yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #00811
[Bug 1122267] Re: nova-api returning 403 when trying simple_usage:show
** Changed in: nova
Status: Fix Committed => Fix Released
** Changed in: nova
Milestone: None => grizzly-3
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1122267
Title:
nova-api returning 403 when trying simple_usage:show
Status in OpenStack Compute (Nova):
Fix Released
Bug description:
When trying to run 'nova usage' as a tenant user (not global admin),
nova API returns a permission denied. Other commands work fine:
# nova --debug --os-username **** --os-password **** --os-auth-url
http://10.150.0.50:5000/v2.0 --os-tenant-name Test list
REQ: curl -i http://10.150.0.50:5000/v2.0/tokens -X POST -H "Content-
Type: application/json" -H "Accept: application/json" -H "User-Agent:
python-novaclient" -d '{"auth": {"tenantName": "Test",
"passwordCredentials": {"username": "****", "password": "****"}}}'
2013-02-11T11:33:14.311489 POST http://10.150.0.50:5000/v2.0/tokens
RESP: [200] {'date': 'Mon, 11 Feb 2013 15:33:14 GMT', 'transfer-encoding': 'chunked', 'content-type': 'application/json', 'vary': 'X-Auth-Token'}
RESP BODY: {"access": {"token": {"issued_at": "2013-02-11T15:33:14.609679", "expires": "2013-02-12T15:33:14Z", "id": "cf419f21e8cd438b9a030ce3a8b7530e", "tenant": {"enabled": true, "description": "Test project", "name": "Test", "id": "951f2ba7f0c44ae6a38ea7a9db3897b2"}}, "serviceCatalog": [{"endpoints": [{"adminURL": "http://10.150.0.55:8776/v1/951f2ba7f0c44ae6a38ea7a9db3897b2";, "region": "regionOne", "internalURL": "http://10.150.0.55:8776/v1/951f2ba7f0c44ae6a38ea7a9db3897b2";, "id": "833c5093f72242148e869141520e25a3", "publicURL": "http://10.150.0.55:8776/v1/951f2ba7f0c44ae6a38ea7a9db3897b2"}], "endpoints_links": [], "type": "volume", "name": "cinder"}, {"endpoints": [{"adminURL": "http://10.150.0.55:9292/v2.0";, "region": "regionOne", "internalURL": "http://10.150.0.55:9292/v2.0";, "id": "c96acff633654ce09a7ba313f5519479", "publicURL": "http://10.150.0.55:9292/v2.0"}], "endpoints_links": [], "type": "image", "name": "glance"}, {"endpoints": [{"adminURL": "http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2";, "region": "regionOne", "internalURL": "http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2";, "id": "772c4e148207417fa8570fd1a603831e", "publicURL": "http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2"}], "endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints": [{"adminURL": "http://10.150.0.54:9696/";, "region": "regionOne", "internalURL": "http://10.150.0.54:9696/";, "id": "5be6e02433ad4c1893197a87bb819122", "publicURL": "http://10.150.0.54:9696/"}], "endpoints_links": [], "type": "network", "name": "quantum"}, {"endpoints": [{"adminURL": "http://10.150.0.50:35357/v2.0";, "region": "regionOne", "internalURL": "http://10.150.0.50:5000/v2.0";, "id": "c369f78d641d4a5e95f6e14fe6cead20", "publicURL": "http://10.150.0.50:5000/v2.0"}], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": {"username": "****", "roles_links": [], "id": "72cac1a7fcd84d1b9bf0f4147aaff2b2", "roles": [{"name": "client_admin"}], "name": "****"}, "metadata": {"is_admin": 0, "roles": ["88455a8088144fcdbeafba03a86bcd38"]}}}
REQ: curl -i http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2/servers/detail -X GET -H "X-Auth-Project-Id: Test" -H "User-Agent: python-novaclient" -H "Accept: application/json" -H "X-Auth-Token: cf419f21e8cd438b9a030ce3a8b7530e"
