[Openstack-security] [Bug 1552291] Re: User with permissions can not set 'unshared' Murano package to 'shared'

Victor Ryzhenkin vryzhenkin at mirantis.com
Wed Mar 2 22:10:13 UTC 2016


** Information type changed from Public to Private Security

** Tags added: liberty-backport-potential security

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1552291

Title:
  User with permissions can not set 'unshared' Murano package to
  'shared'

Status in Murano:
  Triaged
Status in Murano liberty series:
  Triaged
Status in Murano mitaka series:
  Triaged

Bug description:
  Hello,
  Please take a look at the issue below.
  Globally, the problem is that a user with permissions can't update a Murano package.
  My env is: MOS 8.0 with ISO:589 (HA with vlan, murano, cinder and disabled SSL: 2x controllers; 3x compute,cinder)

  Actions performed from controller:

  1) OK - Perform actions as admin user:
  # . openrc

  2) OK - Create new role:
  # openstack role create 'can_publicize_packages'
      +-------+----------------------------------+
      | Field | Value                            |
      +-------+----------------------------------+
      | id    | cdb2bf1c7cba4c188792481e9bfdf449 |
      | name  | can_publicize_packages           |
      +-------+----------------------------------+

  3) OK - List roles:
  # openstack role list
      +----------------------------------+------------------------+
      | ID                               | Name                   |
      +----------------------------------+------------------------+
       . . . .
      | cdb2bf1c7cba4c188792481e9bfdf449 | can_publicize_packages |
      +----------------------------------+------------------------+

  4) OK - Create a new user inside the 'services' project:
  # openstack user create '_test_user' --password 'password' --project 'services'
      +------------+----------------------------------+
      | Field      | Value                            |
      +------------+----------------------------------+
      | email      | None                             |
      | enabled    | True                             |
      | id         | e9783de276d64c0189df2c5a5ff79a63 |
      | name       | _test_user                       |
      | project_id | fa38dcb711a24e979f1cd88486a9965e |
      | username   | _test_user                       |
      +------------+----------------------------------+

  5) OK - Assign the new role to the new user:
  # openstack role add 'can_publicize_packages' --user '_test_user' --project 'services'
      +-------+----------------------------------+
      | Field | Value                            |
      +-------+----------------------------------+
      | id    | cdb2bf1c7cba4c188792481e9bfdf449 |
      | name  | can_publicize_packages           |
      +-------+----------------------------------+

  6) NOK - Check new role for :
  # openstack user role list '_test_user'
      {empty output}

    \\ I suppose it is expected to have some output here.

  7) OK - Try to assign the same role to the same user again:
  # openstack role add 'can_publicize_packages' --user '_test_user' --project 'services'
      Conflict occurred attempting to store role grant -
      User e9783de276d64c0189df2c5a5ff79a63 already has role
      cdb2bf1c7cba4c188792481e9bfdf449
      in tenant fa38dcb711a24e979f1cd88486a9965e
    (HTTP 409) (Request-ID: req-90460dca-6001-4c1d-90de-212aec294942)

   \\ So it seems that the role was actually assigned to the user.

  5) OK - On both controllers add the new role to /etc/murano/policy.json:
  # cp /etc/murano/policy.json /etc/murano/policy.json_orig
  # vim /etc/murano/policy.json
      from:
      "publicize_package": "rule:admin_api",
      to:
      "publicize_package": "rule:admin_api or role:can_publicize_packages",
      ### The same with:
      "publicize_package": ["rule:admin_api", "role:can_publicize_packages"],

  6) OK - On both controllers restart the Murano services:
  # service murano-api restart ; service murano-engine restart
      murano-api stop/waiting
      murano-api start/running, process 5597
      murano-engine stop/waiting
      murano-engine start/running, process 5627

  6) OK - Change the env to '_test_user' and the 'services' project:
  # export OS_TENANT_NAME='services' ; export OS_PROJECT_NAME='services' ; export OS_USERNAME='_test_user' ; export OS_PASSWORD='password'

  7) OK - As '_test_user', import a Murano pkg:
  # murano --murano-repo-url=http://storage.apps.openstack.org package-import 'io.murano.apps.docker.Interfaces'
      Package file 'io.murano.apps.docker.Interfaces' does not exist, attempting to download
      Importing package io.murano.apps.docker.Interfaces
      +----------------------------------+--------------------------+----------------------------------+---------------+-----------+
      | ID                               | Name                     | FQN                              | Author        | Is Public |
      +----------------------------------+--------------------------+----------------------------------+---------------+-----------+
      | 90fee6d0e41b441f9e8c4b29d89497aa | Core library             | io.murano                        | murano.io     | True      |
      | 6c36dc3f149744ca8b18c5e1527b74ef | Docker Interface Library | io.murano.apps.docker.Interfaces | Mirantis, Inc |           |
      +----------------------------------+--------------------------+----------------------------------+---------------+-----------+

  8) NOK - As '_test_user', update the imported pkg with Public=TRUE:
  # murano package-update '6c36dc3f149744ca8b18c5e1527b74ef' --is-public true
      403 Forbidden: Access was denied to this resource. (HTTP 403)

   \\ After step (5) it is expected that the new user has the ability to
  update imported packages.

  Please find logs for the last step (8) attached.
  Thanks.

To manage notifications about this bug go to:
https://bugs.launchpad.net/murano/+bug/1552291/+subscriptions
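An added example, not from the bug report or from Murano: a small Python evaluator for the two policy.json rule forms shown in step 5 (the "a or b" string form and the legacy list form), used to check which credential sets each version of "publicize_package" admits. The "admin_api" definition and all credential sets are constructed assumptions; only the "publicize_package" rules are taken from the report.

```python
import json

# Constructed credential sets, assumed to mirror the report's two users,
# plus a token that was issued without the role grant.
ADMIN_CREDS = {"roles": ["admin"], "is_admin": True}
TEST_USER_CREDS = {"roles": ["can_publicize_packages"], "is_admin": False}
NO_ROLE_CREDS = {"roles": ["_member_"], "is_admin": False}

# policy.json excerpts: the publicize_package rules are the report's; the
# admin_api definition is an assumption (the report does not show it).
POLICY_BEFORE = json.loads('{"admin_api": "is_admin:True",'
                           ' "publicize_package": "rule:admin_api"}')
POLICY_AFTER_STR = dict(POLICY_BEFORE,
    publicize_package="rule:admin_api or role:can_publicize_packages")
POLICY_AFTER_LIST = dict(POLICY_BEFORE,
    publicize_package=["rule:admin_api", "role:can_publicize_packages"])


def _atom(check, policy, creds):
    """Evaluate one 'kind:value' check against the caller's credentials."""
    kind, _, value = check.partition(":")
    if kind == "rule":                       # reference to another named rule
        return evaluate(value, policy, creds)
    if kind == "role":                       # role carried in the token
        return value in creds.get("roles", [])
    if kind == "is_admin":
        return str(creds.get("is_admin", False)) == value
    raise ValueError("unsupported check: %r" % check)


def _string_rule(expr, policy, creds):
    """String form: 'a or b and c' (no parentheses or 'not' handled here)."""
    if not expr.strip():                     # empty rule means always allowed
        return True
    return any(all(_atom(a.strip(), policy, creds) for a in clause.split(" and "))
               for clause in expr.split(" or "))


def _list_rule(rule, policy, creds):
    """Legacy list form: outer list is OR, an inner list is AND of checks."""
    return any(_atom(item, policy, creds) if isinstance(item, str)
               else all(_atom(a, policy, creds) for a in item)
               for item in rule)


def evaluate(name, policy, creds):
    """Return True if the named rule admits the given credentials."""
    rule = policy[name]
    if isinstance(rule, str):
        return _string_rule(rule, policy, creds)
    return _list_rule(rule, policy, creds)
```

Both edited forms admit a token that carries the role, while the original rule and a token without the role grant are still refused, which is the check to run before looking elsewhere for the cause of a 403.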




More information about the Openstack-security mailing list