yahoo-eng-team team mailing list archive
Message #87976
[Bug 1956091] [NEW] Security Group Rule Wrong Project Id
Public bug reported:
Hello,
We created a role named `security_admin` for our security team and
allowed it to add/delete security rules for projects. But our sec team
could not delete some rules. When we investigated the issue, we saw
that some security group rules were created with the wrong project_id.
We found out how this can happen. The tested scenario is:
1. Enter the security group page for a project
2. Click the `Add Rule` button
3. Then open a new browser tab and switch to another project
4. Return to the earlier `Add Rule` page, then add a new rule
Then, when we checked the security group rule's project id, we saw the
wrong project_id. So our security_admin role could not delete the rule.
We have two questions.
1) Is there any bug that causes a wrong sg rule project_id value when a new browser tab is opened with another project?
# List projects with ids
(openstack-client) ➜ ~ openstack project list
+----------------------------------+------------+
| ID                               | Name       |
+----------------------------------+------------+
| f9300721d2ab44909a1aeba228bbb4db | ProjectA   |
| 42c15a29b6c14e53b36b8eb16bfcc31d | ProjectB   |
+----------------------------------+------------+
# Create an sg in `ProjectA` and show the sg's project_id
(openstack-client) ➜ ~ openstack security group show my-sg-test
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at | 2021-12-31T08:07:13Z |
| description | |
| id | 6f223ca4-4cd1-4445-a94b-93029c69a261 |
| name | my-sg-test |
| project_id | f9300721d2ab44909a1aeba228bbb4db |
| revision_number | 1 |
| rules | created_at='2021-12-31T08:50:51Z', description='custom rule', direction='ingress', ethertype='IPv4', id='395e5fd7-7df3-4d37-b321-7482e7f5c8c4', remote_ip_prefix='0.0.0.0/0', updated_at='2021-12-31T08:50:51Z' |
| | created_at='2021-12-31T08:45:27Z', direction='egress', ethertype='IPv4', id='b7040dd6-4416-45a7-9d59-c40c6d2948f9', updated_at='2021-12-31T08:45:27Z' |
| | created_at='2021-12-31T08:45:27Z', direction='egress', ethertype='IPv6', id='d4753ff6-66ef-4f9d-89cc-1ff1478d69fd', updated_at='2021-12-31T08:45:27Z' |
| stateful | True |
| tags | [] |
| updated_at | 2021-12-31T08:07:13Z |
+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+
# Create an sg rule as in the scenario above, then check the sg rule's project_id
(openstack-client) ➜ ~ openstack security group rule show 395e5fd7-7df3-4d37-b321-7482e7f5c8c4
+-------------------------+--------------------------------------+
| Field                   | Value                                |
+-------------------------+--------------------------------------+
| created_at              | 2021-12-31T08:50:51Z                 |
| description             | custom rule                          |
| direction               | ingress                              |
| ether_type              | IPv4                                 |
| id                      | 395e5fd7-7df3-4d37-b321-7482e7f5c8c4 |
| name                    | None                                 |
| port_range_max          | None                                 |
| port_range_min          | None                                 |
| project_id              | 42c15a29b6c14e53b36b8eb16bfcc31d     |
| protocol                | None                                 |
| remote_address_group_id | None                                 |
| remote_group_id         | None                                 |
| remote_ip_prefix        | 0.0.0.0/0                            |
| revision_number         | 0                                    |
| security_group_id       | 6f223ca4-4cd1-4445-a94b-93029c69a261 |
| tags                    | []                                   |
| updated_at              | 2021-12-31T08:50:51Z                 |
+-------------------------+--------------------------------------+
The security group's project_id and the security group rule's project_id are not the same.
When deleting the rule via Horizon, we see a warning like: Error: Unable to
delete rule: ALLOW IPv4 from 0.0.0.0/0
When deleting the rule via the CLI, we see these logs:
...
RESP BODY: {"security_group_rule": {"id": "395e5fd7-7df3-4d37-b321-7482e7f5c8c4", "tenant_id": "42c15a29b6c14e53b36b8eb16bfcc31d", "security_group_id": "6f223ca4-4cd1-4445-a94b-93029c69a261", "ethertype": "IPv4", "direction": "ingress", "protocol": null, "port_range_min": null, "port_range_max": null, "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": null, "description": "custom rule", "created_at": "2021-12-31T08:50:51Z", "updated_at": "2021-12-31T08:50:51Z", "revision_number": 0, "project_id": "42c15a29b6c14e53b36b8eb16bfcc31d"}}
GET call to network for https://my.domain.com:9696/v2.0/security-group-rules/395e5fd7-7df3-4d37-b321-7482e7f5c8c4 used request id req-83b10a86-ddd5-4112-bff1-abf075d5a2d7
REQ: curl -g -i -X DELETE https://my.domain.com:9696/v2.0/security-group-rules/395e5fd7-7df3-4d37-b321-7482e7f5c8c4 -H "User-Agent: openstacksdk/0.55.0 keystoneauth1/4.3.1 python-requests/2.25.1 CPython/3.8.2" -H "X-Auth-Token: {SHA256}9dlgorpsjg8493de05897b25a12b0d07gksl5lrt8abe28ef8f582451ef71hjkf5"
https://my.domain.com:9696 "DELETE /v2.0/security-group-rules/395e5fd7-7df3-4d37-b321-7482e7f5c8c4 HTTP/1.1" 404 155
RESP: [404] content-length: 155 content-type: application/json date: Fri, 31 Dec 2021 08:52:14 GMT x-openstack-request-id: req-3ab4f5b0-836c-4b5e-b026-9c2a8898ffd2
RESP BODY: {"NeutronError": {"type": "SecurityGroupRuleNotFound", "message": "Security group rule 395e5fd7-7df3-4d37-b321-7482e7f5c8c4 does not exist", "detail": ""}}
DELETE call to network for https://my.domain.com:9696/v2.0/security-group-rules/395e5fd7-7df3-4d37-b321-7482e7f5c8c4 used request id req-3ab4f5b0-836c-4b5e-b026-9c2a8898ffd2
clean_up DeleteSecurityGroupRule:
2) We gave all sg permissions to the `security_admin` role, but why can't
they delete the sg rule? Are there any wrong or missing permissions? (We
assigned the security_admin role to a group in the project permissions)
(horizon)[root@osp-test-controller-01 openstack-dashboard]# cat neutron_policy.yaml
"context_is_admin": "role:admin"
"admin_only": "rule:context_is_admin"
"security_admin": "role:security_admin"
"admin_or_security_admin": "rule:admin_only or rule:security_admin"
...
"create_security_group": "rule:admin_or_security_admin"
"get_security_group": "rule:admin_or_security_admin"
"update_security_group": "rule:admin_or_security_admin"
"delete_security_group": "rule:admin_or_security_admin"
"create_security_group_rule": "rule:admin_or_security_admin"
"get_security_group_rule": "rule:admin_or_security_admin"
"delete_security_group_rule": "rule:admin_or_security_admin"
...
Expected result
===============
New role members can delete the sg rule
Actual result
=============
New role members can't delete the sg rule
Environment
===========
OpenStack Victoria cluster installed via kolla-ansible on Ubuntu 20.04.2 LTS hosts (kernel: 5.4.0-90-generic)
horizon version: 18.6.3.dev29
Networking type: Neutron with Open vSwitch; "neutron-openvswitch-agent", "neutron-l3-agent" and "neutron-server" version is "17.2.2.dev46"
** Affects: horizon
Importance: Undecided
Status: New
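An added example (not part of this bug report, and not Horizon or Neutron code) that turns the check described in the report into a script: given security groups and rules in the shape of the Neutron v2.0 API bodies quoted above, it lists every rule whose project_id is not the project_id of its parent security group, and prints the `openstack security group rule delete` commands an admin would run for them. The sample data is constructed from the IDs in the report; the `fetch_from_neutron` helper, which assumes the openstacksdk package and an admin-scoped connection, is the only part that talks to a real cloud and is not exercised offline.

```python
"""Audit Neutron security group rules whose project_id differs from the
project_id of the security group they belong to.

Added example, not code from the bug report, Horizon or Neutron. Works on
dicts shaped like the Neutron v2.0 API JSON (security_group and
security_group_rule bodies). The openstacksdk helper at the bottom is an
assumption about how a live run would gather the data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Mismatch:
    rule_id: str
    security_group_id: str
    sg_project_id: str    # project that owns the security group
    rule_project_id: str  # project recorded on the rule itself


def find_mismatched_rules(security_groups: Iterable[dict],
                          rules: Iterable[dict]) -> List[Mismatch]:
    """Return every rule whose project_id is not its parent group's project_id.

    Rules pointing at a security_group_id that is not in the supplied
    groups are skipped: they cannot be judged without their parent.
    """
    sg_owner: Dict[str, str] = {sg["id"]: sg["project_id"] for sg in security_groups}
    found: List[Mismatch] = []
    for rule in rules:
        owner = sg_owner.get(rule["security_group_id"])
        if owner is None:
            continue
        if rule["project_id"] != owner:
            found.append(Mismatch(rule["id"], rule["security_group_id"],
                                  owner, rule["project_id"]))
    return found


def remediation_commands(mismatches: Iterable[Mismatch]) -> List[str]:
    """OSC commands to drop the stray rules; meant to be run with an
    admin-scoped token, since the report shows the non-admin DELETE
    answering 404 SecurityGroupRuleNotFound."""
    return [f"openstack security group rule delete {m.rule_id}" for m in mismatches]


def fetch_from_neutron(conn):
    """Live variant (assumption: openstacksdk `conn = openstack.connect()`
    with admin credentials so objects of every project are listed)."""
    sgs = [{"id": g.id, "project_id": g.project_id}
           for g in conn.network.security_groups()]
    rules = [{"id": r.id, "security_group_id": r.security_group_id,
              "project_id": r.project_id}
             for r in conn.network.security_group_rules()]
    return sgs, rules


# Constructed sample data using the IDs quoted in the report.
PROJECT_A = "f9300721d2ab44909a1aeba228bbb4db"
PROJECT_B = "42c15a29b6c14e53b36b8eb16bfcc31d"
SG_ID = "6f223ca4-4cd1-4445-a94b-93029c69a261"

SAMPLE_SECURITY_GROUPS = [
    {"id": SG_ID, "name": "my-sg-test", "project_id": PROJECT_A},
]
SAMPLE_RULES = [
    # the rule added from the stale "Add Rule" tab: recorded under ProjectB
    {"id": "395e5fd7-7df3-4d37-b321-7482e7f5c8c4", "security_group_id": SG_ID,
     "direction": "ingress", "ethertype": "IPv4", "remote_ip_prefix": "0.0.0.0/0",
     "project_id": PROJECT_B},
    # the default egress rules, correctly owned by ProjectA
    {"id": "b7040dd6-4416-45a7-9d59-c40c6d2948f9", "security_group_id": SG_ID,
     "direction": "egress", "ethertype": "IPv4", "project_id": PROJECT_A},
    {"id": "d4753ff6-66ef-4f9d-89cc-1ff1478d69fd", "security_group_id": SG_ID,
     "direction": "egress", "ethertype": "IPv6", "project_id": PROJECT_A},
]


if __name__ == "__main__":
    stray = find_mismatched_rules(SAMPLE_SECURITY_GROUPS, SAMPLE_RULES)
    for m in stray:
        print(f"rule {m.rule_id} in sg {m.security_group_id}: "
              f"sg owner {m.sg_project_id}, rule owner {m.rule_project_id}")
    print("\n".join(remediation_commands(stray)))
```

Run the audit with credentials that can list security group rules across projects: the report shows the DELETE issued as the security_admin user returning 404 SecurityGroupRuleNotFound even though the posted neutron_policy.yaml grants delete_security_group_rule to that role, so the token used for the listing matters as much as the policy. Whether the policy file itself admits the role can be checked separately with oslo.policy's `oslopolicy-checker` against the posted file.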
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1956091