2013-02-11T11:33:14.709276 GET http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2/servers/detail
RESP: [200] {'date': 'Mon, 11 Feb 2013 15:33:14 GMT', 'x-compute-request-id': 'req-939ec1b3-90b6-4806-a218-1c54e8f6771e', 'content-type': 'application/json', 'content-length': '4258'}
RESP BODY: {"servers": [{"status": "ACTIVE", "updated": "2013-02-07T18:27:34Z", "hostId": "5f0cc9a1c6bce02653a923caf7d4f3d42c9a4a968e1c51b0367c0ba9", "addresses": {"Test Net": [{"version": 4, "addr": "10.0.0.5"}]}, "links": [{"href": "http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2/servers/af0de6f2-105a-40e8-a460-66dd08ebea3a";, "rel": "self"}, {"href": "http://10.150.0.52:8774/951f2ba7f0c44ae6a38ea7a9db3897b2/servers/af0de6f2-105a-40e8-a460-66dd08ebea3a";, "rel": "bookmark"}], "key_name": null, "image": {"id": "cb992958-fed1-4bd3-be75-a629229573d8", "links": [{"href": "http://10.150.0.52:8774/951f2ba7f0c44ae6a38ea7a9db3897b2/images/cb992958-fed1-4bd3-be75-a629229573d8";, "rel": "bookmark"}]}, "OS-EXT-STS:task_state": null, "OS-EXT-STS:vm_state": "active", "flavor": {"id": "54ae82b7-c0c0-45cb-a39c-b55cc7ed8f28", "links": [{"href": "http://10.150.0.52:8774/951f2ba7f0c44ae6a38ea7a9db3897b2/flavors/54ae82b7-c0c0-45cb-a39c-b55cc7ed8f28";, "rel": "bookmark"}]}, "id": "af0de6f2-105a-40e8-a460-66dd08ebea3a", "security_groups": [{"name": "default"}], "OS-EXT-AZ:availability_zone": null, "user_id": "72cac1a7fcd84d1b9bf0f4147aaff2b2", "name": "Ubuntu", "created": "2013-02-07T18:27:11Z", "tenant_id": "951f2ba7f0c44ae6a38ea7a9db3897b2", "OS-DCF:diskConfig": "MANUAL", "OS-EXT-AZ:host_availability_zone": "nova", "accessIPv4": "", "accessIPv6": "", "progress": 0, "OS-EXT-STS:power_state": 1, "config_drive": "", "metadata": {}}, {"status": "ACTIVE", "updated": "2013-02-06T19:54:07Z", "hostId": "5f0cc9a1c6bce02653a923caf7d4f3d42c9a4a968e1c51b0367c0ba9", "addresses": {"Test Net": [{"version": 4, "addr": "10.0.0.4"}]}, "links": [{"href": "http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2/servers/3484738c-ea09-45ed-9d87-db1d75f8533d";, "rel": "self"}, {"href": "http://10.150.0.52:8774/951f2ba7f0c44ae6a38ea7a9db3897b2/servers/3484738c-ea09-45ed-9d87-db1d75f8533d";, "rel": "bookmark"}], "key_name": null, "image": {"id": "786654b5-dab6-4448-80ee-a15e810a31a2", "links": [{"href": "http://10.150.0.52:8774/951f2ba7f0c44ae6a38ea7a9db3897b2/images/786654b5-dab6-4448-80ee-a15e810a31a2";, "rel": "bookmark"}]}, "OS-EXT-STS:task_state": null, "OS-EXT-STS:vm_state": "active", "flavor": {"id": "54ae82b7-c0c0-45cb-a39c-b55cc7ed8f28", "links": [{"href": "http://10.150.0.52:8774/951f2ba7f0c44ae6a38ea7a9db3897b2/flavors/54ae82b7-c0c0-45cb-a39c-b55cc7ed8f28";, "rel": "bookmark"}]}, "id": "3484738c-ea09-45ed-9d87-db1d75f8533d", "security_groups": [{"name": "default"}], "OS-EXT-AZ:availability_zone": null, "user_id": "72cac1a7fcd84d1b9bf0f4147aaff2b2", "name": "Test2", "created": "2013-02-05T20:10:10Z", "tenant_id": "951f2ba7f0c44ae6a38ea7a9db3897b2", "OS-DCF:diskConfig": "MANUAL", "OS-EXT-AZ:host_availability_zone": "nova", "accessIPv4": "", "accessIPv6": "", "progress": 0, "OS-EXT-STS:power_state": 1, "config_drive": "", "metadata": {}}, {"status": "PAUSED", "updated": "2013-02-11T15:05:34Z", "hostId": "5f0cc9a1c6bce02653a923caf7d4f3d42c9a4a968e1c51b0367c0ba9", "addresses": {"Test Net": [{"version": 