yahoo-eng-team team mailing list archive

[Bug 1233707] Re: neutron http policy check broken

 

** Also affects: oslo-incubator
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1233707

Title:
  neutron http policy check broken

Status in OpenStack Neutron (virtual network service):
  In Progress
Status in The Oslo library incubator:
  New

Bug description:
  Neutron in theory should support HttpCheck as a policy element:

  https://github.com/openstack/neutron/blob/master/neutron/openstack/common/policy.py#L747

  So I ran a little http server on localhost and added this line to the policy.json file:
      "create_network": "http://127.0.0.1:8080/ or rule:default",

  It turns out the http post never made it to the http server.

  Here, the code is trying to populate a json string with variable target:
  https://github.com/openstack/neutron/blob/master/neutron/openstack/common/policy.py#L757

  And in execution, we have:

  2013-10-01 14:22:32.092 ERROR neutron.openstack.common.policy [-] target={'router:external': <object object at 0x7fc3ae693170>, u'name': u'net1', 'provider:physical_network': <object object at 0x7fc3ae693170>, u'admin_state_up': True, 'tenant_id': u'881d9a4a7c4a486b94fae690e6d613fb', 'provider:network_type': <object object at 0x7fc3ae693170>, 'shared': False, 'provider:segmentation_id': <object object at 0x7fc3ae693170>}
  creds={'user_id': u'0495af214c2c4bdd99fadb7a7c69630e', 'roles': [u'admin'], 'tenant_id': u'881d9a4a7c4a486b94fae690e6d613fb', 'is_admin': True, 'timestamp': '2013-10-01 14:22:32.079282', 'project_id': u'881d9a4a7c4a486b94fae690e6d613fb', 'read_deleted': 'no'}
  url=http://127.0.0.1:8080/{'router:external': <object object at 0x7fc3ae693170>, u'name': u'net1', 'provider:physical_network': <object object at 0x7fc3ae693170>, u'admin_state_up': True, 'tenant_id': u'881d9a4a7c4a486b94fae690e6d613fb', 'provider:network_type': <object object at 0x7fc3ae693170>, 'shared': False, 'provider:segmentation_id': <object object at 0x7fc3ae693170>}
  2013-10-01 14:22:32.092 TRACE neutron.openstack.common.policy Traceback (most recent call last):
  2013-10-01 14:22:32.092 TRACE neutron.openstack.common.policy   File "/usr/lib/python2.7/dist-packages/routes/middleware.py", line 52, in __call__
  2013-10-01 14:22:32.092 TRACE neutron.openstack.common.policy     qs = environ['QUERY_STRING']
  2013-10-01 14:22:32.092 TRACE neutron.openstack.common.policy KeyError: 'QUERY_STRING'
  2013-10-01 14:22:32.092 TRACE neutron.openstack.common.policy
  2013-10-01 14:22:32.092 ERROR neutron.api.v2.resource [-] create failed
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource Traceback (most recent call last):
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource   File "/opt/stack/neutron/neutron/api/v2/resource.py", line 84, in resource
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource     result = method(request=request, **args)
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource   File "/opt/stack/neutron/neutron/api/v2/base.py", line 357, in create
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource     item[self._resource])
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource   File "/opt/stack/neutron/neutron/policy.py", line 379, in enforce
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource     exc=exceptions.PolicyNotAuthorized, action=action)
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource   File "/opt/stack/neutron/neutron/openstack/common/policy.py", line 169, in check
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource     result = rule(target, creds)
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource   File "/opt/stack/neutron/neutron/openstack/common/policy.py", line 732, in __call__
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource     return _rules[self.match](target, creds)
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource   File "/opt/stack/neutron/neutron/openstack/common/policy.py", line 366, in __call__
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource     if rule(target, cred):
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource   File "/opt/stack/neutron/neutron/openstack/common/policy.py", line 758, in __call__
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource     data = {'target': jsonutils.dumps(target),
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource   File "/opt/stack/neutron/neutron/openstack/common/jsonutils.py", line 151, in dumps
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource     return json.dumps(value, default=default, **kwargs)
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource   File "/usr/lib/python2.7/json/__init__.py", line 238, in dumps
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource     **kw).encode(obj)
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource   File "/usr/lib/python2.7/json/encoder.py", line 200, in encode
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource     chunks = self.iterencode(o, _one_shot=True)
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource   File "/usr/lib/python2.7/json/encoder.py", line 263, in iterencode
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource     return _iterencode(o, 0)
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource ValueError: Circular reference detected
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource

  Basically, the target variable looks like this when converted to string:
  {'router:external': <object object at 0x7fc3ae693170>, u'name': u'net1', 'provider:physical_network': <object object at 0x7fc3ae693170>, u'admin_state_up': True, 'tenant_id': u'881d9a4a7c4a486b94fae690e6d613fb', 'provider:network_type': <object object at 0x7fc3ae693170>, 'shared': False, 'provider:segmentation_id': <object object at 0x7fc3ae693170>}

  I wonder if we should change the action to the url parameter and post
  the target as the post body.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1233707/+subscriptions
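
The serialization failure in the traceback above, reproduced in isolation together with a request body that leaves the unset attributes out. This is an added example, not code from the bug report, neutron or oslo-incubator. Assumptions: the `<object object at 0x...>` values are one shared sentinel for "attribute not specified", the JSON fallback hands unknown objects back unchanged, and the second form field is named `credentials`.

```python
import json

# Assumption: stands in for the sentinel printed as <object object at 0x...>.
ATTR_NOT_SPECIFIED = object()

# Constructed target, shaped like the one in the log output above.
SAMPLE_TARGET = {
    "router:external": ATTR_NOT_SPECIFIED,
    "name": "net1",
    "provider:physical_network": ATTR_NOT_SPECIFIED,
    "admin_state_up": True,
    "tenant_id": "881d9a4a7c4a486b94fae690e6d613fb",
    "shared": False,
}


def passthrough_default(value):
    """Hypothetical fallback that returns unknown objects unchanged."""
    return value


def reproduce(target):
    """Return the encoder's error message, or None if encoding succeeds."""
    try:
        # json asks default() to convert the sentinel, receives the same
        # object again, and reports that as a circular reference.
        json.dumps(target, default=passthrough_default)
    except ValueError as exc:
        return str(exc)
    return None


def serializable_target(target):
    """Drop keys whose value is the sentinel; everything else is kept."""
    return {k: v for k, v in target.items() if v is not ATTR_NOT_SPECIFIED}


def build_check_body(target, creds):
    """Form fields for the POST to the policy server, each JSON-encoded.

    No default= hook is passed, so any other non-JSON value raises
    TypeError here instead of being sent in a lossy form.
    """
    return {
        "target": json.dumps(serializable_target(target), sort_keys=True),
        "credentials": json.dumps(creds, sort_keys=True),
    }
```

Because the encoder raises before any request is sent, the remote check is never consulted and the API call fails, which matches the "create failed" line in the log.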