[Openstack-security] [Bug 1552291] Re: User with permissions can not set 'unshared' Murano package to 'shared'
OpenStack Infra
1552291 at bugs.launchpad.net
Thu Mar 3 14:21:45 UTC 2016
Reviewed: https://review.openstack.org/287480
Committed: https://git.openstack.org/cgit/openstack/murano/commit/?id=53845d84e79ebc7f34745d21da58cab6b8276fac
Submitter: Jenkins
Branch: master
commit 53845d84e79ebc7f34745d21da58cab6b8276fac
Author: Kirill Zaitsev <k.zaitsev at me.com>
Date: Thu Mar 3 01:15:33 2016 +0300
Add roles to RequestContext.to_dict if they're not there
Old versions of oslo_context do not include rules in to_dict()
However roles are required for newer versions of oslo_policy to operate
and resolve 'role:xxx' rules.
Since minimal version for oslo_context is 0.2.0 and commit, that adds
roles has been added only in 2.2.0 we should support old versions of
oslo_context with newer version.
Change-Id: If35726613bec5d342bad72b542215ec8e5c096a2
Closes-Bug: #1552291
** Changed in: murano
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1552291
Title:
User with permissions can not set 'unshared' Murano package to
'shared'
Status in Murano:
Fix Released
Status in Murano liberty series:
In Progress
Status in Murano mitaka series:
Fix Released
Bug description:
Hello,
Please take a look at the issue below.
Globally the problem is that user with permissions can't update Murano package.
My env is: MOS 8.0 with ISO:589 (HA with vlan, murano, cinder and disabled SSL: 2x controllers; 3x compute,cinder)
Actions performed from controller:
1) OK - Perform actions as admin user:
# . openrc
2) OK - Create new role:
# openstack role create 'can_publicize_packages'
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | cdb2bf1c7cba4c188792481e9bfdf449 |
| name | can_publicize_packages |
+-------+----------------------------------+
3) OK - List roles:
# openstack role list
+----------------------------------+------------------------+
| ID | Name |
+----------------------------------+------------------------+
. . . .
| cdb2bf1c7cba4c188792481e9bfdf449 | can_publicize_packages |
+----------------------------------+------------------------+
4) OK - Create new user inside 'services' project:
# openstack user create '_test_user' --password 'password' --project 'services'
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| email | None |
| enabled | True |
| id | e9783de276d64c0189df2c5a5ff79a63 |
| name | _test_user |
| project_id | fa38dcb711a24e979f1cd88486a9965e |
| username | _test_user |
+------------+----------------------------------+
5) OK - Assign new role to the new user:
# openstack role add 'can_publicize_packages' --user '_test_user' --project 'services'
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | cdb2bf1c7cba4c188792481e9bfdf449 |
| name | can_publicize_packages |
+-------+----------------------------------+
6) NOK - Check new role for :
# openstack user role list '_test_user'
{empty output}
\\ I suppose it is expected to have some output here.
7) OK - Try to assign again the same role to the same user:
# openstack role add 'can_publicize_packages' --user '_test_user' --project 'services'
Conflict occurred attempting to store role grant -
User e9783de276d64c0189df2c5a5ff79a63 already has role
cdb2bf1c7cba4c188792481e9bfdf449
in tenant fa38dcb711a24e979f1cd88486a9965e
(HTTP 409) (Request-ID: req-90460dca-6001-4c1d-90de-212aec294942)
\\ So, seems, that role was actually assigned to the user.
5) OK - On all two controllers add new role to /etc/murano/policy.json:
# cp /etc/murano/policy.json /etc/murano/policy.json_orig
# vim /etc/murano/policy.json
from:
"publicize_package": "rule:admin_api",
to:
"publicize_package": "rule:admin_api or role:can_publicize_packages",
### The same with:
"publicize_package": ["rule:admin_api", "role:can_publicize_packages"],
6) OK - On all two controllers restart some Murano services:
# service murano-api restart ; service murano-engine restart
murano-api stop/waiting
murano-api start/running, process 5597
murano-engine stop/waiting
murano-engine start/running, process 5627
6) OK - Change env to '_test_user' and 'services' project:
# export OS_TENANT_NAME='services' ; export OS_PROJECT_NAME='services' ; export OS_USERNAME='_test_user' ; export OS_PASSWORD='password'
7) OK - As a '_test_user' import Murano pkg:
# murano --murano-repo-url=http://storage.apps.openstack.org package-import 'io.murano.apps.docker.Interfaces'
Package file 'io.murano.apps.docker.Interfaces' does not exist, attempting to download
Importing package io.murano.apps.docker.Interfaces
+----------------------------------+--------------------------+----------------------------------+---------------+-----------+
| ID | Name | FQN | Author | Is Public |
+----------------------------------+--------------------------+----------------------------------+---------------+-----------+
| 90fee6d0e41b441f9e8c4b29d89497aa | Core library | io.murano | murano.io | True |
| 6c36dc3f149744ca8b18c5e1527b74ef | Docker Interface Library | io.murano.apps.docker.Interfaces | Mirantis, Inc | |
+----------------------------------+--------------------------+----------------------------------+---------------+-----------+
8) NOK - As a '_test_user' update imported pkg with Public=TRUE:
# murano package-update '6c36dc3f149744ca8b18c5e1527b74ef' --is-public true
403 Forbidden: Access was denied to this resource. (HTTP 403)
\\ After step (5) it is expected for a new user to have ability to
update imported packages.
Please find logs for the last step (8) attached.
Thanks.
To manage notifications about this bug go to:
https://bugs.launchpad.net/murano/+bug/1552291/+subscriptions
More information about the Openstack-security
mailing list