Bug 1573017

Summary: A user with role _member_ is able to list all AZs
Product: Red Hat OpenStack
Reporter: Siggy Sigwald <ssigwald>
Component: openstack-keystone
Assignee: Harry Rybacki <hrybacki>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: nlevinki <nlevinki>
Severity: high
Priority: unspecified
Version: 10.0 (Newton)
CC: dhill, hrybacki, nkinder, pkesavar, srevivo, ssigwald
Target Milestone: ---
Flags: hrybacki: needinfo? (ssigwald)
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2018-06-11 19:09:20 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Siggy Sigwald 2018-04-29 19:57:02 UTC
Description of problem:
In a standard OSP 10 installation, I've created a project associated to an AZ. I've created 2 users: one has the admin role, the other one the _member_ role.
Using the user with role _member_ I can still list ALL the AZs. Customer believes this shouldn't be possible.

[root@rhosp10-controller ~(keystone_admin)]# openstack role assignment list --project test-1 --user user-1 --names
+----------+--------+---------+
| Role     | User   | Project |
+----------+--------+---------+
| _member_ | user-1 | test-1  |
+----------+--------+---------+
[root@rhosp10-controller ~(keystone_admin)]# openstack role assignment list --project test-1 --user admin-1 --names
+----------+---------+---------+
| Role     | User    | Project |
+----------+---------+---------+
| _member_ | admin-1 | test-1  |
| admin    | admin-1 | test-1  |
+----------+---------+---------+
[root@rhosp10-controller ~(keystone_admin)]# openstack availability zone list
+-----------+-------------+
| Zone Name | Zone Status |
+-----------+-------------+
| internal  | available   |
| AZ2       | available   |
| AZ1       | available   |
| nova      | available   |
| nova      | available   |
| nova      | available   |
+-----------+-------------+
[root@rhosp10-controller ~(keystone_admin)]# source keystonerc_user-1
[root@rhosp10-controller ~(user-1)]# openstack availability zone list
+-----------+-------------+
| Zone Name | Zone Status |
+-----------+-------------+
| AZ2       | available   |
| AZ1       | available   |
| nova      | available   |
| nova      | available   |
| nova      | available   |
+-----------+-------------+

Version-Release number of selected component (if applicable):

python-keystone-10.0.3-1.el7ost.noarch
python-keystoneclient-3.5.1-1.el7ost.noarch
python-keystonemiddleware-4.9.1-1.el7ost.noarch
puppet-keystone-9.5.0-5.el7ost.noarch
openstack-keystone-10.0.3-1.el7ost.noarch
python-keystoneauth1-2.12.3-1.el7ost.noarch

How reproducible:
Same behavior with a brand new OSP 10 install.

Steps to Reproduce:
[root@rhosp10-controller ~(keystone_admin)]# nova aggregate-create az1 AZ1
+----+------+-------------------+-------+-------------------------+
| Id | Name | Availability Zone | Hosts | Metadata                |
+----+------+-------------------+-------+-------------------------+
| 1  | az1  | AZ1               |       | 'availability_zone=AZ1' |
+----+------+-------------------+-------+-------------------------+

[root@rhosp10-controller ~(keystone_admin)]# nova aggregate-add-host az1 rhosp10-compute01
Host rhosp10-compute01 has been successfully added for aggregate 1 
+----+------+-------------------+---------------------+-------------------------+
| Id | Name | Availability Zone | Hosts               | Metadata                |
+----+------+-------------------+---------------------+-------------------------+
| 1  | az1  | AZ1               | 'rhosp10-compute01' | 'availability_zone=AZ1' |
+----+------+-------------------+---------------------+-------------------------+

[root@rhosp10-controller ~(keystone_admin)]# openstack project create test-1 
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| enabled     | True                             |
| id          | 632863bbfa874fc7bbfe6ea74830f0f2 |
| name        | test-1                           |
+-------------+----------------------------------+

[root@rhosp10-controller ~(keystone_admin)]# openstack user create user-1 --project test-1 --password q1w2e3r4 
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| email      | None                             |
| enabled    | True                             |
| id         | 5fea433caa20497b934d6f760c28e031 |
| name       | user-1                           |
| project_id | 632863bbfa874fc7bbfe6ea74830f0f2 |
| username   | user-1                           |
+------------+----------------------------------+


Actual results:

[root@rhosp10-controller ~(user-1)]# openstack availability zone list
+-----------+-------------+
| Zone Name | Zone Status |
+-----------+-------------+
| AZ2       | available   |
| AZ1       | available   |
+-----------+-------------+


Expected results:

[root@rhosp10-controller ~(user-1)]# openstack availability zone list
+-----------+-------------+
| Zone Name | Zone Status |
+-----------+-------------+
| AZ1       | available   |
+-----------+-------------+
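As an added audit check (not part of the report or of any OpenStack project code), the script below parses the `openstack availability zone list` table output shown above and reports the zones a user can see beyond the set the project is meant to use. The sample table and the allowed set {AZ1} are taken from the report; duplicate `nova` rows (one per host in the default zone) are collapsed.

```python
# Constructed sample: the _member_ user's listing, copied from the report above.
MEMBER_LISTING = """\
+-----------+-------------+
| Zone Name | Zone Status |
+-----------+-------------+
| AZ2       | available   |
| AZ1       | available   |
| nova      | available   |
| nova      | available   |
| nova      | available   |
+-----------+-------------+
"""


def parse_az_table(text):
    """Return {zone_name: zone_status} from the CLI's ASCII table.

    Border lines (+---+) and the header row are skipped; repeated rows for
    the same zone (the per-host 'nova' entries) collapse into one key.
    """
    zones = {}
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # border line or stray text
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 2 or cells[0] == "Zone Name":
            continue  # malformed row or header
        zones[cells[0]] = cells[1]
    return zones


def unexpected_zones(listing, allowed):
    """Sorted zone names visible in `listing` that are not in `allowed`.

    An empty result means the user sees only the zones the project is
    supposed to use; anything else is what the report calls out.
    """
    return sorted(set(parse_az_table(listing)) - set(allowed))


if __name__ == "__main__":
    print(unexpected_zones(MEMBER_LISTING, {"AZ1"}))
```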


Additional info:

Comment 3 Harry Rybacki 2018-06-11 19:09:20 UTC
We are closing this bug because we have not received sufficient information to make progress. Please feel free to open this bug again when you are able to provide the required information we requested.