yahoo-eng-team team mailing list archive

[OpenStack Infra <1699717@xxxxxxxxxxxxxxxxxx>]

Reviewed:  https://review.openstack.org/481008
Committed: https://git.openstack.org/cgit/openstack/neutron-fwaas-dashboard/commit/?id=a767cef2ad7973696b1723e17f518cc6435aaacc
Submitter: Jenkins
Branch:    master

commit a767cef2ad7973696b1723e17f518cc6435aaacc
Author: Adit Sarfaty <asarfaty@xxxxxxxxxx>
Date:   Thu Jul 6 15:09:07 2017 +0300

    Fix FWaaS create/update rule with non-admin
    
    Creating and updating a shared rule is forbidden for non admin user.
    
    This patch makes sure the 'shared' attribute is disabled, and not added
    to the request body of the update request, so the request will not fail
    in neutron.
    
    Change-Id: I439947198bd9b0a647640f3f663ba7029b2507b4
    Closes-Bug: #1699717


** Changed in: neutron-fwaas-dashboard
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1699717

Title:
  Updating of firewall-rule while attached to firewall via non-admin
  user shows exception on Horizon

Status in OpenStack Dashboard (Horizon):
  In Progress
Status in Neutron FWaaS dashboard:
  Fix Released

Bug description:
  Created non-admin user using below commands:-
  # openstack project create sam
  # openstack user create --password openstack --project acdc3b0348224a019878d628cc40681c sam-user
  # openstack role create user-role
  # openstack role add  --project acdc3b0348224a019878d628cc40681c --user sam-user user-role

  Steps:-
  1) Created firewall-rule 
  2) Created firewall policy and firewall-rule.
  3) Created firewall and add firewall-policy to it
  4) Now try to update firewall-rule using non-admin user it shows exception.
  Error: Failed to update rule fire-rule-sam: {u'protocol': u'tcp', u'description': u'', 'attributes_to_update': [u'protocol', u'name', u'enabled', u'source_ip_address', u'destination_ip_address', u'action', u'source_port', u'shared', u'destination_port', u'ip_version', u'description'], u'source_port': None, u'source_ip_address': None, u'destination_ip_address': None, 'firewall_policy_id': u'ce84a478-3eaf-45ba-9d00-2f82b90916e4', u'destination_port': None, 'id': u'86850f40-6b26-4849-8eb9-f65b4136cf87', u'name': u'fire-rule-sam', 'tenant_id': u'acdc3b0348224a019878d628cc40681c', u'enabled': True, u'action': u'allow', 'shared': False, 'project_id': u'acdc3b0348224a019878d628cc40681c', u'ip_version': 4} is disallowed by policy rule (rule:update_firewall_rule and rule:update_firewall_rule:shared) with {'project_id': u'acdc3b0348224a019878d628cc40681c', 'domain': None, 'project_name': u'sam', 'user_id': u'2e4470864c674331bec8b9f25d546e04', 'roles': [u'user-role'], 'user_domain_id': None, 'service_project_id': None, 'project_domain': None, 'tenant_id': u'acdc3b0348224a019878d628cc40681c', 'service_user_domain_id': None, 'service_project_domain_id': None, 

  But issue doesn't comes when using cli command to update firewall-rules for non-admin user.
  Use credentials for non-admin tenant then run below command:-

  $  neutron firewall-rule-update 86850f40-6b26-4849-8eb9-f65b4136cf87 --protocol tcp --action reject
  Updated firewall_rule: 86850f40-6b26-4849-8eb9-f65b4136cf87

  So above command via cli is executed fine but with horizon it shows
  issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1699717/+subscriptions