| Summary: | RFE: Need to further restrict "get_images" access only for project which own on glance. | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Masaki Furuta ( RH ) <mfuruta> |
| Component: | openstack-glance | Assignee: | Cyril Roelandt <cyril> |
| Status: | CLOSED WONTFIX | QA Contact: | Avi Avraham <aavraham> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 9.0 (Mitaka) | CC: | cschwede, cyril, egafford, eglynn, fpercoco, ikedajnk, kawamurayus, pgrist, scohen, srevivo, ssigwald, tshefi |
| Target Milestone: | --- | Keywords: | FutureFeature |
| Target Release: | --- | Flags: | tshefi: automate_bug- |
| Hardware: | All | | |
| OS: | All | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-08-27 13:24:57 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Attachments: | | | |
Description
Masaki Furuta ( RH )
2016-12-13 15:31:13 UTC
With "get_images": "project_id:admin":

    $ openstack --verbose image list
    START with options: [u'--verbose', u'image', u'list']
    command: image list -> openstackclient.image.v2.image.ListImage
    Using auth plugin: password
    Forbidden (HTTP 403) (Request-ID: req-062cfae9-036b-45fb-8fba-8a7efc456ba3)
    END return value: 1

With "get_images": "project_id:fc7301f899314ee18a4497ecbef7c8c8" (the ID of my admin tenant):

    $ openstack --verbose image list
    START with options: [u'--verbose', u'image', u'list']
    command: image list -> openstackclient.image.v2.image.ListImage
    Using auth plugin: password
    +--------------------------------------+---------------------------------+--------+
    | ID                                   | Name                            | Status |
    +--------------------------------------+---------------------------------+--------+
    | 6bd65ea5-2bae-4a89-8b6b-2cbae5fdd03f | test-img-01                     | queued |
    | 43b7e65f-f57f-4a46-9714-734beccc7737 | cirros-0.3.4-x86_64-uec         | active |
    | db3347d4-aed7-4c49-9c96-8c17288563d9 | cirros-0.3.4-x86_64-uec-ramdisk | active |
    | f7b46601-82aa-4e15-99b7-1d4672037a7a | cirros-0.3.4-x86_64-uec-kernel  | active |
    +--------------------------------------+---------------------------------+--------+
    END return value: 0

This seems kind of related to https://bugzilla.redhat.com/show_bug.cgi?id=1401135 . I'm not exactly sure how this policy should be configured, I'll try to look deeper into that.

Created attachment 1231409 [details]
Result from steps customer suggested with 'project_id:admin'

Created attachment 1231410 [details]
Result from steps customer suggested with 'project_id:<ADMIN UUID>'
(In reply to Cyril Roelandt from comment #1)

Hi Cyril Roelandt,

Thanks for double checking. I'm also attaching the result on OSP9 with the customer-suggested steps from the customer portal case 01744694.

So, just to be clear, you want people to be *unable* to list images, unless one (or more) of the following conditions is true:

- the tenant is the "admin" tenant;
- they are part of the image membership;
- the image is part of their tenant.

Am I right?

I think your rule should start with: "get_images": "project_id:<ID of admin>". Not sure exactly how to get the rest of the rules working, I'll try and find someone who knows oslo.policy well and ask them to take a look.

(In reply to Cyril Roelandt from comment #5)
> So, just to be clear, you want people to be *unable* to list images, unless
> one (or more) of the following conditions is true:
>
> - the tenant is the "admin" tenant;

Yes.

Detailed info:

- As I'm attaching 2 FAILURE results: though the image was owned by admin, we are getting 403 when checked with the ADMIN TENANT (also 403 with the ADMIN USER in ANOTHER TENANT too).
- Here's an excerpt from the attached log, see below;

1.
project_id:admin_id_osp9.txt (FAILURE case with "get_images": "project_id:bc4ac92db130438db61a150c2b435898")

    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# cat /root/keystonerc_admin-v3
    unset OS_SERVICE_TOKEN
    # export OS_USERNAME=admin
    # export OS_PASSWORD=admin
    # export OS_AUTH_URL=http://192.168.123.109:5000/v2.0
    # export PS1='[\u@\h \W(keystone-admin)]\$ '
    #-
    # export OS_TENANT_NAME=admin
    # export OS_REGION_NAME=RegionOne

    export OS_PROJECT_DOMAIN_ID=default
    export OS_USER_DOMAIN_ID=default
    export OS_PROJECT_NAME=admin
    export OS_TENANT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=password
    export OS_AUTH_URL=http://192.168.123.109:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_AUTH_VERSION=3
    export PS1='[\u@\h \W(keystone_admin-v3)]\$ '

    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# . /root/keystonerc_admin-v3
    ...
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# grep get_images /etc/glance/policy.json
    "get_images": "project_id:bc4ac92db130438db61a150c2b435898",
    ...
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# openstack project list
    +----------------------------------+----------+
    | ID                               | Name     |
    +----------------------------------+----------+
    | 5debdcb776c740b58afa56293e8499e8 | services |
    | 64b0ee99d0cc4c979f578325c9f93cba | project1 |
    | bc4ac92db130438db61a150c2b435898 | admin    |
    +----------------------------------+----------+
    ...
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# glance image-create --name=cirros-0.3.4-x86_64-disk.img --visibility=private --container-format=bare --disk-format=qcow2
    +------------------+--------------------------------------+
    | Property         | Value                                |
    +------------------+--------------------------------------+
    | checksum         | ee1eca47dc88f4879d8a229cc70a07c6     |
    | container_format | bare                                 |
    | created_at       | 2016-12-14T03:26:33Z                 |
    | disk_format      | qcow2                                |
    | id               | 56e45762-0cc3-4449-8682-7d3e2353d652 |
    | min_disk         | 0                                    |
    | min_ram          | 0                                    |
    | name             | cirros-0.3.4-x86_64-disk.img         |
    | owner            | bc4ac92db130438db61a150c2b435898     |
    | protected        | False                                |
    | size             | 13287936                             |
    | status           | active                               |
    | tags             | []                                   |
    | updated_at       | 2016-12-14T03:26:33Z                 |
    | virtual_size     | None                                 |
    | visibility       | private                              |
    +------------------+--------------------------------------+
    ...
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# openstack --os-project-id bc4ac92db130438db61a150c2b435898 image list --property owner=bc4ac92db130438db61a150c2b435898
    Forbidden (HTTP 403) (Request-ID: req-3dfaa2b4-dd1c-47bd-818c-11782f992f92)
    ...
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# openstack --os-project-id bc4ac92db130438db61a150c2b435898 image list --shared
    Forbidden (HTTP 403) (Request-ID: req-edb58504-4a36-4945-9c35-f80093d15771)

2. project_id:admin_osp9.txt (FAILURE case with "get_images": "project_id:admin")

    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# cat /root/keystonerc_admin-v3
    unset OS_SERVICE_TOKEN
    # export OS_USERNAME=admin
    # export OS_PASSWORD=admin
    # export OS_AUTH_URL=http://192.168.123.109:5000/v2.0
    # export PS1='[\u@\h \W(keystone-admin)]\$ '
    #-
    # export OS_TENANT_NAME=admin
    # export OS_REGION_NAME=RegionOne

    export OS_PROJECT_DOMAIN_ID=default
    export OS_USER_DOMAIN_ID=default
    export OS_PROJECT_NAME=admin
    export OS_TENANT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=password
    export OS_AUTH_URL=http://192.168.123.109:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_AUTH_VERSION=3
    export PS1='[\u@\h \W(keystone_admin-v3)]\$ '

    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# . /root/keystonerc_admin-v3
    ...
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# grep get_images /etc/glance/policy.json
    "get_images": "project_id:admin",
    ...
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# openstack project list
    +----------------------------------+----------+
    | ID                               | Name     |
    +----------------------------------+----------+
    | 5debdcb776c740b58afa56293e8499e8 | services |
    | 64b0ee99d0cc4c979f578325c9f93cba | project1 |
    | bc4ac92db130438db61a150c2b435898 | admin    |
    +----------------------------------+----------+
    ...
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# glance image-create --name=cirros-0.3.4-x86_64-disk.img --visibility=private --container-format=bare --disk-format=qcow2
    +------------------+--------------------------------------+
    | Property         | Value                                |
    +------------------+--------------------------------------+
    | checksum         | ee1eca47dc88f4879d8a229cc70a07c6     |
    | container_format | bare                                 |
    | created_at       | 2016-12-14T03:27:32Z                 |
    | disk_format      | qcow2                                |
    | id               | 1c53080a-eadd-4aad-ba98-19ddf6bac5ff |
    | min_disk         | 0                                    |
    | min_ram          | 0                                    |
    | name             | cirros-0.3.4-x86_64-disk.img         |
    | owner            | bc4ac92db130438db61a150c2b435898     |
    | protected        | False                                |
    | size             | 13287936                             |
    | status           | active                               |
    | tags             | []                                   |
    | updated_at       | 2016-12-14T03:27:32Z                 |
    | virtual_size     | None                                 |
    | visibility       | private                              |
    +------------------+--------------------------------------+
    ...
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# openstack --os-project-id bc4ac92db130438db61a150c2b435898 image list --property owner=bc4ac92db130438db61a150c2b435898
    Forbidden (HTTP 403) (Request-ID: req-5ae66b22-fa40-402b-b5f4-a69586354ec8)
    ...
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# openstack --os-project-id bc4ac92db130438db61a150c2b435898 image list --shared
    Forbidden (HTTP 403) (Request-ID: req-f9932c08-2ae2-4bec-bc10-151f04ebb0f0)

> - they are part of the image membership;
No.

Detailed info:

- In both FAILURE cases, when we set "project_id:bc4ac92db130438db61a150c2b435898" (ADMIN ID) or "project_id:admin", "project_id:%(project_id)s", "project_id:%(target.project.id)s", we cannot get the storage ID due to getting 403, thus we cannot specify an image ID to modify membership for the image.
- Therefore there's no modification to the membership list during testing.
- Let's revisit the customer's request and current findings here:

~~~
Description of problem:
- The customer wants to restrict image listing with 'glance image-list' / 'openstack image list' to the admin tenant only, when other tenants aren't added as members to the image, even though the user has admin permission.
- To achieve it, when setting "project_id:%(target.project.id)s" / "project_id:%(project_id)s" for "get_images" in /etc/glance/policy.json, no one can access the image list by 'glance image-list' / 'openstack image list'.
- It seems /etc/glance/policy.json cannot be used to restrict Admin user access to image listing.
- Is that expected or a Bug? According to /usr/lib/python2.7/site-packages/oslo_policy/policy.py and http://docs.openstack.org/developer/glance/policies.html, I should restrict access to /v2/images with policy.json.
- I've also tried to restrict with "project_id:%(target.project.id)s" additionally, but it didn't work either.
~~~

- So basically, we can change membership when specifying the image ID directly (however we can't know it from 'image list' with "get_images", but only if we already know it).
- But regardless of adding membership to the image or not, 'image list' is controlled via "get_images", so we need to pursue the cause why "get_images" on glance can not handle the following statements in policy.json;

    "project_id:bc4ac92db130438db61a150c2b435898" (ADMIN ID)
    "project_id:admin"
    "project_id:%(project_id)s"
    "project_id:%(target.project.id)s"

Here's an example:

By default ("get_images": ""):

1. ADMIN TENANT creates image
2. check image is shared by openstack --os-project-id <PROJECT_ID> --os-username <USER> --os-password <PASS> image list --shared
   2-1. ADMIN TENANT can NOT find shared image (no output, EXPECTED);
   2-2. ADMIN USER in project1 can NOT find shared image (no output, EXPECTED);
   2-3. _MEMBER_ USER in project1 can NOT find shared image (no output, EXPECTED);
3. add membership for project1 to admin-created image specified by openstack --os-project-id <ADMIN_PROJECT_ID> image list --property owner=<ADMIN_PROJECT_ID>
4. check image is shared by openstack --os-project-id <PROJECT_ID> --os-username <USER> --os-password <PASS> image list --shared
   4-1. ADMIN TENANT CAN refer image (EXPECTED ??)
   4-2. ADMIN USER in project1 CAN refer image (EXPECTED)
   4-3. _MEMBER_ USER in project1 CAN refer image (EXPECTED)
5. remove membership for project1 from admin-created image
6. re-check image is shared by openstack --os-project-id <PROJECT_ID> --os-username <USER> --os-password <PASS> image list --shared
   6-1. ADMIN TENANT CAN refer image (THIS BEHAVIOUR LOOKS A LITTLE BIT ODD SINCE member was removed and this was not seen before adding member, then appeared after add -> remove.., BUT STILL OKAY since ADMIN TENANT is owner..??);
   6-2. ADMIN USER in project1 CAN refer image (THIS BEHAVIOUR LOOKS STRANGE, SINCE memberlist had been removed for tenants who don't own this image..);
   6-3. _MEMBER_ USER in project1 can NOT find image (THIS WAS EXPECTED, IMO);

But, with "project_id:bc4ac92db130438db61a150c2b435898" (ADMIN ID) or "project_id:admin", "project_id:%(project_id)s", "project_id:%(target.project.id)s":

1. ADMIN TENANT creates image
2. check image is shared by openstack --os-project-id <PROJECT_ID> --os-username <USER> --os-password <PASS> image list --shared
   2-1. ADMIN TENANT can NOT refer shared image (403, BUG?);
   2-2. ADMIN USER in project1 can NOT refer shared image (403, BUG?);
   2-3. _MEMBER_ USER in project1 can NOT refer shared image (403, BUG?);
3. add membership for project1 to admin-created image specified by openstack --os-project-id <ADMIN_PROJECT_ID> image list --property owner=<ADMIN_PROJECT_ID>
   3-1. all users/tenants (ADMIN TENANT / ADMIN USER / _MEMBER_ USER in project1) can not refer list (403) and cannot modify membership.
   3-2. When add/show/remove membership specifying the image ID shown on creation at step 1, can modify membership successfully.
4. check image is shared by openstack --os-project-id <PROJECT_ID> --os-username <USER> --os-password <PASS> image list --shared
   4-1. ADMIN TENANT CAN refer image (EXPECTED ??)
   4-2. ADMIN USER in project1 CAN refer image (EXPECTED)
   4-3. _MEMBER_ USER in project1 CAN refer image (EXPECTED)
5. remove membership for project1 from admin-created image
   5-1. all users/tenants (ADMIN TENANT / ADMIN USER / _MEMBER_ USER in project1) can not refer list (403) and cannot modify membership.
   5-2. When add/show/remove membership specifying the image ID shown on creation at step 1, can modify membership successfully.
6. re-check image is shared by openstack --os-project-id <PROJECT_ID> --os-username <USER> --os-password <PASS> image list --shared
   6-1. ADMIN TENANT CAN refer image (THIS BEHAVIOUR LOOKS A LITTLE BIT ODD SINCE member was removed and this was not seen before adding member, then appeared after add -> remove.., BUT STILL OKAY since ADMIN TENANT is owner..??);
   6-2. ADMIN USER in project1 CAN refer image (THIS BEHAVIOUR LOOKS STRANGE, SINCE memberlist had been removed for tenants who don't own this image..);
   6-3. _MEMBER_ USER in project1 can NOT find image (THIS WAS EXPECTED, IMO);

Also, here's the SUCCESS result with "" (default) set for "get_images". In this testing, membership was added once to another tenant (project1), then removed, to see if the membership mechanism works properly.
This basically works by default (setting "" for "get_images") in policy.json. See below;

    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# cat /root/keystonerc_admin-v3
    unset OS_SERVICE_TOKEN
    # export OS_USERNAME=admin
    # export OS_PASSWORD=admin
    # export OS_AUTH_URL=http://192.168.123.109:5000/v2.0
    # export PS1='[\u@\h \W(keystone-admin)]\$ '
    #
    # export OS_TENANT_NAME=admin
    # export OS_REGION_NAME=RegionOne
    export OS_PROJECT_DOMAIN_ID=default
    export OS_USER_DOMAIN_ID=default
    export OS_PROJECT_NAME=admin
    export OS_TENANT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=password
    export OS_AUTH_URL=http://192.168.123.109:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_AUTH_VERSION=3
    export PS1='[\u@\h \W(keystone_admin-v3)]\$ '
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# . /root/keystonerc_admin-v3

    ### check policy.json
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# grep get_images /etc/glance/policy.json
    "get_images": "",

    ### show projectid and admin role
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# openstack project list
    +----------------------------------+----------+
    | ID                               | Name     |
    +----------------------------------+----------+
    | 5debdcb776c740b58afa56293e8499e8 | services |
    | 64b0ee99d0cc4c979f578325c9f93cba | project1 |
    | bc4ac92db130438db61a150c2b435898 | admin    |
    +----------------------------------+----------+
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# openstack role list --project project1 --user admin
    +----------------------------------+-------+----------+-------+
    | ID                               | Name  | Project  | User  |
    +----------------------------------+-------+----------+-------+
    | 2e8397bdb0f14c5cbeca79b6583f4822 | admin | project1 | admin |
    +----------------------------------+-------+----------+-------+
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# openstack role list --project project1 --user project1-user
    +----------------------------------+----------+----------+---------------+
    | ID                               | Name     | Project  | User          |
    +----------------------------------+----------+----------+---------------+
    | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | project1 | project1-user |
    +----------------------------------+----------+----------+---------------+
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# openstack role list --project project1 --user project1-admin
    +----------------------------------+-------+----------+----------------+
    | ID                               | Name  | Project  | User           |
    +----------------------------------+-------+----------+----------------+
    | 2e8397bdb0f14c5cbeca79b6583f4822 | admin | project1 | project1-admin |
    +----------------------------------+-------+----------+----------------+

    ### upload cirros-0.3.4-x86_64-disk.img
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# glance image-list
    +----+------+
    | ID | Name |
    +----+------+
    +----+------+
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# openstack image list
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# glance image-create --name=cirros-0.3.4-x86_64-disk.img --visibility=private --container-format=bare --disk-format=qcow2
    +------------------+--------------------------------------+
    | Property         | Value                                |
    +------------------+--------------------------------------+
    | checksum         | ee1eca47dc88f4879d8a229cc70a07c6     |
    | container_format | bare                                 |
    | created_at       | 2016-12-15T05:17:01Z                 |
    | disk_format      | qcow2                                |
    | id               | 1ea17728-5ba0-4044-b0e0-32215e8a38a6 |
    | min_disk         | 0                                    |
    | min_ram          | 0                                    |
    | name             | cirros-0.3.4-x86_64-disk.img         |
    | owner            | bc4ac92db130438db61a150c2b435898     |
    | protected        | False                                |
    | size             | 13287936                             |
    | status           | active                               |
    | tags             | []                                   |
    | updated_at       | 2016-12-15T05:17:02Z                 |
    | virtual_size     | None                                 |
    | visibility       | private                              |
    +------------------+--------------------------------------+

    ### check admin id
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# openstack --os-project-id bc4ac92db130438db61a150c2b435898 project show admin -c id
    +-------+----------------------------------+
    | Field | Value                            |
    +-------+----------------------------------+
    | id    | bc4ac92db130438db61a150c2b435898 |
    +-------+----------------------------------+

    ### check image id owned by admin and project1 project
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# openstack --os-project-id bc4ac92db130438db61a150c2b435898 image list --property owner=bc4ac92db130438db61a150c2b435898
    +--------------------------------------+------------------------------+--------+
    | ID                                   | Name                         | Status |
    +--------------------------------------+------------------------------+--------+
    | 1ea17728-5ba0-4044-b0e0-32215e8a38a6 | cirros-0.3.4-x86_64-disk.img | active |
    +--------------------------------------+------------------------------+--------+

    ### check if image is shared with admin project, project1 project (admin), project1 project (_member_)
    ADMIN TENANT can NOT find shared image (EXPECTED);
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# openstack --os-project-id bc4ac92db130438db61a150c2b435898 image list --shared
    ADMIN USER can NOT find shared image (EXPECTED);
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# openstack --os-project-id 64b0ee99d0cc4c979f578325c9f93cba --os-username project1-admin --os-password admin image list --shared
    _MEMBER_ USER can NOT find shared image (EXPECTED);
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# openstack --os-project-id 64b0ee99d0cc4c979f578325c9f93cba --os-username project1-user --os-password user image list --shared

    ### add image to project1 project once
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# openstack image add project 1ea17728-5ba0-4044-b0e0-32215e8a38a6 64b0ee99d0cc4c979f578325c9f93cba
    +------------+--------------------------------------+
    | Field      | Value                                |
    +------------+--------------------------------------+
    | created_at | 2016-12-15T05:17:14Z                 |
    | image_id   | 1ea17728-5ba0-4044-b0e0-32215e8a38a6 |
    | member_id  | 64b0ee99d0cc4c979f578325c9f93cba     |
    | schema     | /v2/schemas/member                   |
    | status     | pending                              |
    | updated_at | 2016-12-15T05:17:14Z                 |
    +------------+--------------------------------------+

    ### check member on shared image
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# glance member-list --image-id 1ea17728-5ba0-4044-b0e0-32215e8a38a6
    +--------------------------------------+----------------------------------+---------+
    | Image ID                             | Member ID                        | Status  |
    +--------------------------------------+----------------------------------+---------+
    | 1ea17728-5ba0-4044-b0e0-32215e8a38a6 | 64b0ee99d0cc4c979f578325c9f93cba | pending |
    +--------------------------------------+----------------------------------+---------+

    ### set member from pending to accepted
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# glance member-update 1ea17728-5ba0-4044-b0e0-32215e8a38a6 64b0ee99d0cc4c979f578325c9f93cba accepted
    +--------------------------------------+----------------------------------+----------+
    | Image ID                             | Member ID                        | Status   |
    +--------------------------------------+----------------------------------+----------+
    | 1ea17728-5ba0-4044-b0e0-32215e8a38a6 | 64b0ee99d0cc4c979f578325c9f93cba | accepted |
    +--------------------------------------+----------------------------------+----------+

    ### check if image is shared with project1 project
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# openstack --os-project-id bc4ac92db130438db61a150c2b435898 image list --shared
    +--------------------------------------+------------------------------+--------+
    | ID                                   | Name                         | Status |
    +--------------------------------------+------------------------------+--------+
    | 1ea17728-5ba0-4044-b0e0-32215e8a38a6 | cirros-0.3.4-x86_64-disk.img | active |
    +--------------------------------------+------------------------------+--------+
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# openstack --os-project-id 64b0ee99d0cc4c979f578325c9f93cba --os-username project1-admin --os-password admin image list --shared
    +--------------------------------------+------------------------------+--------+
    | ID                                   | Name                         | Status |
    +--------------------------------------+------------------------------+--------+
    | 0a387dea-79d7-4a87-8698-74148e4d8cf6 | cirros-0.3.4-x86_64-disk.img | active |
    +--------------------------------------+------------------------------+--------+
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# openstack --os-project-id 64b0ee99d0cc4c979f578325c9f93cba --os-username project1-user --os-password user image list --shared
    +--------------------------------------+------------------------------+--------+
    | ID                                   | Name                         | Status |
    +--------------------------------------+------------------------------+--------+
    | 1ea17728-5ba0-4044-b0e0-32215e8a38a6 | cirros-0.3.4-x86_64-disk.img | active |
    +--------------------------------------+------------------------------+--------+

    ### remove project1 project from member
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# glance member-delete 1ea17728-5ba0-4044-b0e0-32215e8a38a6 64b0ee99d0cc4c979f578325c9f93cba

    ### check member
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# glance member-list --image-id 1ea17728-5ba0-4044-b0e0-32215e8a38a6
    +----------+-----------+--------+
    | Image ID | Member ID | Status |
    +----------+-----------+--------+
    +----------+-----------+--------+

    ### check if image is shared with admin project, project1 project (admin), project1 project (_member_)
    ADMIN TENANT can refer image (THIS BEHAVIOUR LOOKS A LITTLE BIT ODD SINCE member was removed and this was not seen before adding member, then appeared after add -> remove.., BUT STILL OKAY since ADMIN TENANT is owner..??);
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# openstack --os-project-id bc4ac92db130438db61a150c2b435898 image list --shared
    +--------------------------------------+------------------------------+--------+
    | ID                                   | Name                         | Status |
    +--------------------------------------+------------------------------+--------+
    | 1ea17728-5ba0-4044-b0e0-32215e8a38a6 | cirros-0.3.4-x86_64-disk.img | active |
    +--------------------------------------+------------------------------+--------+
    ADMIN USER can refer image (THIS BEHAVIOUR LOOKS STRANGE, SINCE memberlist had been removed for tenants who don't own this image..);
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# openstack --os-project-id 64b0ee99d0cc4c979f578325c9f93cba --os-username project1-admin --os-password admin image list --shared
    +--------------------------------------+------------------------------+--------+
    | ID                                   | Name                         | Status |
    +--------------------------------------+------------------------------+--------+
    | 1ea17728-5ba0-4044-b0e0-32215e8a38a6 | cirros-0.3.4-x86_64-disk.img | active |
    +--------------------------------------+------------------------------+--------+
    _MEMBER_ USER can NOT refer image (THIS WAS EXPECTED, IMO);
    [root@el72-osp9-all-virbr1 ~(keystone_admin-v3)]# openstack --os-project-id 64b0ee99d0cc4c979f578325c9f93cba --os-username project1-user --os-password user image list --shared

> - the image is part of their tenant.

Yes. In every testing case, the image was created by the Admin tenant.

> Am I right?
>
> I think your rule should start with: "get_images": "project_id:<ID of
> admin>". Not sure exactly how to get the rest of the rules working, I'll try
> and find someone who knows oslo.policy well and ask them to take a look.

Yes. I agree. We should start from the reason why "get_images" is not controlled by "project_id:<SOMETHING>", whereas "role:admin" works as expected.

(In reply to Masaki Furuta from comment #6)

Sorry, I made a mistake in the result in the following section of the previous update:

All of the 'openstack --os-project-id <PROJECT_ID> --os-username <USER> --os-password <PASS> image list --shared' actions got 403 when we're using any of "project_id:bc4ac92db130438db61a150c2b435898" (ADMIN ID) or "project_id:admin", "project_id:%(project_id)s", "project_id:%(target.project.id)s" for "get_images" in /etc/glance/policy.json.

Detailed info:

But, with "project_id:bc4ac92db130438db61a150c2b435898" (ADMIN ID) or "project_id:admin", "project_id:%(project_id)s", "project_id:%(target.project.id)s":

1. ADMIN TENANT creates image
2. check image is shared by openstack --os-project-id <PROJECT_ID> --os-username <USER> --os-password <PASS> image list --shared
   2-1. ADMIN TENANT can NOT refer shared image (why getting 403 rather than just missing output, BUG?); <====
   2-2. ADMIN USER in project1 can NOT refer shared image (why getting 403 rather than just missing output, BUG?); <====
   2-3. _MEMBER_ USER in project1 can NOT refer shared image (why getting 403 rather than just missing output, BUG?); <====
3. add membership for project1 to admin-created image specified by openstack --os-project-id <ADMIN_PROJECT_ID> image list --property owner=<ADMIN_PROJECT_ID>
   3-1. all users/tenants (ADMIN TENANT / ADMIN USER / _MEMBER_ USER in project1) can not refer list (403) and cannot modify membership.
   3-2. When add/show/remove membership specifying the image ID shown on creation at step 1, can modify membership successfully.
4. check image is shared by openstack --os-project-id <PROJECT_ID> --os-username <USER> --os-password <PASS> image list --shared
   4-1. ADMIN TENANT CAN NOT refer shared image (why getting 403 rather than just missing output, BUG?); <====
   4-2. ADMIN USER in project1 CAN NOT refer shared image (EXPECTED); <====
   4-3. _MEMBER_ USER in project1 CAN NOT refer shared image (EXPECTED); <====
5. remove membership for project1 from admin-created image
   5-1. all users/tenants (ADMIN TENANT / ADMIN USER / _MEMBER_ USER in project1) can not refer list (403) and cannot modify membership.
   5-2. When add/show/remove membership specifying the image ID shown on creation at step 1, can modify membership successfully.
6. re-check image is shared by openstack --os-project-id <PROJECT_ID> --os-username <USER> --os-password <PASS> image list --shared
   6-1. ADMIN TENANT CAN NOT refer shared image (why getting 403 rather than just missing output, BUG?); <====
   6-2. ADMIN USER in project1 CAN NOT refer shared image (EXPECTED); <=====
   6-3. _MEMBER_ USER in project1 CANNOT refer shared image (EXPECTED); <=====

----

For TL;DR, I believe this behaviour has nothing to do with membership, but something to do with the "get_images" permission and the supported statements. Because;

1. if we have permission for listing images (get_images), we should just get no output when we are not in the membership for the specific images.
2. basically we got 403 before even trying to list them.

Sorry for the very long input,

Thanks,
/Masaki

Created attachment 1232053 [details]
test_result-per-project_id.tar.gz
Hi,

Just wondering. Do you think it is worth checking the following?

- https://bugs.launchpad.net/neutron/+bug/1602081
- https://git.openstack.org/cgit/openstack/glance/commit/?id=ca501cba92960d0d9cffc346ebd47d39fbce32e8

Current code is:

    [root@el72-osp9-all-virbr1 ~]# rpm -qf /usr/lib/python2.7/site-packages/glance/api/policy.py
    python-glance-12.0.0-1.el7ost.noarch

/usr/lib/python2.7/site-packages/glance/api/policy.py

    class Enforcer(policy.Enforcer):
        """Responsible for loading and enforcing rules"""
    ...
        def enforce(self, context, action, target):
            """Verifies that the action is valid on the target in this context.

            :param context: Glance request context
            :param action: String representing the action to be checked
            :param target: Dictionary representing the object of the action.
            :raises: `glance.common.exception.Forbidden`
            :returns: A non-False value if access is allowed.
            """

Created attachment 1232198 [details]
osp10_test_result-per-project_id.tar.gz

(In reply to Masaki Furuta from comment #9)
> Hi,
>
> Just wondering.
> Do you think if worth checking followings?
>
> - https://bugs.launchpad.net/neutron/+bug/1602081
> -
> https://git.openstack.org/cgit/openstack/glance/commit/
> ?id=ca501cba92960d0d9cffc346ebd47d39fbce32e8
>
> Current code is:

Hi,

I've checked this again on osp10 (glance is 13.0.0).

    [root@el73-osp10-all-virbr1 ~]# rpm -qf /usr/lib/python2.7/site-packages/glance/api/policy.py
    python-glance-13.0.0-1.el7ost.noarch

Attaching result ( osp10_test_result-per-project_id.tar.gz ).

    [root@el73-osp10-all-virbr1 ~]# tar tvzf osp10_test_result-per-project_id.tar.gz
    ...
    -rw-r--r-- root/root 12856 2016-12-15 23:27 osp10_test_result-per-project_id/success/osp10_default_success-result_console.txt
    -rw-r--r-- root/root 12116 2016-12-15 23:23 osp10_test_result-per-project_id/success/osp10_project_id:95deca80a83c46bda46f01d867aff63c_success-result_console.txt
    ..
    -rw-r--r-- root/root 13107 2016-12-15 23:25 osp10_test_result-per-project_id/failed/osp10_project_id:admin_failed-result_console.txt
    -rw-r--r-- root/root 13116 2016-12-15 23:26 osp10_test_result-per-project_id/failed/osp10_project_id:%(project_id)s_failed-result_console.txt
    -rw-r--r-- root/root 13045 2016-12-15 23:27 osp10_test_result-per-project_id/failed/osp10_project_id:%(target.project.id)s_failed-result_console.txt

I believe I got the same result as yours at https://bugzilla.redhat.com/show_bug.cgi?id=1404326#c1.

Here's the result on OSP10 Beta:

/etc/glance/policy.json

Success:
- Blank (default): "get_images": "" ---> "default": "role:admin"
- User's Role : "get_images": "role:admin"
- Literal (ID) : "get_images": "project_id:95deca80a83c46bda46f01d867aff63c",

Failed:
- Literal (Name) : "get_images": "project_id:admin",
- User attributes: "get_images": "project_id:%(project_id)s",
- User attributes: "get_images": "project_id:%(target.project.id)s",

Thanks!

(In reply to Masaki Furuta from comment #10)
> Success:
> - Blank (default): "get_images": "" ---> "default": "role:admin"
> - User's Role : "get_images": "role:admin"
> - Literal (ID) : "get_images": "project_id:95deca80a83c46bda46f01d867aff63c",

That is, only when setting the exact admin id, "get_images": "project_id:95deca80a83c46bda46f01d867aff63c", could I get the expected result. Otherwise, it won't work even on OSP10 beta.

I'm writing to rhos-tech@ in order to find someone who knows about oslo.policy, and will be able to help us with your case. I'm going to be away until the end of the year, so you might not have any news from me until then. I won't forget about this bug though :)

Created attachment 1233709 [details]
osp11-devel_result.tar.gz
Hi,
I've also checked this on OSP11 devel with python-passlib-1.7.0-2 (rebuild based on fedora 26 due to keystone 71cde67).
RPM versions
glance
[root@el73-osp11-devel-all-virbr1 ~(keystone_project1-admin-v3)]# rpm -qf /usr/lib/python2.7/site-packages/glance/api/policy.py
python-glance-14.0.0-0.20161130234407.b6d44cd.el7ost.noarch
And oslo..
python-oslo-config-3.19.0-0.20161104113648.30af7de.el7ost.noarch
python-oslo-context-2.10.0-0.20161023003554.b60ab0f.el7ost.noarch
python-oslo-db-4.14.0-0.20161023004034.21a5c42.el7ost.noarch
python-oslo-messaging-5.12.0-0.20161130114521.b1b3677.1.el7ost.noarch
python-oslo-middleware-3.20.0-0.20161023005625.cc98107.el7ost.noarch
python-oslo-policy-1.16.0-0.20161023004323.573c52b.el7ost.noarch
python-oslo-versionedobjects-1.18.0-0.20161023004925.31bf557.el7ost.noarch
Result was same.
Files:
osp11-devel_result
├── failed
│ ├── project_id:admin_osp11-devel_CLEANUP_LOG
│ ├── project_id:%(project_id)s_osp11-devel_CLEANUP_LOG
│ └── project_id:%(target.project.id)s_osp11-devel_CLEANUP_LOG
├── python-passlib-1.7.0
│ ├── keystone-71cde67_python-passlib-1.7.0.patch
│ ├── python-passlib-1.7.0-2.el7.noarch.rpm
│ ├── python-passlib-1.7.0-2.fc26.src.rpm
│ └── python-passlib.spec.pyton2.patch
├── sosreport-el72-osp9-all-virbr1.example.com-20160914092555.tar.xz
├── sosreport-el73-osp11-devel-all-virbr1.example.com-20161220113130.tar.xz
└── success
├── 801ed79b0ab5459db4daedd43ad1e468_osp11-devel_CLEANUP_LOG
└── blank_osp11-devel_CLEANUP_LOG
3 directories, 11 files
Result:
/etc/glance/policy.json
Success:
- Blank (default): "get_images": "" ---> "default": "role:admin"
- User's Role : "get_images": "role:admin"
- Literal (ID) : "get_images": "project_id:801ed79b0ab5459db4daedd43ad1e468",
Failed:
- Literal (Name) : "get_images": "project_id:admin",
- User attributes: "get_images": "project_id:%(project_id)s",
- User attributes: "get_images": "project_id:%(target.project.id)s",
I'm not sure if this is still a bz, but it looks like this is our current implementation..?
I didn't check this on devstack, but can you check this on an upstream build?
I'd be really happy if I could get your thoughts on this, so that I can pass it to the customer as the most current status at this time.
Thanks!
Hi, since I'm tagged as the maintainer of all downstream Oslo packages including oslo.policy, Cyril Roelandt asked me to look at this issue.

Masaki Furuta: "But Admin user (project1-admin) in other tenant (project1) can list non-shared image."

I'm not sure that I understood your issue correctly, so let me rephrase it. Basically, in Glance, if the connected user has the role "admin" in the tenant used by the connection, Glance sees him/her as admin in all tenants. The reported problem is that if the user is admin in the tenant "demo", he/she sees all images, including images of the tenant "alt_demo" where he/she doesn't have the admin role. By default, it seems like Glance gives full access (list all images, see all images) if the user is seen as "admin".

Now about oslo.policy: it's a basic ALLOW or DENY firewall. You can write from simple to very complex rules to only ALLOW some users to access an API, and DENY access to all other users. But I don't think that oslo.policy can be used to modify the result of an API call, especially modify the *result* of the Glance "get_images" API.

If you would like to use oslo.policy, IMHO Glance should be modified to check the "get_image" rule on each image returned by get_images. Currently, it's not the case, and I'm not sure that it's a common way to use oslo.policy.

Another option would be to modify Glance to add an option to implement your requested behaviour.

What Victor said makes sense. Here are a couple of commands to show the issue:

haypo@devstack$ . devstack/openrc alt_demo alt_demo
WARNING: setting legacy OS_TENANT_NAME to support cli tools.
haypo@devstack$ glance image-list
+--------------------------------------+---------------------------------+
| ID                                   | Name                            |
+--------------------------------------+---------------------------------+
| c689f571-0003-4dcf-84e1-0d6904a6029c | alt_demo                        |
| d58a0a4c-f130-4308-a717-de9725a83574 | cirros-0.3.4-x86_64-uec         |
| 86f5fb86-776f-4b22-91b6-89cbe056a01b | cirros-0.3.4-x86_64-uec-kernel  |
| 8450dc61-73a2-4503-8823-5be5480889d1 | cirros-0.3.4-x86_64-uec-ramdisk |
+--------------------------------------+---------------------------------+

haypo@devstack$ . devstack/openrc demo demo
WARNING: setting legacy OS_TENANT_NAME to support cli tools.
haypo@devstack$ glance image-list
+--------------------------------------+---------------------------------+
| ID                                   | Name                            |
+--------------------------------------+---------------------------------+
| d58a0a4c-f130-4308-a717-de9725a83574 | cirros-0.3.4-x86_64-uec         |
| 86f5fb86-776f-4b22-91b6-89cbe056a01b | cirros-0.3.4-x86_64-uec-kernel  |
| 8450dc61-73a2-4503-8823-5be5480889d1 | cirros-0.3.4-x86_64-uec-ramdisk |
| 528915b8-e056-46e3-82c7-8e1b08a3a40a | demo                            |
+--------------------------------------+---------------------------------+

I think this bug should be clarified and then taken to upstream, since no such development will take place downstream.

*** Bug 1401135 has been marked as a duplicate of this bug. ***
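Added illustration (this is not oslo.policy, Glance, or any commenter's code): a toy Python model of the rule forms tried in the success/failed tables above and of the per-image check Victor describes. It re-implements only the subset of the oslo.policy rule language those tests exercise ("", role:, rule:, <cred-key>:<match> with %(key)s substitution from the target, and the "default" fallback). The credentials, project IDs and image catalogue are constructed sample data, and exposing the image owner as target["project_id"] in the per-image variant is an assumption of this example, not Glance's real target layout. It shows why a literal project ID matches while a literal name and the %(...) substitutions do not when the list call passes an empty target, and why a single get_images check cannot filter the result the way a per-image get_image check can.

```python
"""Toy re-implementation of the oslo.policy rule subset used in this bug.

Added example only; not oslo.policy or Glance code. Supported rule forms:
"" (always allowed), "role:<name>", "rule:<name>" and "<cred-key>:<match>",
where <match> may contain %(key)s tokens substituted from the target dict.
An action missing from the policy falls back to the "default" rule.
All names, IDs and images below are constructed sample data.
"""

MAX_RULE_DEPTH = 10  # guard against rule:a -> rule:b -> rule:a loops


def _expand(match, target):
    """Expand %(key)s tokens in `match` from `target`.

    oslo.policy's GenericCheck does the same '%' substitution and treats a
    missing key as a failed check rather than an error. That is why
    "project_id:%(project_id)s" can never succeed when the caller passes an
    empty target, as Glance does for the get_images (list) call.
    """
    try:
        return match % target
    except (KeyError, ValueError, TypeError):
        return None


def check(rule, creds, target, rules, depth=0):
    """Evaluate one rule string against the caller's credentials and target."""
    rule = rule.strip()
    if rule == "":
        return True  # oslo.policy parses an empty rule as "always allowed"
    kind, sep, match = rule.partition(":")
    if not sep:
        return False
    if kind == "rule":
        return enforce(match, creds, target, rules, depth + 1)
    if kind == "role":
        return match.lower() in [r.lower() for r in creds.get("roles", [])]
    expanded = _expand(match, target)
    if expanded is None:
        return False
    # A literal such as project_id:95deca80... is compared with the caller's
    # own credential value, so it only ever matches that one project.
    return str(creds.get(kind)) == expanded


def enforce(action, creds, target, rules, depth=0):
    """Look up the rule for `action`, falling back to the 'default' rule."""
    if depth > MAX_RULE_DEPTH:
        return False
    if action in rules:
        return check(rules[action], creds, target, rules, depth)
    if action != "default" and "default" in rules:
        return check(rules["default"], creds, target, rules, depth)
    return False


# Constructed credentials: the admin role held in project 95deca80...
ADMIN_CREDS = {"project_id": "95deca80a83c46bda46f01d867aff63c",
               "roles": ["admin", "_member_"]}

# Constructed image catalogue: one image owned by each of two projects.
IMAGES = [
    {"id": "img-0001", "name": "cirros-0.3.4-x86_64-uec",
     "owner": "95deca80a83c46bda46f01d867aff63c"},
    {"id": "img-0002", "name": "demo",
     "owner": "528915b8e05646e382c78e1b08a3a40a"},
]


def policy_table(creds):
    """Replay the six get_images variants from the test matrix, each with an
    empty target as Glance's list call passes. Returns {rule: allowed}."""
    variants = ["", "role:admin", "project_id:" + creds["project_id"],
                "project_id:admin", "project_id:%(project_id)s",
                "project_id:%(target.project.id)s"]
    return {v: enforce("get_images", creds, {},
                       {"default": "role:admin", "get_images": v})
            for v in variants}


def list_images_single_check(creds, rules):
    """Current behaviour: one get_images check, then every image is returned."""
    if not enforce("get_images", creds, {}, rules):
        raise PermissionError("Forbidden (HTTP 403)")
    return [img["id"] for img in IMAGES]


def list_images_per_image(creds, rules):
    """The change Victor describes: re-check get_image for each image with the
    image as target. Mapping owner -> target['project_id'] is an assumption."""
    if not enforce("get_images", creds, {}, rules):
        raise PermissionError("Forbidden (HTTP 403)")
    return [img["id"] for img in IMAGES
            if enforce("get_image", creds, {"project_id": img["owner"]}, rules)]
```

With "get_image": "project_id:%(project_id)s" the per-image variant returns only the caller's own images, which is the requested behaviour; the same rule on get_images with an empty target simply denies everyone, which is what the failed rows in the table record.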