yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1699717] Re: Updating of firewall-rule while attached to firewall via non-admin user shows exception on Horizon

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Akihiro Motoki <1699717@xxxxxxxxxxxxxxxxxx>
Date: Wed, 28 Jun 2017 16:35:47 -0000
Reply-to: Bug 1699717 <1699717@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Also affects: neutron-fwaas-dashboard
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1699717

Title:
  Updating of firewall-rule while attached to firewall via non-admin
  user shows exception on Horizon

Status in OpenStack Dashboard (Horizon):
  In Progress
Status in Neutron FWaaS dashboard:
  New

Bug description:
  Created non-admin user using below commands:-
  # openstack project create sam
  # openstack user create --password openstack --project acdc3b0348224a019878d628cc40681c sam-user
  # openstack role create user-role
  # openstack role add  --project acdc3b0348224a019878d628cc40681c --user sam-user user-role

  Steps:-
  1) Created firewall-rule 
  2) Created firewall policy and firewall-rule.
  3) Created firewall and add firewall-policy to it
  4) Now try to update firewall-rule using non-admin user it shows exception.
  Error: Failed to update rule fire-rule-sam: {u'protocol': u'tcp', u'description': u'', 'attributes_to_update': [u'protocol', u'name', u'enabled', u'source_ip_address', u'destination_ip_address', u'action', u'source_port', u'shared', u'destination_port', u'ip_version', u'description'], u'source_port': None, u'source_ip_address': None, u'destination_ip_address': None, 'firewall_policy_id': u'ce84a478-3eaf-45ba-9d00-2f82b90916e4', u'destination_port': None, 'id': u'86850f40-6b26-4849-8eb9-f65b4136cf87', u'name': u'fire-rule-sam', 'tenant_id': u'acdc3b0348224a019878d628cc40681c', u'enabled': True, u'action': u'allow', 'shared': False, 'project_id': u'acdc3b0348224a019878d628cc40681c', u'ip_version': 4} is disallowed by policy rule (rule:update_firewall_rule and rule:update_firewall_rule:shared) with {'project_id': u'acdc3b0348224a019878d628cc40681c', 'domain': None, 'project_name': u'sam', 'user_id': u'2e4470864c674331bec8b9f25d546e04', 'roles': [u'user-role'], 'user_domain_id': None, 'service_project_id': None, 'project_domain': None, 'tenant_id': u'acdc3b0348224a019878d628cc40681c', 'service_user_domain_id': None, 'service_project_domain_id': None, 

  But issue doesn't comes when using cli command to update firewall-rules for non-admin user.
  Use credentials for non-admin tenant then run below command:-

  $  neutron firewall-rule-update 86850f40-6b26-4849-8eb9-f65b4136cf87 --protocol tcp --action reject
  Updated firewall_rule: 86850f40-6b26-4849-8eb9-f65b4136cf87

  So above command via cli is executed fine but with horizon it shows
  issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1699717/+subscriptions

References

[Bug 1699717] [NEW] Updating of firewall-rule while attached to firewall via non-admin user shows exception on Horizon
From: Puneet Arora, 2017-06-22