4, "addr": "10.0.0.3"}]}, "links": [{"href": "http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2/servers/3d14ef64-be16-47b6-9378-8bacba50bf91";, "rel": "self"}, {"href": "http://10.150.0.52:8774/951f2ba7f0c44ae6a38ea7a9db3897b2/servers/3d14ef64-be16-47b6-9378-8bacba50bf91";, "rel": "bookmark"}], "key_name": null, "image": {"id": "786654b5-dab6-4448-80ee-a15e810a31a2", "links": [{"href": "http://10.150.0.52:8774/951f2ba7f0c44ae6a38ea7a9db3897b2/images/786654b5-dab6-4448-80ee-a15e810a31a2";, "rel": "bookmark"}]}, "OS-EXT-STS:task_state": null, "OS-EXT-STS:vm_state": "paused", "flavor": {"id": "54ae82b7-c0c0-45cb-a39c-b55cc7ed8f28", "links": [{"href": "http://10.150.0.52:8774/951f2ba7f0c44ae6a38ea7a9db3897b2/flavors/54ae82b7-c0c0-45cb-a39c-b55cc7ed8f28";, "rel": "bookmark"}]}, "id": "3d14ef64-be16-47b6-9378-8bacba50bf91", "security_groups": [{"name": "default"}], "OS-EXT-AZ:availability_zone": null, "user_id": "72cac1a7fcd84d1b9bf0f4147aaff2b2", "name": "Test", "created": "2013-02-04T23:55:55Z", "tenant_id": "951f2ba7f0c44ae6a38ea7a9db3897b2", "OS-DCF:diskConfig": "MANUAL", "OS-EXT-AZ:host_availability_zone": "nova", "accessIPv4": "", "accessIPv6": "", "OS-EXT-STS:power_state": 3, "config_drive": "", "metadata": {}}]}
+--------------------------------------+--------+--------+-------------------+
| ID | Name | Status | Networks |
+--------------------------------------+--------+--------+-------------------+
| 3d14ef64-be16-47b6-9378-8bacba50bf91 | Test | PAUSED | Test Net=10.0.0.3 |
| 3484738c-ea09-45ed-9d87-db1d75f8533d | Test2 | ACTIVE | Test Net=10.0.0.4 |
| af0de6f2-105a-40e8-a460-66dd08ebea3a | Ubuntu | ACTIVE | Test Net=10.0.0.5 |
+--------------------------------------+--------+--------+-------------------+
# nova --debug --os-username **** --os-password **** --os-auth-url
http://10.150.0.50:5000/v2.0 --os-tenant-name Test usage
REQ: curl -i http://10.150.0.50:5000/v2.0/tokens -X POST -H "Content-
Type: application/json" -H "Accept: application/json" -H "User-Agent:
python-novaclient" -d '{"auth": {"tenantName": "Test",
"passwordCredentials": {"username": "****", "password": "****"}}}'
2013-02-11T11:34:06.746585 POST http://10.150.0.50:5000/v2.0/tokens
RESP: [200] {'date': 'Mon, 11 Feb 2013 15:34:06 GMT', 'transfer-encoding': 'chunked', 'content-type': 'application/json', 'vary': 'X-Auth-Token'}
RESP BODY: {"access": {"token": {"issued_at": "2013-02-11T15:34:06.851813", "expires": "2013-02-12T15:34:06Z", "id": "7445ce457df04111adc776855dd5df26", "tenant": {"enabled": true, "description": "Test project", "name": "Test", "id": "951f2ba7f0c44ae6a38ea7a9db3897b2"}}, "serviceCatalog": [{"endpoints": [{"adminURL": "http://10.150.0.55:8776/v1/951f2ba7f0c44ae6a38ea7a9db3897b2";, "region": "regionOne", "internalURL": "http://10.150.0.55:8776/v1/951f2ba7f0c44ae6a38ea7a9db3897b2";, "id": "833c5093f72242148e869141520e25a3", "publicURL": "http://10.150.0.55:8776/v1/951f2ba7f0c44ae6a38ea7a9db3897b2"}], "endpoints_links": [], "type": "volume", "name": "cinder"}, {"endpoints": [{"adminURL": "http://10.150.0.55:9292/v2.0";, "region": "regionOne", "internalURL": "http://10.150.0.55:9292/v2.0";, "id": "c96acff633654ce09a7ba313f5519479", "publicURL": "http://10.150.0.55:9292/v2.0"}], "endpoints_links": [], "type": "image", "name": "glance"}, {"endpoints": [{"adminURL": "http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2";, "region": "regionOne", "internalURL": "http