Context checks in the db layer prevent default RBAC from working correctly
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Shared File Systems Service (Manila) | Won't Fix | Medium | Goutham Pacha Ravi |
Bug Description
Description
===========
In the Wallaby release, manila plans to refresh its policy defaults and allow user scopes as defined with the OpenStack Identity service (keystone) [1].
There are existing context checks (example [2]) in the database layer that prevent a system-scoped user from obtaining information that's written into the database. Some of these context checks require an admin context; however, the RBAC via policy overrides may have been set to allow regular users, or users with roles other than admin, to access these objects (example [3]). We need to relax these context checks in order to ensure correctness, and perhaps add missing RBAC policies where appropriate.
The exact issue is that the context checkers require that you be allowed by the RBAC policy default "context_is_admin" [4], or that you have a user_id and a project_id. System users will not have a project_id, and they may not have the "admin" role either, which is the default role for the "context_is_admin" RBAC policy.
Steps to reproduce
==================
These steps use the "availability zones" API as an example - the policy defaults for this API have been adjusted with: https:/
1) Clear any old environment that may conflict.
$ for key in $( set | awk -F= '/^OS_/ {print $1}' ); do unset "${key}" ; done
2) If you don't have a URL without project_id in it, system scoped users can't find the manila service, so set it: (we do this as part of devstack since: https:/
3) $ export OS_CLOUD=
$ TOKEN=$(openstack token issue -f value -c id)
$ MANILA_
curl -i -X GET $MANILA_
Expected result
===============
200 OK with AZs as JSON
Actual result
=============
403 Forbidden
Environment
===========
1. Devstack, Wallaby/main
Logs & Configs
==============
You could set [oslo_policy]
but these have no effect as far as this failure is concerned.
[1] https:/
[2] https:/
[3] https:/
[4] https:/
tags: added: rbac
tags: added: backport-potential
Changed in manila:
  milestone: none → xena-1
  importance: Undecided → Medium
  assignee: nobody → Goutham Pacha Ravi (gouthamr)
Changed in manila:
  milestone: xena-1 → xena-2
Changed in manila:
  status: New → Confirmed
Changed in manila:
  milestone: xena-2 → xena-3
Changed in manila:
  milestone: xena-3 → yoga-1
Changed in manila:
  milestone: yoga-1 → yoga-2
Changed in manila:
  milestone: yoga-2 → yoga-3
Changed in manila:
  milestone: yoga-3 → yoga-rc1
Changed in manila:
  milestone: yoga-rc1 → zed-1
Changed in manila:
  milestone: zed-1 → zed-2
Changed in manila:
  milestone: zed-2 → zed-3
A current workaround for this issue is to adjust/relax the "context_is_admin" in the policy to include users operating with system scope, having a reader role.
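The following is an added example, not manila's own code and not part of this bug thread. It models the db-layer context check the description talks about (a caller is admitted only if the context is admin, or carries both a user_id and a project_id) and the two ways out discussed on this page: relaxing the db check so a system-scoped caller passes, and the workaround comment above, which widens the "context_is_admin" rule to a system-scoped reader. RequestContext, require_context, is_user_context, is_system_context, the availability-zone getters, the sample rows and the policy-rule wording are all simplified stand-ins (assumptions) chosen to follow the pattern the report describes, not manila's real signatures.

```python
"""Model of the db-layer context check described in this bug (added example)."""
import functools
from dataclasses import dataclass, field
from typing import List, Optional


class NotAuthorized(Exception):
    """Stand-in for the exception the db layer raises (surfaces as HTTP 403)."""


@dataclass
class RequestContext:
    """Simplified stand-in for the service's request context (assumption)."""
    user_id: Optional[str]
    project_id: Optional[str]
    roles: List[str] = field(default_factory=list)
    system_scope: Optional[str] = None   # "all" for a system-scoped token
    is_admin: bool = False               # set from the context_is_admin rule


def context_is_admin_default(ctx):
    """Default context_is_admin rule named in the report: role:admin."""
    return "admin" in ctx.roles


def context_is_admin_workaround(ctx):
    """Workaround from the thread: also count a system-scoped reader as admin.
    Equivalent to a policy rule like 'role:admin or (role:reader and
    system_scope:all)' (assumed wording, not a quoted policy file)."""
    return "admin" in ctx.roles or (
        "reader" in ctx.roles and ctx.system_scope == "all")


def make_context(user_id, project_id, roles, system_scope, is_admin_rule):
    """Build a context and evaluate the given context_is_admin rule on it."""
    ctx = RequestContext(user_id, project_id, list(roles), system_scope)
    ctx.is_admin = is_admin_rule(ctx)
    return ctx


def is_user_context(ctx):
    """Strict check as the report describes: a non-admin caller must carry
    user_id AND project_id. A system-scoped token has no project_id."""
    if ctx.is_admin:
        return False
    return bool(ctx.user_id and ctx.project_id)


def is_system_context(ctx):
    """Relaxed addition: a system-scoped caller has user_id and system_scope
    but no project_id; what it may read is left to the API-layer RBAC."""
    return bool(ctx.user_id and ctx.system_scope and not ctx.project_id)


def require_context(allow_system_scope=False):
    """Decorator in the style of a db-layer context checker (assumption)."""
    def decorator(f):
        @functools.wraps(f)
        def wrapper(ctx, *args, **kwargs):
            allowed = ctx.is_admin or is_user_context(ctx)
            if allow_system_scope:
                allowed = allowed or is_system_context(ctx)
            if not allowed:
                raise NotAuthorized(f"{f.__name__}: context rejected")
            return f(ctx, *args, **kwargs)
        return wrapper
    return decorator


# Constructed rows standing in for the availability_zones table.
AVAILABILITY_ZONES = [
    {"id": "az-1", "name": "nova"},
    {"id": "az-2", "name": "manila-zone-b"},
]


@require_context()
def availability_zone_get_all_strict(ctx):
    """Behaves as reported: 403 for a system-scoped reader."""
    return list(AVAILABILITY_ZONES)


@require_context(allow_system_scope=True)
def availability_zone_get_all_relaxed(ctx):
    """Relaxed db check: the system-scoped reader gets the rows."""
    return list(AVAILABILITY_ZONES)


def call(getter, ctx):
    """Map the outcome onto the HTTP status the API would hand back."""
    try:
        getter(ctx)
        return "200"
    except NotAuthorized:
        return "403"


if __name__ == "__main__":
    system_reader = ("u-sys", None, ["reader", "member"], "all")
    project_member = ("u-proj", "p-1", ["member"], None)
    print("system reader, strict db check, default rule:",
          call(availability_zone_get_all_strict,
               make_context(*system_reader, context_is_admin_default)))
    print("system reader, relaxed db check:",
          call(availability_zone_get_all_relaxed,
               make_context(*system_reader, context_is_admin_default)))
    print("system reader, strict db check, workaround rule:",
          call(availability_zone_get_all_strict,
               make_context(*system_reader, context_is_admin_workaround)))
    print("project member, strict db check:",
          call(availability_zone_get_all_strict,
               make_context(*project_member, context_is_admin_default)))
```

The first call reproduces the 403 from the steps above: the system reader has no admin role and no project_id, so neither branch of the strict check admits it, no matter what the API-layer policy says. The relaxed getter fixes that in the db layer; the workaround rule fixes it by making every system-scoped reader an admin context, which is broader than the RBAC policy intends and is why the report calls it a workaround rather than a fix.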