view hypervisor details should be controlled by policy.json

Bug #1447084 reported by Divya K Konoor
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | High | Divya K Konoor |
Kilo | Fix Released | Undecided | Unassigned |

Bug Description

When a user with non-admin permissions attempts to view the hypervisor details (/v2/2f8728e1c3214d8bb59903ba654ed6c1/os-hypervisors/1), we see the following error:

2015-04-19 21:34:22.194 23179 ERROR nova.api.openstack.compute.contrib.hypervisors [req-5caab0db-31aa-4a24-9263-750af6555ef5 605c378ebded02d6a2deebe138c0ef9d6a0ddf39447297105dcc4eb18c7cc062 9b0d73e660af434481a0a9b6d6a3bab7 - - -] User does not have admin privileges
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors Traceback (most recent call last):
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors File "/usr/lib/python2.7/site-packages/nova/api/openstack/compute/contrib/hypervisors.py", line 147, in show
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors service = self.host_api.service_get_by_compute_host(context, hyp.host)
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors File "/usr/lib/python2.7/site-packages/nova/compute/api.py", line 3451, in service_get_by_compute_host
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors return objects.Service.get_by_compute_host(context, host_name)
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors File "/usr/lib/python2.7/site-packages/nova/objects/base.py", line 163, in wrapper
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors result = fn(cls, context, *args, **kwargs)
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors File "/usr/lib/python2.7/site-packages/nova/objects/service.py", line 151, in get_by_compute_host
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors db_service = db.service_get_by_compute_host(context, host)
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors File "/usr/lib/python2.7/site-packages/nova/db/api.py", line 139, in service_get_by_compute_host
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors use_slave=use_slave)
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors File "/usr/lib/python2.7/site-packages/nova/db/sqlalchemy/api.py", line 214, in wrapper
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors nova.context.require_admin_context(args[0])
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors File "/usr/lib/python2.7/site-packages/nova/context.py", line 235, in require_admin_context
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors raise exception.AdminRequired()
2015-04-19 21:34:22.194 23179 TRACE nova.api.openstack.compute.contrib.hypervisors AdminRequired: User does not have admin privileges

This is caused because the /usr/lib/python2.7/site-packages/nova/db/sqlalchemy/api layer mandates that only an admin can perform this operation. This should not be the case. Instead, the permissions should be controlled as per the rules defined in the nova policy.json. This used to work for non-admins until a few days/weeks back.

Eli Qiao (taget-9) wrote :

Hi Divya, I don't think we can fix it in the v2 api.
Currently, we are working on the v2.1 api; see this bp: https://github.com/openstack/nova-specs/blob/master/specs/liberty/approved/nova-api-policy.rst
It will remove all sqlalchemy api layer permissions back to the REST api layer, and the user can configure it in policy.json, maybe later in policy.d/00-xxx.json. But that is for the L release.

jichenjc (jichenjc) wrote :

Because we already have a bp, this might be closed when the bp is finished, after checking whether it satisfies the user.

Changed in nova:
status: New → Confirmed
importance: Undecided → Wishlist
Alex Xu (xuhj) wrote :

This was introduced by an extra db call which requires admin context in this patch: https://review.openstack.org/#/c/150568

We can fix it by passing an elevated context down to the db code, then we can keep the hypervisor api behavior as before.

tags: added: kilo-rc-potential
Alex Xu (xuhj) wrote :

Correcting some words in the above.

For kilo rc, we can fix it by passing an elevated context down to the db code, then we can keep the hypervisor api behavior as before.

For master code, it is already fixed by https://review.openstack.org/#/c/160089/, but we can't backport it to kilo rc, as this touches some base code. So it is too risky for kilo rc.

Changed in nova:
importance: Wishlist → High
Alex Xu (xuhj) wrote :

Describing the problem in more detail:

Before https://review.openstack.org/#/c/150568, a user could update the policy rule for the hypervisor api to "compute_extension:hypervisors": "", which made it possible for a non-admin user to access the api.

But after that patch, it introduced a db call service_get_by_host_and_topic which requires admin context. Then even if the policy allows any user to access the api, the db call always stops that.

We should fix the API's behavior as before.

Changed in nova:
assignee: nobody → Divya K Konoor (dikonoor)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/176651

Changed in nova:
status: Confirmed → In Progress
Divya K Konoor (dikonoor) wrote :

As per yesterday's IRC conversation at http://eavesdrop.openstack.org/irclogs/%23openstack-nova/%23openstack-nova.2015-04-22.log, it was decided that these changes will go into master and then get backported. The changes would be to send across an elevated context to host_api.service_get_by_compute_host so that it goes through the requires_admin_context check.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/178059

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/176651
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=6be11856c6ac1cbd611cea894a0e26165ee5c5a5
Submitter: Jenkins
Branch: master

commit 6be11856c6ac1cbd611cea894a0e26165ee5c5a5
Author: Divya <email address hidden>
Date: Thu Apr 23 09:38:52 2015 +0200

    view hypervisor details rest api should be allowed for non-admins

    The current call to show hypervisor is broken and expects the
    user to have admin privileges always. It does not allow
    non-admin users to view hypervisor details. This should be
    controlled based on the rule defined in the policy.json rather
    than have the permissions mandated programmatically. This bug
    is caused due to regression and was working earlier. So the
    changes proposed here are merely retaining the older behavior.
    To ensure that this works as before, the context passed to the
    db api layer is elevated so that it passes the
    requires_admin_context check that is present in the db layer.

    Change-Id: I50437788aac72608998cf9c24d4d562b1ff20301
    Closes-Bug: 1447084
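
The layering discussed in this bug, as an added example that is not part of the original report and is not nova's code: a simplified model in which the REST layer checks policy.json and the db layer has a hard-coded admin check. The class and function bodies, the two-form rule syntax ("" or "role:<name>") and the sample host name are assumptions made for illustration.

```python
import functools

class AdminRequired(Exception): pass
class PolicyNotAuthorized(Exception): pass

class RequestContext:
    def __init__(self, roles, is_admin=False):
        self.roles, self.is_admin = roles, is_admin
    def elevated(self):
        # Admin copy of the context; the caller's own context is unchanged.
        return RequestContext(self.roles, is_admin=True)

def require_admin_context(fn):
    # Stand-in for the db-layer check seen in the traceback.
    @functools.wraps(fn)
    def wrapper(context, *args):
        if not context.is_admin:
            raise AdminRequired("User does not have admin privileges")
        return fn(context, *args)
    return wrapper

@require_admin_context
def service_get_by_compute_host(context, host):
    return {"host": host, "disabled": False}  # constructed row

ACTION = "compute_extension:hypervisors"

def authorize(context, policy, action):
    # Simplified rule subset: "" allows anyone, "role:X" requires role X.
    rule = policy[action]
    if rule and rule.split(":", 1)[1] not in context.roles:
        raise PolicyNotAuthorized(action)

def show_regressed(context, policy, host):
    authorize(context, policy, ACTION)
    return service_get_by_compute_host(context, host)  # caller's context

def show_fixed(context, policy, host):
    # Policy is enforced on the caller's context before any elevation.
    authorize(context, policy, ACTION)
    return service_get_by_compute_host(context.elevated(), host)

def outcome(fn, context, policy):
    # Returns "allowed" or the name of the exception that blocked the call.
    try:
        fn(context, policy, "compute-1")
        return "allowed"
    except (AdminRequired, PolicyNotAuthorized) as exc:
        return type(exc).__name__
```

Once the db call runs with an elevated context, the policy rule is the only gate on this API, so the `authorize` call has to stay ahead of the elevation and the deployed rule for `compute_extension:hypervisors` decides who can read hypervisor details.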

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
tags: removed: kilo-rc-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/kilo)

Reviewed: https://review.openstack.org/178059
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=cbf606bdba621bbdf940fac7c8c3fbc40d0f12b8
Submitter: Jenkins
Branch: stable/kilo

commit cbf606bdba621bbdf940fac7c8c3fbc40d0f12b8
Author: Divya <email address hidden>
Date: Thu Apr 23 09:38:52 2015 +0200

    view hypervisor details rest api should be allowed for non-admins

    The current call to show hypervisor is broken and expects the
    user to have admin privileges always. It does not allow
    non-admin users to view hypervisor details. This should be
    controlled based on the rule defined in the policy.json rather
    than have the permissions mandated programmatically. This bug
    is caused due to regression and was working earlier. So the
    changes proposed here are merely retaining the older behavior.
    To ensure that this works as before, the context passed to the
    db api layer is elevated so that it passes the
    requires_admin_context check that is present in the db layer.

    Change-Id: I50437788aac72608998cf9c24d4d562b1ff20301
    Closes-Bug: 1447084
    (cherry picked from commit 6be11856c6ac1cbd611cea894a0e26165ee5c5a5)

tags: added: in-stable-kilo
Thierry Carrez (ttx)
Changed in nova:
milestone: none → liberty-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: liberty-1 → 12.0.0