/lib/python3/dist-packages/twisted/python/threadpool.py", line 250, in inContext
            result = inContext.theWork()
          File "/usr/lib/python3/dist-packages/twisted/python/threadpool.py", line 266, in <lambda>
            inContext.theWork = lambda: context.call(ctx, func, *args, **kw)
          File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 122, in callWithContext
            return self.currentContext().callWithContext(ctx, func, *args, **kw)
          File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 85, in callWithContext
            return func(*args,**kw)
          File "/usr/lib/python3/dist-packages/provisioningserver/utils/twisted.py", line 885, in callInContext
            return func(*args, **kwargs)
          File "/usr/lib/python3/dist-packages/provisioningserver/utils/twisted.py", line 234, in wrapper
            result = func(*args, **kwargs)
          File "/usr/lib/python3/dist-packages/maasserver/utils/orm.py", line 756, in call_within_transaction
            return func_outside_txn(*args, **kwargs)
          File "/usr/lib/python3/dist-packages/maasserver/utils/orm.py", line 563, in retrier
            return func(*args, **kwargs)
          File "/usr/lib/python3.6/contextlib.py", line 52, in inner
            return func(*args, **kwds)
          File "/usr/lib/python3/dist-packages/maasserver/websockets/base.py", line 386, in prep_user_execute
            return method(params)
          File "/usr/lib/python3/dist-packages/maasserver/websockets/handlers/machine.py", line 769, in action
            return action.execute(**extra_params)
          File "/usr/lib/python3/dist-packages/maasserver/node_action.py", line 170, in execute
            self._execute(*args, **kwargs)
          File "/usr/lib/python3/dist-packages/maasserver/node_action.py", line 609, in _execute
            secure_erase=secure_erase, quick_erase=quick_erase)
          File "/usr/lib/python3/dist-packages/maasserver/models/node.py", line 3035, in release_or_erase
            self.release(user, comment)
          File "/usr/lib/python3/dist-packages/maasserver/models/node.py", line 2929, in release
            self._release(user)
          File "/usr/lib/python3/dist-packages/maasserver/models/node.py", line 2945, in _release
            stopping = self._stop(self.owner)
          File "/usr/lib/python3/dist-packages/maasserver/utils/orm.py", line 740, in call_within_transaction
         ...


Changed in maas:
status: Fix Committed → New
Changed in maas:
status: New → In Progress
Changed in maas:
status: In Progress → Fix Committed
Changed in maas:
status: Fix Committed → Fix Released