yahoo-eng-team team mailing list archive
Message #92448
[Bug 2013326] Re: Trying to activate port binding as regular user causes error 500
Reviewed: https://review.opendev.org/c/openstack/neutron/+/884613
Committed: https://opendev.org/openstack/neutron/commit/61b358b6b5ac160c38af66b07454c26d6a93a0bd
Submitter: "Zuul (22348)"
Branch: master
commit 61b358b6b5ac160c38af66b07454c26d6a93a0bd
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date: Mon May 29 14:28:46 2023 +0200
[S-RBAC] Add API policies for get and activate port bindings

There weren't policies for get port binding and activate port binding API
calls defined at all.
When we switched to new default policies and a regular user wanted to make
a call to activate port binding, it was error 500 that we returned instead
of a proper 4xx error. It was like that as the "get_port_binding" call, which
was done internally during the "activate" API request, fell back to the
default policy, which is "admin_or_owner", and as the port binding resource
doesn't have project_id, the owner couldn't be checked there.
Now it has defined S-RBAC policies for those API calls and it is allowed
for admin users only to solve that problem.
This patch doesn't define old, deprecated policies for those API calls as
it wasn't really needed there and we already switched to new policies by
default now.

Closes-Bug: #2013326
Change-Id: Id281e4950dc5d7bac62dfa8175d82cb1f8d2e855
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2013326
Title:
Trying to activate port binding as regular user causes error 500
Status in neutron:
Fix Released
Bug description:
Doing an API request like:
curl -g -i -X PUT \
  -H "Accept: application/json" \
  -H "User-Agent: openstacksdk/1.0.1 keystoneauth1/5.1.2 python-requests/2.28.2 CPython/3.10.6" \
  -H "X-Auth-Token: $token" \
  "http://10.120.0.40:9696/networking/v2.0/ports/e62c5fdf-265c-47d4-bf39-efce382b93bf/bindings/devstack-ubuntu-ovn/activate"
will result in error 500 returned from Neutron:
curl -g -i -X PUT -H "Accept: application/json" -H "User-Agent: openstacksdk/1.0.1 keystoneauth1/5.1.2 python-requests/2.28.2 CPython/3.10.6" -H "X-Auth-Token: $token" "http://10.120.0.40:9696/networking/v2.0/ports/e62c5fdf-265c-47d4-bf39-efce382b93bf/bindings/devstack-ubuntu-ovn/activate"
HTTP/1.1 500 Internal Server Error
Content-Type: application/json
Content-Length: 212
X-Openstack-Request-Id: req-f185fcde-ab73-4b27-97fc-a3f6fef18541
Date: Thu, 30 Mar 2023 10:14:25 GMT
{"NeutronError": {"type": "PolicyCheckError", "message": "Failed to
check policy tenant_id:%(tenant_id)s because Unable to verify
match:%(tenant_id)s as the parent resource: tenant was not found.",
"detail": ""}}%
Stacktrace in Neutron log:
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: DEBUG neutron.policy [None req-f185fcde-ab73-4b27-97fc-a3f6fef18541 demo demo] Unable to find ':' as separator in tenant_id. {{(pid=235848) __call__ /opt/stack/neutron/neutron/policy.py:337}}
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.policy [None req-f185fcde-ab73-4b27-97fc-a3f6fef18541 demo demo] Unable to verify match:%(tenant_id)s as the parent resource: tenant was not found
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource [None req-f185fcde-ab73-4b27-97fc-a3f6fef18541 demo demo] activate failed: No details.: neutron_lib.exceptions.PolicyCheckError: Failed to check policy tenant_id:%(tenant_id)s because Unable to verify match:%(tenant_id)s as the parent resource: tenant was not found.
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource Traceback (most recent call last):
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/opt/stack/neutron/neutron/api/v2/resource.py", line 98, in resource
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource result = method(request=request, **args)
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/usr/local/lib/python3.10/dist-packages/neutron_lib/db/api.py", line 140, in wrapped
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource with excutils.save_and_reraise_exception():
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 227, in __exit__
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource self.force_reraise()
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 200, in force_reraise
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource raise self.value
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/usr/local/lib/python3.10/dist-packages/neutron_lib/db/api.py", line 138, in wrapped
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource return f(*args, **kwargs)
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/usr/local/lib/python3.10/dist-packages/oslo_db/api.py", line 144, in wrapper
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource with excutils.save_and_reraise_exception() as ectxt:
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 227, in __exit__
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource self.force_reraise()
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 200, in force_reraise
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource raise self.value
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/usr/local/lib/python3.10/dist-packages/oslo_db/api.py", line 142, in wrapper
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource return f(*args, **kwargs)
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/usr/local/lib/python3.10/dist-packages/neutron_lib/db/api.py", line 186, in wrapped
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource with excutils.save_and_reraise_exception():
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 227, in __exit__
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource self.force_reraise()
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 200, in force_reraise
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource raise self.value
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/usr/local/lib/python3.10/dist-packages/neutron_lib/db/api.py", line 184, in wrapped
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource return f(*dup_args, **dup_kwargs)
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/opt/stack/neutron/neutron/api/v2/base.py", line 234, in _handle_action
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource resource = self._item(request,
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/opt/stack/neutron/neutron/api/v2/base.py", line 358, in _item
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource policy.enforce(request.context,
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/opt/stack/neutron/neutron/policy.py", line 520, in enforce
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource result = _ENFORCER.enforce(rule, target, context, action=action,
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/usr/local/lib/python3.10/dist-packages/oslo_policy/policy.py", line 1049, in enforce
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource result = _checks._check(
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/usr/local/lib/python3.10/dist-packages/oslo_policy/_checks.py", line 80, in _check
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource return rule(*rule_args)
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/usr/local/lib/python3.10/dist-packages/oslo_policy/_checks.py", line 257, in __call__
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource return _check(
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/usr/local/lib/python3.10/dist-packages/oslo_policy/_checks.py", line 80, in _check
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource return rule(*rule_args)
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/usr/local/lib/python3.10/dist-packages/oslo_policy/_checks.py", line 257, in __call__
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource return _check(
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/usr/local/lib/python3.10/dist-packages/oslo_policy/_checks.py", line 80, in _check
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource return rule(*rule_args)
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/usr/local/lib/python3.10/dist-packages/oslo_policy/_checks.py", line 213, in __call__
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource if _check(rule, target, cred, enforcer, current_rule):
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/usr/local/lib/python3.10/dist-packages/oslo_policy/_checks.py", line 80, in _check
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource return rule(*rule_args)
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/usr/local/lib/python3.10/dist-packages/oslo_policy/_checks.py", line 257, in __call__
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource return _check(
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/usr/local/lib/python3.10/dist-packages/oslo_policy/_checks.py", line 80, in _check
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource return rule(*rule_args)
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource File "/opt/stack/neutron/neutron/policy.py", line 361, in __call__
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource raise exceptions.PolicyCheckError(
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource neutron_lib.exceptions.PolicyCheckError: Failed to check policy tenant_id:%(tenant_id)s because Unable to verify match:%(tenant_id)s as the parent resource: tenant was not found.
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource
Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: INFO neutron.wsgi [None req-f185fcde-ab73-4b27-97fc-a3f6fef18541 demo demo] 10.120.0.40 "PUT /networking/v2.0/ports/e62c5fdf-265c-47d4-bf39-efce382b93bf/bindings/devstack-ubuntu-ovn/activate HTTP/1.1" status: 500 len: 406 time: 0.4082420
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2013326/+subscriptions
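Added example (not part of the original message, and not Neutron or oslo.policy code): a simplified pure-Python model of the failure the commit message describes, where an action with no registered rule falls back to an owner check that cannot be evaluated on a target without a project id. The `Enforcer` class, `http_status`, `missing_rules`, the `activate_port_binding` rule name, the 403 status for a denial and the sample contexts are assumptions made for illustration.

```python
# Simplified model of the policy fallback described in the commit message.
# NOT Neutron or oslo.policy code; every name here is illustrative.
class PolicyCheckError(Exception):
    """The rule could not be evaluated at all (surfaces as HTTP 500)."""

def is_admin(ctx, target):
    return "admin" in ctx["roles"]

def admin_or_owner(ctx, target):
    if is_admin(ctx, target):
        return True
    # The owner check needs the target's project; port bindings carry none.
    if "tenant_id" not in target:
        raise PolicyCheckError("tenant_id not found on target")
    return ctx["project_id"] == target["tenant_id"]

class Enforcer:
    def __init__(self, rules, default):
        self.rules, self.default = rules, default

    def enforce(self, action, ctx, target):
        # Actions without a registered rule silently use the default rule.
        rule = self.rules.get(action, self.default)
        return rule(ctx, target)

def http_status(enforcer, action, ctx, target):
    """Map a policy check outcome to the status the API would return."""
    try:
        allowed = enforcer.enforce(action, ctx, target)
    except PolicyCheckError:
        return 500  # evaluation failure, not an authorization decision
    return 200 if allowed else 403  # 403 assumed as the "proper 4xx"

def missing_rules(enforcer, api_actions):
    """Audit helper: API actions that would fall back to the default rule."""
    return sorted(a for a in api_actions if a not in enforcer.rules)

# Constructed sample data: a binding has host and status but no project id.
BINDING = {"port_id": "PORT-ID-PLACEHOLDER", "host": "compute-1", "status": "INACTIVE"}
MEMBER = {"roles": ["member"], "project_id": "project-a"}
ADMIN = {"roles": ["admin"], "project_id": "project-admin"}
ACTIONS = ["get_port_binding", "activate_port_binding"]  # second name is assumed

before = Enforcer(rules={}, default=admin_or_owner)
after = Enforcer(rules={a: is_admin for a in ACTIONS}, default=admin_or_owner)

if __name__ == "__main__":
    for label, enf in (("before", before), ("after", after)):
        print(label, http_status(enf, "get_port_binding", MEMBER, BINDING),
              missing_rules(enf, ACTIONS))
```

Running `missing_rules` over the full list of exposed API actions at start-up or in a unit test is one way to catch an action that was added without an explicit rule.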