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2";, "id": "772c4e148207417fa8570fd1a603831e", "publicURL": "http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2"}], "endpoints_links": [], "type": "compute", "name": "nova"}, {"endpoints": [{"adminURL": "http://10.150.0.54:9696/";, "region": "regionOne", "internalURL": "http://10.150.0.54:9696/";, "id": "5be6e02433ad4c1893197a87bb819122", "publicURL": "http://10.150.0.54:9696/"}], "endpoints_links": [], "type": "network", "name": "quantum"}, {"endpoints": [{"adminURL": "http://10.150.0.50:35357/v2.0";, "region": "regionOne", "internalURL": "http://10.150.0.50:5000/v2.0";, "id": "c369f78d641d4a5e95f6e14fe6cead20", "publicURL": "http://10.150.0.50:5000/v2.0"}], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": {"username": "****", "roles_links": [], "id": "72cac1a7fcd84d1b9bf0f4147aaff2b2", "roles": [{"name": "client_admin"}], "name": "****"}, "metadata": {"is_admin": 0, "roles": ["88455a8088144fcdbeafba03a86bcd38"]}}}
REQ: curl -i http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2/os-simple-tenant-usage/951f2ba7f0c44ae6a38ea7a9db3897b2?start=2013-01-14T15:34:06.871236&end=2013-02-12T15:34:06.871236 -X GET -H "X-Auth-Project-Id: Test" -H "User-Agent: python-novaclient" -H "Accept: application/json" -H "X-Auth-Token: 7445ce457df04111adc776855dd5df26"
2013-02-11T11:34:06.872623 GET http://10.150.0.52:8774/v2/951f2ba7f0c44ae6a38ea7a9db3897b2/os-simple-tenant-usage/951f2ba7f0c44ae6a38ea7a9db3897b2?start=2013-01-14T15:34:06.871236&end=2013-02-12T15:34:06.871236
RESP: [403] {'date': 'Mon, 11 Feb 2013 15:34:06 GMT', 'content-length': '78', 'content-type': 'application/json; charset=UTF-8', 'x-compute-request-id': 'req-30abfdd5-7d81-4c53-bbc6-83212df448bc'}
RESP BODY: {"forbidden": {"message": "User does not have admin privileges", "code": 403}}
DEBUG (shell:732) User does not have admin privileges (HTTP 403) (Request-ID: req-30abfdd5-7d81-4c53-bbc6-83212df448bc)
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/novaclient/shell.py", line 729, in main
OpenStackComputeShell().main(sys.argv[1:])
File "/usr/lib/python2.7/dist-packages/novaclient/shell.py", line 665, in main
args.func(self.cs, args)
File "/usr/lib/python2.7/dist-packages/novaclient/v1_1/shell.py", line 2113, in do_usage
usage = cs.usage.get(cs.client.tenant_id, start, end)
File "/usr/lib/python2.7/dist-packages/novaclient/v1_1/usage.py", line 48, in get
"tenant_usage")
File "/usr/lib/python2.7/dist-packages/novaclient/base.py", line 140, in _get
_resp, body = self.api.client.get(url)
File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 231, in get
return self._cs_request(url, 'GET', **kwargs)
File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 218, in _cs_request
**kwargs)
File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 200, in _time_request
resp, body = self.request(url, method, **kwargs)
File "/usr/lib/python2.7/dist-packages/novaclient/client.py", line 194, in request
raise exceptions.from_response(resp, body, url, method)
Forbidden: User does not have admin privileges (HTTP 403) (Request-ID: req-30abfdd5-7d81-4c53-bbc6-83212df448bc)
ERROR: User does not have admin privileges (HTTP 403) (Request-ID: req-30abfdd5-7d81-4c53-bbc6-83212df448bc)
policy.json has proper rule:
"compute_extension:simple_tenant_usage:show": "rule:admin_or_owner",
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1122267/+subscriptions
