Bug 1489773

Summary: 'gnocchi metric list' shows metrics from other projects
Product: Red Hat OpenStack
Reporter: Julien Danjou <jdanjou>
Component: openstack-gnocchi
Assignee: Julien Danjou <jdanjou>
Status: CLOSED ERRATA
QA Contact: Sasha Smolyak <ssmolyak>
Severity: medium
Priority: low
Version: 11.0 (Ocata)
CC: apevec, augol, dmacpher, jdanjou, jschluet, lhh, marjones, pkilambi, ssmolyak, susan.coombs
Target Milestone: z4
Keywords: Triaged, ZStream
Target Release: 11.0 (Ocata)
Hardware: Unspecified
OS: Linux
Fixed In Version: openstack-gnocchi-3.1.11-1.el7ost
Doc Type: Bug Fix
Doc Text:
A bug in the ACL filter caused metrics belonging to all users to be displayed to non-admin users. This fix corrects the filter. Now non-admin users only have access to metrics designated through the ACL filter.
Story Points: ---
Clone Of: 1486027
Last Closed: 2018-02-13 16:42:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1486027

Description Julien Danjou 2017-09-08 11:03:44 UTC
+++ This bug was initially created as a clone of Bug #1486027 +++

Description of problem:
When scoped to a particular OSP project (OS_PROJECT_NAME=demo2, OS_USERNAME=demo2) a 'gnocchi metric list' shows metrics from the current project and from other projects.

Version-Release number of selected component (if applicable):
OSP 10

How reproducible:
100%

Steps to Reproduce:
1. gnocchi metric list
2. gnocchi metric show (on the returned list) and look at the 'resource/project_id'.


Actual results:
gnocchi shows the metrics from the current project and other projects.  

Expected results:
'metric list' should only return metrics from the current project

Additional info:
OSP 11 - if you 'gnocchi metric show <metric id>' on a metric that is not in the current project then you get 'Forbidden (HTTP 403)'

--- Additional comment from Julien Danjou on 2017-09-07 12:03:31 EDT ---

> When scoped to a particular OSP project (OS_PROJECT_NAME=demo2, OS_USERNAME=demo2) a 'gnocchi metric list' shows metrics from the current project and from other projects.

It should not unless the user is admin. Can you provide more information on what you do exactly? What command did you type and what was the output?

--- Additional comment from Chris Fields on 2017-09-07 16:10 EDT ---

The attachment shows a series of commands that demonstrate that you can see metrics from a project that you are not currently scoped to.  This was done on OSP 11.  It does mimic the behavior that my customer is seeing in OSP 10, however.  

The customer expects to see only the metrics for the current project when doing a 'gnocchi metric list.'

--- Additional comment from Julien Danjou on 2017-09-08 04:30:58 EDT ---

Thanks Chris for the detailed output. There is indeed an ACL matching problem on this request where the user is not used correctly as a filter.

I've pushed a fix upstream and will backport it to OSP10 and OSP11.

Comment 1 Julien Danjou 2017-09-27 07:20:27 UTC
This is part of Gnocchi 3.1.11.

Prad, can you make sure it's pushed in OSP11?

Comment 2 Susan Coombs 2017-11-08 00:28:42 UTC
Hi Julien and Pradeep and all,

One update is that in OSP10 we're seeing that "gnocchi metric list" when run as a member of a project/tenant, returns nothing, and that it only returns something when admin runs it. (Earlier it appeared to be returning all metrics, not only those in its project tenant, because it was running with a custom readonly role -- I apologize for that confusion.)

Below is an example of current behavior (the policy.json files were updated in nec1 to no longer include the custom readonly role):

We were seeing that "gnocchi metric list" returned all metrics, but that appears to have been because of the readonly role.

Removing the readonly role from NEC1, in OSP10, "gnocchi metric list" returns a null result for a member of a tenant/project, and only returns a list of metrics for admin, as shown below. 

As admin "gnocchi metric list" returns metrics:

[stack@wcnec1-l-rh-ucld-01 ~]$ ssh ocld0
Last login: Sun Nov  5 18:48:47 2017 from undercloud
[heat-admin@wcnec1-l-rh-ocld-0 ~]$ . overcloudrc
[heat-admin@wcnec1-l-rh-ocld-0 ~]$ gnocchi metric list | head
+--------------------------------------+---------------------+---------------------------------+-----------+--------------------------------------+
| id                                   | archive_policy/name | name                            | unit      | resource_id                          |
+--------------------------------------+---------------------+---------------------------------+-----------+--------------------------------------+
| 00049bc6-a392-441c-9699-a386366b566d | low2                | disk.root.size                  | None      | f6a45e10-e29d-4a35-99e3-38357474c15a |
| 0005b5b0-c6d6-49bb-b857-0aa56510c1ea | low2                | network.incoming.packets.rate   | None      | db88a8e9-b1d3-5717-acec-43fa00bdf0d2 |
| 00083d5c-4e2b-431d-a89a-92fee4c7136e | low2                | network.incoming.bytes.rate     | B/s       | 47351718-939b-5673-a0a1-1d17a18f37e1 |
| 0008f974-133b-469f-9447-3e64b1f4dce2 | low2                | disk.device.usage               | None      | a152cbab-6911-53fa-86f8-7de58e028b19 |
| 000a741c-0c54-4cbd-9ab8-a0b53c5e47d3 | low2                | disk.root.size                  | None      | cfc5319f-038c-43eb-a3fd-7aca51a74eff |
| 000d619a-dd53-487b-8e5f-62869bb80bc7 | low2                | disk.device.read.bytes.rate     | B/s       | 7d9f0524-f823-5ebd-99cd-74f55685ad8f |
| 0011a43a-577c-4344-bd9e-2047898853cd | low2                | disk.device.write.requests      | None      | 75d6821f-6964-50da-abbb-96fefd44d10f |
[Errno 32] Broken pipe
[heat-admin@wcnec1-l-rh-ocld-0 ~]$ openstack role assignment list --project SevOne --user sevone --names
+----------+--------+---------+
| Role     | User   | Project |
+----------+--------+---------+
| readonly | sevone | SevOne  |
| _member_ | sevone | SevOne  |
+----------+--------+---------+
[heat-admin@wcnec1-l-rh-ocld-0 ~]$ sudo grep -i read /etc/gnocchi/policy.json
[heat-admin@wcnec1-l-rh-ocld-0 ~]$ # The readonly role was removed from /etc/gnocchi/policy.json, so the sevone user is now only really a _member_.
[heat-admin@wcnec1-l-rh-ocld-0 ~]$ pwd
/home/heat-admin
[heat-admin@wcnec1-l-rh-ocld-0 ~]$ . keystone_sevone_nec1 
[heat-admin@wcnec1-l-rh-ocld-0 ~(openstack_SevOne_sevone_nec1)]$ gnocchi metric list

[heat-admin@wcnec1-l-rh-ocld-0 ~(openstack_SevOne_sevone_nec1)]$ # A member of its own tenant cannot see its gnocchi metrics!!!
[heat-admin@wcnec1-l-rh-ocld-0 ~(openstack_SevOne_sevone_nec1)]$ 

Thanks,

Susan

Comment 3 Julien Danjou 2017-11-08 07:41:58 UTC
Hi Susan,

This is not a bug, but a Keystone ACL limitation currently, see https://bugzilla.redhat.com/show_bug.cgi?id=1487619

Comment 12 Sasha Smolyak 2017-11-30 08:21:23 UTC
1. Created user test, under this user created instance. Observed its metrics
2. Created user test2, under that user tried to observe test's metrics, got Forbidden (403)
3. Under user test tried to observe admin's metrics, got Forbidden (403)

Verified
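The ACL defect described in the Doc Text ("the user is not used correctly as a filter") and the verification steps in comment 12, modelled as an added example that is not Gnocchi's own code: the `Metric`, `Caller` and `list_metrics_*` names and the sample metrics are hypothetical, constructed to show the unfiltered listing next to the corrected one.

```python
# Added example (hypothetical names, not Gnocchi's code): the defective
# listing next to the corrected one, plus the check from comment 12.
from dataclasses import dataclass

@dataclass(frozen=True)
class Metric:
    id: str
    name: str
    created_by_project_id: str  # project that owns the metric

@dataclass(frozen=True)
class Caller:
    project_id: str   # project the token is scoped to
    roles: frozenset  # Keystone roles carried by the token

# Constructed sample data; ids are placeholders, not values from the report.
METRICS = [
    Metric("m-1", "cpu_util", "project-test"),
    Metric("m-2", "disk.root.size", "project-test"),
    Metric("m-3", "cpu_util", "project-test2"),
    Metric("m-4", "memory.usage", "project-admin"),
]

def is_admin(caller):
    return "admin" in caller.roles

def list_metrics_buggy(metrics, caller):
    """Defect: the caller only gates access to the endpoint; it is never
    applied as a filter, so every project's metrics come back."""
    return list(metrics)

def list_metrics_fixed(metrics, caller):
    """Fix: admins see everything; anyone else sees only metrics owned by
    the project their token is scoped to."""
    if is_admin(caller):
        return list(metrics)
    return [m for m in metrics if m.created_by_project_id == caller.project_id]

def leaked_projects(list_fn, metrics, caller):
    """Foreign projects visible to a non-admin caller; after the fix this
    must be empty (what comment 12's steps 2 and 3 verify)."""
    if is_admin(caller):
        return set()
    seen = {m.created_by_project_id for m in list_fn(metrics, caller)}
    return seen - {caller.project_id}
```

Running `leaked_projects` with the buggy listing reproduces the report (other projects' metrics appear for a plain `_member_`), while the fixed listing returns nothing outside the caller's own project.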

Comment 16 errata-xmlrpc 2018-02-13 16:42:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0312