Context checks in the db layer prevent default RBAC from working correctly

Bug #1917504 reported by Goutham Pacha Ravi
Affects: OpenStack Shared File Systems Service (Manila)
Status: Won't Fix
Importance: Medium
Assigned to: Goutham Pacha Ravi
Milestone: none

Bug Description

In the Wallaby release, manila plans to refresh its policy defaults and allow user scopes as defined by the OpenStack Identity service (keystone) [1].

There are existing context checks (example [2]) in the database layer that prevent a system-scoped user from obtaining information that is written into the database. Some of these context checks require an admin context; however, RBAC policy overrides may have been set to allow regular users, or users with roles other than admin, to access these objects (example [3]). We need to relax these context checks in order to ensure correctness, and perhaps add missing RBAC policies where appropriate.

The exact issue is that the context checkers require either that you be allowed by the RBAC policy default "context_is_admin" [4] or that you have both a user_id and a project_id. System-scoped users will not have a project_id, and they may not have the "admin" role either, which is the default role for the "context_is_admin" RBAC policy.
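The following is an added illustration, not manila's own code: it reconstructs the shape of the db-layer check described above (admin context, or a user_id plus a project_id) as a decorator, builds three constructed request contexts, and shows that a system-scoped reader is rejected by the original-style check even though nothing in RBAC policy would deny it. A relaxed variant that also admits system-scoped callers, and leaves the actual authorization decision to the policy layer, is shown beside it. The `RequestContext` class, the function names and the sample availability-zone rows are assumptions made for this example.

```python
"""Illustration (added here, not manila's code) of why a db-layer context
check rejects a system-scoped reader even when RBAC policy allows the call.

RequestContext mimics the fields an oslo.context request context carries;
the check functions reconstruct the pattern the bug describes: a caller must
either be admin ("context_is_admin") or carry both a user_id and a
project_id. System-scoped tokens have no project_id, so they fail.
"""
from dataclasses import dataclass, field
from functools import wraps
from typing import List, Optional


class NotAuthorized(Exception):
    """Raised by the db layer when the context check fails."""


@dataclass
class RequestContext:
    user_id: Optional[str] = None
    project_id: Optional[str] = None
    system_scope: Optional[str] = None      # "all" for system-scoped tokens
    roles: List[str] = field(default_factory=list)
    is_admin: bool = False                  # outcome of the context_is_admin policy


def is_admin_context(ctx):
    return ctx.is_admin


def is_user_context(ctx):
    # A project-scoped user needs both identifiers.
    return bool(ctx.user_id and ctx.project_id)


def require_context(f):
    """Original-style check: admin OR (user_id AND project_id)."""
    @wraps(f)
    def wrapper(ctx, *args, **kwargs):
        if not is_admin_context(ctx) and not is_user_context(ctx):
            raise NotAuthorized()
        return f(ctx, *args, **kwargs)
    return wrapper


def is_system_scoped_context(ctx):
    # A system-scoped token identifies a user but carries no project.
    return ctx.system_scope == "all" and bool(ctx.user_id)


def require_context_relaxed(f):
    """Relaxed check: additionally admit system-scoped callers and let the
    RBAC policy layer decide what that caller may actually see."""
    @wraps(f)
    def wrapper(ctx, *args, **kwargs):
        if not (is_admin_context(ctx) or is_user_context(ctx)
                or is_system_scoped_context(ctx)):
            raise NotAuthorized()
        return f(ctx, *args, **kwargs)
    return wrapper


AVAILABILITY_ZONES = [{"name": "manila-zone-0"}]  # constructed sample rows


@require_context
def availability_zone_get_all(ctx):
    return list(AVAILABILITY_ZONES)


@require_context_relaxed
def availability_zone_get_all_relaxed(ctx):
    return list(AVAILABILITY_ZONES)


def try_call(fn, ctx):
    """Return 'ok' or 'NotAuthorized' instead of raising, for comparison."""
    try:
        fn(ctx)
        return "ok"
    except NotAuthorized:
        return "NotAuthorized"


# Constructed callers: a project-scoped member, a project-scoped admin, and a
# system-scoped reader (user_id present, project_id absent, not admin).
PROJECT_MEMBER = RequestContext(user_id="u1", project_id="p1", roles=["member"])
PROJECT_ADMIN = RequestContext(user_id="u2", project_id="p1",
                               roles=["admin"], is_admin=True)
SYSTEM_READER = RequestContext(user_id="u3", system_scope="all", roles=["reader"])


if __name__ == "__main__":
    callers = [("project member", PROJECT_MEMBER),
               ("project admin", PROJECT_ADMIN),
               ("system reader", SYSTEM_READER)]
    for name, ctx in callers:
        print(f"{name:14s} original: {try_call(availability_zone_get_all, ctx):14s}"
              f" relaxed: {try_call(availability_zone_get_all_relaxed, ctx)}")
```

Running the block prints one line per caller; only the system reader differs between the two checks, which is exactly the 403 the reproduction steps observe. Note that the relaxed decorator still rejects an empty context, so it narrows the gate to "is this an authenticated caller" rather than removing it.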

Steps to reproduce

These steps use the "availability zones" API as an example - the policy defaults for this API have been adjusted with:

1) Clear any old environment that may conflict.
   $ for key in $( set | awk -F= '/^OS_/ {print $1}' ); do unset "${key}" ; done

2) If you don't have a URL without project_id in it, system scoped users can't find the manila service, so set it (we do this as part of devstack since:
   $ MANILA_ENDPOINT=$(openstack endpoint list --service manilav2 -f value -c ID)
   $ HOST_IP=$(grep HOST_IP= ~/devstack/.stackenv | cut -d "=" -f 2)
   $ openstack endpoint set --url http://$HOST_IP/share/v2 $MANILA_ENDPOINT

3) Issue a token as a system-scoped reader and call the API (jq -r strips the JSON quotes so the URL is usable in the curl command):
   $ export OS_CLOUD=devstack-system-reader
   $ TOKEN=$(openstack token issue -f value -c id)
   $ MANILA_URL=$(openstack catalog show manilav2 -c endpoints -f json | jq -r .endpoints[0].url)
   $ curl -i -X GET $MANILA_URL/availability-zones -H "X-Auth-Token: $TOKEN" -H "X-OpenStack-Manila-API-Version: 2.57"

Expected result
200 OK with AZs as JSON

Actual result
403 Forbidden

1. Devstack, Wallaby/main

Logs & Configs

You could set [oslo_policy]/enforce_scope=True and [oslo_policy]/enforce_new_defaults=True, but these have no effect as far as this failure is concerned.

tags: added: rbac
tags: added: backport-potential
Revision history for this message
Goutham Pacha Ravi (gouthamr) wrote :

A current workaround for this issue is to adjust/relax the "context_is_admin" in the policy to include users operating with system scope, having a reader role.

Changed in manila:
milestone: none → xena-1
importance: Undecided → Medium
assignee: nobody → Goutham Pacha Ravi (gouthamr)
Changed in manila:
milestone: xena-1 → xena-2
Vida Haririan (vhariria)
Changed in manila:
status: New → Confirmed
Changed in manila:
milestone: xena-2 → xena-3
Changed in manila:
milestone: xena-3 → yoga-1
Changed in manila:
milestone: yoga-1 → yoga-2
Changed in manila:
milestone: yoga-2 → yoga-3
Changed in manila:
milestone: yoga-3 → yoga-rc1
Changed in manila:
milestone: yoga-rc1 → zed-1
Changed in manila:
milestone: zed-1 → zed-2
Changed in manila:
milestone: zed-2 → zed-3
Revision history for this message
Goutham Pacha Ravi (gouthamr) wrote :

Currently there are no plans to graduate support for system scope:

So closing this bug for now.

Changed in manila:
milestone: zed-3 → none
status: Confirmed → Won't Fix