CLI throws "admin privileges" error when updating router in tenant project

Bug #1502275 reported by Danny Choi
This bug affects 1 person
Affects: networking-cisco
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

I'm using Sridar's Kilo based private branch for ASR1K plugin, asr1k_kilo_stable_wip.

Within the "tenant" project, when performing a "router-update" operation, the CLI throws an error.
Despite the error, the operation is successful.

[root@G10-QA4 neutron(keystone_admin)]# neutron router-update --cisco_ha:enabled=true tenant1-router1
User does not have admin privileges: Cannot create resource for another tenant <<<<< ERROR
[root@G10-QA4 neutron(keystone_admin)]#
[root@G10-QA4 neutron(keystone_admin)]#
[root@G10-QA4 neutron(keystone_admin)]# neutron router-show tenant1-router1
+-------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| admin_state_up | True |
| cisco_ha:details | {"redundancy_routers": [{"priority": 20, "state": "STANDBY", "id": "ff64fddd-252b-4fcc-ab7f-d445fd07cc9f"}], "probe_connectivity": false, "priority": 10, "state": "ACTIVE", "redundancy_level": 1, "type": "HSRP"} |
| cisco_ha:enabled | True <<<<< OPERATION IS SUCCESSFUL |
| external_gateway_info | {"network_id": "b3e2514d-4342-47ec-a91b-c1e7e0c96b05", "external_fixed_ips": [{"subnet_id": "454b1af9-0775-40bb-865e-560097d71dc7", "ip_address": "169.254.128.27"}]} |
| id | b35e68c2-0c4e-4ae8-84d9-86c893491235 |
| name | tenant1-router1 |
| routerhost:hosting_device | 00000000-0000-0000-0000-000000000001 |
| routerrole:role | |
| routertype-aware-scheduler:auto_schedule | True |
| routertype-aware-scheduler:share_hosting_device | True |
| routertype:id | 00000000-0000-0000-0000-000000000003 |
| routes | |
| status | ACTIVE |
| tenant_id | 5c38527531e3475e94b28212a39c00b4 |
+-------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

=================================================

Snippet with debug enabled:

[root@G10-QA4 neutron(keystone_admin)]# neutron --debug router-update --cisco_ha:enabled=false tenant1-router1
DEBUG: keystoneclient.session REQ: curl -g -i -X GET http://172.29.85.228:5000/v2.0 -H "Accept: application/json" -H "User-Agent: python-keystoneclient"
DEBUG: keystoneclient.session RESP: [200] content-length: 339 vary: X-Auth-Token server: Apache/2.4.6 (Red Hat Enterprise Linux) connection: close date: Fri, 02 Oct 2015 18:19:27 GMT content-type: application/json x-openstack-request-id: req-4c601be9-9956-4b71-84b1-5e9648fdc01f
RESP BODY: {"version": {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}], "id": "v2.0", "links": [{"href": "http://172.29.85.228:5000/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/", "type": "text/html", "rel": "describedby"}]}}

DEBUG: neutronclient.neutron.v2_0.router.UpdateRouter run(Namespace(id=u'tenant1-router1', request_format='json'))
DEBUG: keystoneclient.auth.identity.v2 Making authentication request to http://172.29.85.228:5000/v2.0/tokens
DEBUG: keystoneclient.session REQ: curl -g -i -X GET http://172.29.85.228:9696/v2.0/routers.json?fields=id&name=tenant1-router1 -H "User-Agent: python-neutronclient" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}58fa3d82ce0a0b50d16ee1e910dc4fcfb6cd0f8f"
DEBUG: keystoneclient.session RESP: [200] date: Fri, 02 Oct 2015 18:19:27 GMT connection: keep-alive content-type: application/json; charset=UTF-8 content-length: 61 x-openstack-request-id: req-0eb8d9ac-1ddf-47fa-bead-12874bc4e412
RESP BODY: {"routers": [{"id": "b35e68c2-0c4e-4ae8-84d9-86c893491235"}]}

DEBUG: keystoneclient.session REQ: curl -g -i -X PUT http://172.29.85.228:9696/v2.0/routers/b35e68c2-0c4e-4ae8-84d9-86c893491235.json -H "User-Agent: python-neutronclient" -H "Content-Type: application/json" -H "Accept: application/json" -H "X-Auth-Token: {SHA1}58fa3d82ce0a0b50d16ee1e910dc4fcfb6cd0f8f" -d '{"router": {"cisco_ha:enabled": "false"}}'
DEBUG: keystoneclient.session RESP:
DEBUG: neutronclient.v2_0.client Error message: {"NeutronError": {"message": "User does not have admin privileges: Cannot create resource for another tenant", "type": "AdminRequired", "detail": ""}}
ERROR: neutronclient.shell User does not have admin privileges: Cannot create resource for another tenant
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/neutronclient/shell.py", line 766, in run_subcommand
    return run_command(cmd, cmd_parser, sub_argv)
  File "/usr/lib/python2.7/site-packages/neutronclient/shell.py", line 101, in run_command
    return cmd.run(known_args)
  File "/usr/lib/python2.7/site-packages/neutronclient/neutron/v2_0/__init__.py", line 535, in run
    obj_updater(_id, body)
  File "/usr/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 102, in with_params
    ret = self.function(instance, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 655, in update_router
    return self.put(self.router_path % (router), body=body)
  File "/usr/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 302, in put
    headers=headers, params=params)
  File "/usr/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 270, in retry_request
    headers=headers, params=params)
  File "/usr/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 211, in do_request
    self._handle_fault_response(status_code, replybody)
  File "/usr/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 185, in _handle_fault_response
    exception_handler_v20(status_code, des_error_body)
  File "/usr/lib/python2.7/site-packages/neutronclient/v2_0/client.py", line 70, in exception_handler_v20
    status_code=status_code)
Forbidden: User does not have admin privileges: Cannot create resource for another tenant <<<<<< ERROR

*************************************************

This seems to be related to the ASR1K plugin because the error is NOT seen when the plugin is not installed:

[root@G10-QA4 ~(keystone_admin)]# export OS_USERNAME=tenant1-user
[root@G10-QA4 ~(keystone_admin)]# export OS_TENANT_NAME=tenant1
[root@G10-QA4 ~(keystone_admin)]# export OS_PASSWORD=tenant1-user
[root@G10-QA4 ~(keystone_admin)]# neutron router-create tenant1-router1
Created a new router:
+-----------------------+--------------------------------------+
| Field | Value |
+-----------------------+--------------------------------------+
| admin_state_up | True |
| external_gateway_info | |
| id | d2cbe379-eaf3-407a-91a9-2a6585ab332d |
| name | tenant1-router1 |
| routes | |
| status | ACTIVE |
| tenant_id | 4d04968def6d4a3e87b5a77cf97ce12c |
+-----------------------+--------------------------------------+
[root@G10-QA4 ~(keystone_admin)]# neutron router-list
+--------------------------------------+-----------------+-----------------------+
| id | name | external_gateway_info |
+--------------------------------------+-----------------+-----------------------+
| d2cbe379-eaf3-407a-91a9-2a6585ab332d | tenant1-router1 | null |
+--------------------------------------+-----------------+-----------------------+
[root@G10-QA4 ~(keystone_admin)]# neutron router-gateway-set tenant1-router1 ext-net
Set gateway for router tenant1-router1

                   <<<<<NO ERROR

[root@G10-QA4 ~(keystone_admin)]# neutron router-list
+--------------------------------------+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id | name | external_gateway_info |
+--------------------------------------+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| d2cbe379-eaf3-407a-91a9-2a6585ab332d | tenant1-router1 | {"network_id": "6cf5febe-154b-4a03-aac6-ccdd43334c63", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "8cf5d59c-ce84-41e3-b229-88590034327d", "ip_address": "172.29.85.231"}]} |
+--------------------------------------+-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@G10-QA4 ~(keystone_admin)]#
[root@G10-QA4 ~(keystone_admin)]#
[root@G10-QA4 ~(keystone_admin)]#
[root@G10-QA4 ~(keystone_admin)]#
[root@G10-QA4 ~(keystone_admin)]# nova-manage version
2015.1.0-18.el7ost
[root@G10-QA4 ~(keystone_admin)]#

Tags: asr1k cisco
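
A consistency check for the symptom reported above, added here as an example (it is not part of the original report or of the networking-cisco code): it pairs the PUT body and NeutronError from `neutron --debug` output with a later `router-show` table and lists the attributes that took effect even though the API returned an error. The sample transcripts are constructed from the ones in the report, with the token replaced by a placeholder; the function names are hypothetical.

```python
import json
import re

# Constructed sample, modelled on the transcripts in this report (token is a placeholder).
DEBUG_LOG = '''\
DEBUG: keystoneclient.session REQ: curl -g -i -X PUT http://172.29.85.228:9696/v2.0/routers/b35e68c2-0c4e-4ae8-84d9-86c893491235.json -H "X-Auth-Token: {SHA1}REDACTED" -d '{"router": {"cisco_ha:enabled": "true"}}'
DEBUG: neutronclient.v2_0.client Error message: {"NeutronError": {"message": "User does not have admin privileges: Cannot create resource for another tenant", "type": "AdminRequired", "detail": ""}}
'''
SHOW_TABLE = '''\
+------------------+--------------------------------------+
| Field            | Value                                |
+------------------+--------------------------------------+
| cisco_ha:enabled | True                                 |
| id               | b35e68c2-0c4e-4ae8-84d9-86c893491235 |
| name             | tenant1-router1                      |
+------------------+--------------------------------------+
'''

PUT_RE = re.compile(r"-X PUT \S+/routers/([0-9a-f-]+)\.json .* -d '(\{.*\})'")
ERR_RE = re.compile(r"Error message: (\{.*\})")

def parse_debug(log):
    """Return (router_id, requested_attrs, error_type) from `neutron --debug` output."""
    router_id, attrs, err = None, {}, None
    for line in log.splitlines():
        m = PUT_RE.search(line)
        if m:
            router_id, attrs = m.group(1), json.loads(m.group(2))["router"]
        m = ERR_RE.search(line)
        if m:
            err = json.loads(m.group(1)).get("NeutronError", {}).get("type")
    return router_id, attrs, err

def parse_show(table):
    """Parse a `neutron router-show` table into {field: value}."""
    rows = {}
    for line in table.splitlines():
        if line.startswith("|"):
            field, _, value = line.strip("| ").partition("|")
            rows[field.strip()] = value.strip()
    return rows

def applied_despite_error(log, table):
    """Fields whose requested value is in effect although the API returned an error."""
    router_id, attrs, err = parse_debug(log)
    state = parse_show(table)
    if err is None or state.get("id") != router_id:
        return []
    return sorted(k for k, v in attrs.items() if str(v).lower() == state.get(k, "").lower())
```

A non-empty result means the rejected request still changed the router, which is the mismatch between the error and the stored state that this report describes.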