yahoo-eng-team team mailing list archive
Message #74480
[Bug 1789499] [NEW] Policy.json get_service_profiles says admin_only but non-admin users can access api
Public bug reported:
Policy.json has these two lines:
"create_service_profile": "rule:admin_only",
"get_service_profiles": "rule:admin_only",
However, get_service_profiles can be accessed without error by a non-admin
user:
$ export OS_USERNAME=demo
$ openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2018-08-28T22:11:10+0000 |
| id | gAAAAABbhbpuuY6N3_jsujbYhGkotgjoVwlwynqVJ_Uot6RrvJtzqoL0vv74hJewGlx4WZB81ddK8J7hYUqltKtV4iN8VbvEvMuVIl8BPgkWHlDcJPC_SF-KYda6NMweldqkYcL65nc26n2Rzg5PhYGcCvEwIfyXLsnLCgJYcW09Se_utmqCXbM |
| project_id | 28f7717697d34265accbd0b348ee1e51 |
| user_id | 6465999184924e9d9fec2618b15ab277 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
devstack@devstack$ export MY_TOKEN=gAAAAABbhbpuuY6N3_jsujbYhGkotgjoVwlwynqVJ_Uot6RrvJtzqoL0vv74hJewGlx4WZB81ddK8J7hYUqltKtV4iN8VbvEvMuVIl8BPgkWHlDcJPC_SF-KYda6NMweldqkYcL65nc26n2Rzg5PhYGcCvEwIfyXLsnLCgJYcW09Se_utmqCXbM
devstack@devstack:/opt/stack/logs$ curl -H "X-Auth-Token: $MY_TOKEN" -X GET http://127.0.0.1:9696/v2.0/service_profiles
{"service_profiles": []}
I would expect an error similar to create_service_profile because they have the same admin_only policy:
$ curl -H "X-Auth-Token: $MY_TOKEN" -X POST http://127.0.0.1:9696/v2.0/service_profiles -d '{ "service_profile": { "enabled": "true", "description": "Dummy profile", "metainfo" : "{'foo': 'bar'}"}}'
{"NeutronError": {"message": "rule:create_service_profile is disallowed by policy", "type": "PolicyNotAuthorized", "detail": ""}}
Please note that, despite not receiving an error, the non-admin user does get an empty list despite existing service_profiles:
$ export OS_USERNAME=admin
$ openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2018-08-28T22:15:06+0000 |
| id | gAAAAABbhbtaMytoBFfviejpK5m7OnlusCnp1p_gExNtsaxAbfD1egn0ljOBb93uXjyPOE6bhMj0hcvDa2CE_o9odPBQmIgZKAtOq9-_OLGUvZbq4ACZAG1_DvLYBCPsB2X8qoD2cvRxPGQKbWdnviuos-nHdtkKnfdhYt6UWBCa3gm7dcvr0EE |
| project_id | 28f7717697d34265accbd0b348ee1e51 |
| user_id | e935d2593d404a86ba0f58c5a84c8ae2 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
$ export MY_TOKEN=gAAAAABbhbtaMytoBFfviejpK5m7OnlusCnp1p_gExNtsaxAbfD1egn0ljOBb93uXjyPOE6bhMj0hcvDa2CE_o9odPBQmIgZKAtOq9-_OLGUvZbq4ACZAG1_DvLYBCPsB2X8qoD2cvRxPGQKbWdnviuos-nHdtkKnfdhYt6UWBCa3gm7dcvr0EE
$ curl -H "X-Auth-Token: $MY_TOKEN" -X GET http://127.0.0.1:9696/v2.0/service_profiles
{"service_profiles": [{"id": "a4e1544b-5296-46b8-bdb6-02f9d11eef2c", "enabled": true, "driver": "", "description": "Dummy profile", "metainfo": "{foo: bar}"}]}
** Affects: neutron
Importance: Undecided
Status: New
** Tags: flavors policy
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1789499
Title:
Policy.json get_service_profiles says admin_only but non-admin users
can access api
Status in neutron:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1789499/+subscriptions
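
Added example, not part of the original bug report or of neutron: a small regression check that classifies how an admin_only action was enforced for a non-admin caller, using the policy lines and response bodies quoted in the report. The helper names classify and audit and the verdict labels are hypothetical.

```python
import json

# Policy lines as quoted in the bug report.
POLICY = {
    "create_service_profile": "rule:admin_only",
    "get_service_profiles": "rule:admin_only",
}

# Response bodies copied from the report's curl output.
DEMO_GET = '{"service_profiles": []}'
ADMIN_GET = ('{"service_profiles": [{"id": "a4e1544b-5296-46b8-bdb6-02f9d11eef2c", '
             '"enabled": true, "driver": "", "description": "Dummy profile", '
             '"metainfo": "{foo: bar}"}]}')
DEMO_POST = ('{"NeutronError": {"message": "rule:create_service_profile is '
             'disallowed by policy", "type": "PolicyNotAuthorized", "detail": ""}}')


def classify(action, non_admin_body, admin_body=None, key="service_profiles"):
    """Hypothetical helper: how was an admin_only action enforced for a non-admin?"""
    if POLICY.get(action) != "rule:admin_only":
        return "not_restricted"
    reply = json.loads(non_admin_body)
    error = reply.get("NeutronError")
    if error:
        # Explicit refusal, as seen for create_service_profile.
        return "denied" if error.get("type") == "PolicyNotAuthorized" else "error"
    seen = {item["id"] for item in reply.get(key, [])}
    if admin_body is None:
        return "exposed" if seen else "inconclusive"
    existing = {item["id"] for item in json.loads(admin_body).get(key, [])}
    if seen & existing:
        return "exposed"        # non-admin can read admin-only objects
    if existing:
        return "filtered"       # no error, but the data is withheld
    return "inconclusive"       # nothing exists, so the call proves nothing


def audit():
    """Run the check over the two calls shown in the report."""
    return {
        "get_service_profiles": classify("get_service_profiles", DEMO_GET, ADMIN_GET),
        "create_service_profile": classify("create_service_profile", DEMO_POST),
    }


if __name__ == "__main__":
    for action, verdict in audit().items():
        print(f"{action}: {verdict}")
```

The "inconclusive" verdict is why the admin listing matters: an empty list for the demo user only shows that data is being withheld once an admin call confirms that service profiles exist.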