
yahoo-eng-team team mailing list archive

[Bug 1789499] [NEW] Policy.json get_service_profiles says admin_only but non-admin users can access api


Public bug reported:

Policy.json has these two lines:
    "create_service_profile": "rule:admin_only",
    "get_service_profiles": "rule:admin_only",


However, get_service_profiles can be accessed without error by a non-admin
user:

$ export OS_USERNAME=demo
$ openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-08-28T22:11:10+0000                                                                                                                                                                |
| id         | gAAAAABbhbpuuY6N3_jsujbYhGkotgjoVwlwynqVJ_Uot6RrvJtzqoL0vv74hJewGlx4WZB81ddK8J7hYUqltKtV4iN8VbvEvMuVIl8BPgkWHlDcJPC_SF-KYda6NMweldqkYcL65nc26n2Rzg5PhYGcCvEwIfyXLsnLCgJYcW09Se_utmqCXbM |
| project_id | 28f7717697d34265accbd0b348ee1e51                                                                                                                                                        |
| user_id    | 6465999184924e9d9fec2618b15ab277                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
devstack@devstack$ export MY_TOKEN=gAAAAABbhbpuuY6N3_jsujbYhGkotgjoVwlwynqVJ_Uot6RrvJtzqoL0vv74hJewGlx4WZB81ddK8J7hYUqltKtV4iN8VbvEvMuVIl8BPgkWHlDcJPC_SF-KYda6NMweldqkYcL65nc26n2Rzg5PhYGcCvEwIfyXLsnLCgJYcW09Se_utmqCXbM
devstack@devstack:/opt/stack/logs$ curl -H "X-Auth-Token: $MY_TOKEN" -X GET http://127.0.0.1:9696/v2.0/service_profiles
{"service_profiles": []}


I would expect an error similar to create_service_profile because they have the same admin_only policy:

$ curl -H "X-Auth-Token: $MY_TOKEN" -X POST http://127.0.0.1:9696/v2.0/service_profiles -d '{ "service_profile": { "enabled": "true", "description": "Dummy profile", "metainfo" : "{'foo': 'bar'}"}}'
{"NeutronError": {"message": "rule:create_service_profile is disallowed by policy", "type": "PolicyNotAuthorized", "detail": ""}}


Please note that, despite not receiving an error, the non-admin user gets an empty list even though service_profiles exist:

$ export OS_USERNAME=admin
$ openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-08-28T22:15:06+0000                                                                                                                                                                |
| id         | gAAAAABbhbtaMytoBFfviejpK5m7OnlusCnp1p_gExNtsaxAbfD1egn0ljOBb93uXjyPOE6bhMj0hcvDa2CE_o9odPBQmIgZKAtOq9-_OLGUvZbq4ACZAG1_DvLYBCPsB2X8qoD2cvRxPGQKbWdnviuos-nHdtkKnfdhYt6UWBCa3gm7dcvr0EE |
| project_id | 28f7717697d34265accbd0b348ee1e51                                                                                                                                                        |
| user_id    | e935d2593d404a86ba0f58c5a84c8ae2                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
$ export MY_TOKEN=gAAAAABbhbtaMytoBFfviejpK5m7OnlusCnp1p_gExNtsaxAbfD1egn0ljOBb93uXjyPOE6bhMj0hcvDa2CE_o9odPBQmIgZKAtOq9-_OLGUvZbq4ACZAG1_DvLYBCPsB2X8qoD2cvRxPGQKbWdnviuos-nHdtkKnfdhYt6UWBCa3gm7dcvr0EE

$ curl -H "X-Auth-Token: $MY_TOKEN" -X GET http://127.0.0.1:9696/v2.0/service_profiles
{"service_profiles": [{"id": "a4e1544b-5296-46b8-bdb6-02f9d11eef2c", "enabled": true, "driver": "", "description": "Dummy profile", "metainfo": "{foo: bar}"}]}
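The two observations above (POST rejected with PolicyNotAuthorized, GET answered with 200 and an empty list) are consistent with the collection GET applying the policy rule as a per-item filter rather than enforcing it once up front. That mechanism is an assumption here; neutron's controller code is not on this page. The following added example (not code from the bug report or from neutron) models both styles of applying a `rule:admin_only` policy and includes a small audit helper that flags exactly this kind of mismatch between what policy.json says and what a non-admin token observes. The `admin_only` definition, the `Context` class and the `mode` parameter are constructed for the example; the rule names, user ids and profile data come from the report.

```python
"""Added example (not code from the bug report or from neutron): a small
model of two ways an API layer can apply an "admin_only" policy rule to a
collection GET, plus an audit helper that flags the mismatch reported in
the bug (policy says admin_only, but a non-admin caller gets HTTP 200)."""
import json
from dataclasses import dataclass

# Constructed policy.json excerpt built around the two rules quoted in the
# bug; the "admin_only" definition itself is an assumption (neutron's real
# file defines it, but the definition is not shown on the page).
POLICY_JSON = """{
    "admin_only": "role:admin",
    "create_service_profile": "rule:admin_only",
    "get_service_profiles": "rule:admin_only"
}"""
POLICY = json.loads(POLICY_JSON)

# Constructed sample data, mirroring the one profile the admin token sees.
SERVICE_PROFILES = [{
    "id": "a4e1544b-5296-46b8-bdb6-02f9d11eef2c", "enabled": True,
    "driver": "", "description": "Dummy profile", "metainfo": "{foo: bar}",
}]


@dataclass(frozen=True)
class Context:
    """Request context: who is calling and which roles the token carries."""
    user_id: str
    roles: tuple


class PolicyNotAuthorized(Exception):
    """Mirrors the error type seen in the bug's POST response."""


def check(policy, rule_name, ctx):
    """Evaluate a rule. Supports 'rule:<name>' indirection, 'role:<r>' and
    the empty string (an undefined or empty rule is treated as allow)."""
    expr = policy.get(rule_name, "")
    if expr == "":
        return True
    kind, _, value = expr.partition(":")
    if kind == "rule":
        return check(policy, value, ctx)
    if kind == "role":
        return value in ctx.roles
    raise ValueError(f"unsupported rule expression: {expr!r}")


def enforce(policy, rule_name, ctx):
    """Raise instead of returning False, the way the create/POST path does."""
    if not check(policy, rule_name, ctx):
        raise PolicyNotAuthorized(f"rule:{rule_name} is disallowed by policy")


def get_service_profiles(policy, ctx, items, mode):
    """Collection GET returning (status, body).

    mode="enforce": the rule is enforced once, up front, so a denied caller
    gets 403 (the behaviour the reporter expected).
    mode="filter": the rule is only used to drop items the caller may not
    see, so a denied caller gets 200 with [] (the behaviour observed)."""
    if mode == "enforce":
        try:
            enforce(policy, "get_service_profiles", ctx)
        except PolicyNotAuthorized as exc:
            return 403, {"NeutronError": {"message": str(exc),
                                          "type": "PolicyNotAuthorized"}}
        return 200, {"service_profiles": list(items)}
    if mode == "filter":
        visible = [i for i in items
                   if check(policy, "get_service_profiles", ctx)]
        return 200, {"service_profiles": visible}
    raise ValueError(f"unknown mode {mode!r}")


def audit_admin_only(policy, observed):
    """observed: {rule_name: HTTP status seen when calling that operation
    with a NON-admin token}. Return the rules that the policy marks
    admin_only but which did not reject the non-admin caller with 403."""
    return sorted(rule for rule, expr in policy.items()
                  if expr == "rule:admin_only"
                  and rule in observed and observed[rule] != 403)


if __name__ == "__main__":
    demo = Context("6465999184924e9d9fec2618b15ab277", ("member",))
    for mode in ("filter", "enforce"):
        status, body = get_service_profiles(POLICY, demo, SERVICE_PROFILES, mode)
        print(f"{mode:8s} demo -> {status} {json.dumps(body)}")
    # Statuses a non-admin token observed in the bug: GET 200, POST 403.
    print(audit_admin_only(POLICY, {"get_service_profiles": 200,
                                    "create_service_profile": 403}))
```

Running the audit against the two statuses reported above lists only `get_service_profiles`, which is the discrepancy the bug is about: from a defender's point of view, the 200-with-empty-list response is a weaker guarantee than a 403, because it confirms that the endpoint exists and is reachable, and because the same rule produces different observable outcomes on the GET and POST paths of one resource.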

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: flavors policy

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1789499

Title:
  Policy.json get_service_profiles says admin_only but non-admin users
  can access api

Status in neutron:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1789499/+subscriptions