User with permissions can not set 'unshared' Murano package to 'shared'
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Murano | Fix Released | Medium | Kirill Zaitsev |
Liberty | Fix Released | Medium | Kirill Zaitsev |
Mitaka | Fix Released | Medium | Kirill Zaitsev |
Bug Description
Hello,
Please take a look at the issue below.
Globally the problem is that a user with permissions can't update a Murano package.
My env is: MOS 8.0 with ISO:589 (HA with vlan, murano, cinder and disabled SSL: 2x controllers; 3x compute,cinder)
Actions performed from controller:
1) OK - Perform actions as admin user:
# . openrc
2) OK - Create new role:
# openstack role create 'can_publicize_
+--
| Field | Value |
+--
| id | cdb2bf1c7cba4c1
| name | can_publicize_
+--
3) OK - List roles:
# openstack role list
+--
| ID | Name |
+--
. . . .
| cdb2bf1c7cba4c1
+--
4) OK - Create new user inside 'services' project:
# openstack user create '_test_user' --password 'password' --project 'services'
+--
| Field | Value |
+--
| email | None |
| enabled | True |
| id | e9783de276d64c0
| name | _test_user |
| project_id | fa38dcb711a24e9
| username | _test_user |
+--
5) OK - Assign new role to the new user:
# openstack role add 'can_publicize_
+--
| Field | Value |
+--
| id | cdb2bf1c7cba4c1
| name | can_publicize_
+--
6) NOK - Check new role for :
# openstack user role list '_test_user'
{empty output}
\\ I suppose it is expected to have some output here.
7) OK - Try to assign again the same role to the same user:
# openstack role add 'can_publicize_
Conflict occurred attempting to store role grant -
User e9783de276d64c0
cdb2bf1c7cb
in tenant fa38dcb711a24e9
(HTTP 409) (Request-ID: req-90460dca-
\\ So it seems that the role was actually assigned to the user.
5) OK - On both controllers add new role to /etc/murano/
# cp /etc/murano/
# vim /etc/murano/
from:
"publicize_
to:
"publicize_
### The same with:
"publicize_
6) OK - On both controllers restart some Murano services:
# service murano-api restart ; service murano-engine restart
murano-api stop/waiting
murano-api start/running, process 5597
murano-engine stop/waiting
murano-engine start/running, process 5627
6) OK - Change env to '_test_user' and 'services' project:
# export OS_TENANT_
7) OK - As a '_test_user' import Murano pkg:
# murano --murano-repo-url=http://
Package file 'io.murano.
Importing package io.murano.
+--
| ID | Name | FQN | Author | Is Public |
+--
| 90fee6d0e41b441
| 6c36dc3f149744c
+-----
8) NOK - As a '_test_user' update imported pkg with Public=TRUE:
# murano package-update '6c36dc3f149744
403 Forbidden: Access was denied to this resource. (HTTP 403)
\\ After step (5) it is expected for a new user to have the ability to update imported packages.
Please find logs for the last step (8) attached.
Thanks.
Changed in murano:
milestone: none → mitaka-3
tags: added: kilo-backport-potential
Changed in murano:
importance: Undecided → Medium
information type: Public → Private Security
tags: added: liberty-backport-potential security
information type: Private Security → Public Security
Unable to reproduce on current master.