python-designateclient

Documentation doesn't specify that admin credentials are needed to zone abandon

Bug #1627945 reported by Ashish Kumar Gupta
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
python-designateclient
Fix Released
Low
Ashish Kumar Gupta

Bug Description

Using credential of tenant with member role.
Create a zone.
stack@user1:~$ openstack zone create u11.com. --email <email address hidden>
+----------------+--------------------------------------+
| Field | Value |
+----------------+--------------------------------------+
| action | CREATE |
| attributes | {} |
| created_at | 2016-09-27T06:41:39.000000 |
| description | None |
| email | <email address hidden> |
| id | f1025bba-ebab-48e6-971a-6c451a8888cf |
| masters | |
| name | u11.com. |
| pool_id | 794ccc2c-d751-44fe-b57f-8894c9f5c842 |
| project_id | 67850ec5eba444ec87e3e2ef2f8be376 |
| serial | 1474958499 |
| status | PENDING |
| transferred_at | None |
| ttl | 3600 |
| type | PRIMARY |
| updated_at | None |
| version | 1 |
+----------------+--------------------------------------+
stack@user1:~$ openstack zone list
+--------------------------------------+----------+---------+------------+--------+--------+
| id | name | type | serial | status | action |
+--------------------------------------+----------+---------+------------+--------+--------+
| f1025bba-ebab-48e6-971a-6c451a8888cf | u11.com. | PRIMARY | 1474958499 | ACTIVE | NONE |
+--------------------------------------+----------+---------+------------+--------+--------+

 openstack zone abandon f1025bba-ebab-48e6-971a-6c451a8888cf
forbidden

REQ: curl -g -i --cacert "/etc/ssl/certs/ca-certificates.crt" -X POST https://172.168.1.5:9001/v2/zones/f1025bba-ebab-48e6-971a-6c451a8888cf/tasks/abandon -H "User-Agent: python-designateclient-2.1.1" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}03b9fa30b5996d7f3a513856e684b88d3b84856f"
"POST /v2/zones/f1025bba-ebab-48e6-971a-6c451a8888cf/tasks/abandon HTTP/1.1" 403 92
RESP: [403] Date: Tue, 27 Sep 2016 06:43:31 GMT Content-Length: 92 Content-Type: application/json X-Openstack-Request-Id: req-54c0c508-9777-4f6d-bae2-3933ab6dba99
RESP BODY: {"code": 403, "type": "forbidden", "request_id": "req-54c0c508-9777-4f6d-bae2-3933ab6dba99"}

forbidden
Traceback (most recent call last):
  File "/opt/stack/venv/openstackclient-20160926T002001Z/lib/python2.7/site-packages/cliff/app.py", line 346, in run_subcommand
    result = cmd.run(parsed_args)
  File "/opt/stack/venv/openstackclient-20160926T002001Z/lib/python2.7/site-packages/cliff/command.py", line 55, in run
    self.take_action(parsed_args)
  File "/opt/stack/venv/openstackclient-20160926T002001Z/lib/python2.7/site-packages/designateclient/v2/cli/zones.py", line 252, in take_action
    client.zones.abandon(parsed_args.id)
  File "/opt/stack/venv/openstackclient-20160926T002001Z/lib/python2.7/site-packages/designateclient/v2/zones.py", line 74, in abandon
    self.client.session.post(url)
  File "/opt/stack/venv/openstackclient-20160926T002001Z/lib/python2.7/site-packages/keystoneclient/adapter.py", line 182, in post
    return self.request(url, 'POST', **kwargs)
  File "/opt/stack/venv/openstackclient-20160926T002001Z/lib/python2.7/site-packages/designateclient/v2/client.py", line 62, in request
    raise exceptions.Forbidden(**response_payload)
Forbidden: forbidden
clean_up AbandonZoneCommand: forbidden
Traceback (most recent call last):
  File "/opt/stack/venv/openstackclient-20160926T002001Z/lib/python2.7/site-packages/openstackclient/shell.py", line 118, in run
    ret_val = super(OpenStackShell, self).run(argv)
  File "/opt/stack/venv/openstackclient-20160926T002001Z/lib/python2.7/site-packages/cliff/app.py", line 226, in run
    result = self.run_subcommand(remainder)
  File "/opt/stack/venv/openstackclient-20160926T002001Z/lib/python2.7/site-packages/openstackclient/shell.py", line 153, in run_subcommand
    ret_value = super(OpenStackShell, self).run_subcommand(argv)
  File "/opt/stack/venv/openstackclient-20160926T002001Z/lib/python2.7/site-packages/cliff/app.py", line 346, in run_subcommand
    result = cmd.run(parsed_args)
  File "/opt/stack/venv/openstackclient-20160926T002001Z/lib/python2.7/site-packages/cliff/command.py", line 55, in run
    self.take_action(parsed_args)
  File "/opt/stack/venv/openstackclient-20160926T002001Z/lib/python2.7/site-packages/designateclient/v2/cli/zones.py", line 252, in take_action
    client.zones.abandon(parsed_args.id)
  File "/opt/stack/venv/openstackclient-20160926T002001Z/lib/python2.7/site-packages/designateclient/v2/zones.py", line 74, in abandon
    self.client.session.post(url)
  File "/opt/stack/venv/openstackclient-20160926T002001Z/lib/python2.7/site-packages/keystoneclient/adapter.py", line 182, in post
    return self.request(url, 'POST', **kwargs)
  File "/opt/stack/venv/openstackclient-20160926T002001Z/lib/python2.7/site-packages/designateclient/v2/client.py", line 62, in request
    raise exceptions.Forbidden(**response_payload)
Forbidden: forbidden

END return value: 1
stack@user1:~$

Expected : Acoording the specification http://docs.openstack.org/developer/python-designateclient/shell-v2.html admin is not must for zone abandon command.

Revision history for this message
Tim Simmons (timsim) wrote :

This is a documentation bug, administrative privilege is required to abandon zones.

Tim Simmons (timsim)
affects: designate → python-designateclient
summary: - Zone abandon is not allowed using non admin users
+ Documentation doesn't specify that admin credentials are needed to zone
+ abandon
Changed in python-designateclient:
status: New → Triaged
importance: Undecided → Low
tags: added: low-hanging-fruit
tags: added: docs
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-designateclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/385742

Changed in python-designateclient:
assignee: nobody → Ashish Kumar Gupta (ashish-kumar-gupta)
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-designateclient (master)

Reviewed: https://review.openstack.org/385742
Committed: https://git.openstack.org/cgit/openstack/python-designateclient/commit/?id=64292094d7018e08839e3143b537b789431aa8c8
Submitter: Jenkins
Branch: master

commit 64292094d7018e08839e3143b537b789431aa8c8
Author: ashish-kumar-gupta <email address hidden>
Date: Thu Oct 13 10:39:53 2016 +0530

    Fix for bug 1627945

    Documentation doesn't specify that admin credentials are needed to zone abandon

    Change-Id: I3f3d2ae35824bcffa285878629fd4a841c0cf602
    Closes-Bug: #1627945

Changed in python-designateclient:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/python-designateclient 2.4.0

This issue was fixed in the openstack/python-designateclient 2.4.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.