Bug 1470134 - Unprivileged user can't access to its Gnocchi resources created by Ceilometer
Summary: Unprivileged user can't access to its Gnocchi resources created by Ceilometer
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-aodh
Version: 10.0 (Newton)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: z4
Target Release: 10.0 (Newton)
Assignee: Mehdi ABAAKOUK
QA Contact: Sasha Smolyak
URL:
Whiteboard:
Duplicates: 1470167 1471234
Depends On:
Blocks:
Reported: 2017-07-12 12:33 UTC by Mehdi ABAAKOUK
Modified: 2020-12-14 09:05 UTC

Fixed In Version: openstack-aodh-3.0.3-1.el7ost
Doc Type: Bug Fix
Doc Text:
Alarm created with unprivileged user cannot retrieve statistics from Gnocchi. This version fixes that. Any alarms created before this release must be updated or recreated to pick up this fix.
Clone Of:
Environment:
Last Closed: 2017-09-06 17:06:29 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Launchpad | 1703824 | 0 | None | None | None | 2017-07-12 12:35:37 UTC
OpenStack gerrit | 482947 | 0 | None | None | None | 2017-07-12 12:36:02 UTC
OpenStack gerrit | 483439 | 0 | None | None | None | 2017-07-13 15:30:03 UTC
RDO | 7638 | 0 | None | None | None | 2017-07-13 15:30:39 UTC
Red Hat Product Errata | RHBA-2017:2653 | 0 | normal | SHIPPED_LIVE | Red Hat OpenStack Platform 10 Bug Fix and Enhancement Advisory | 2017-09-06 20:54:38 UTC

Description Mehdi ABAAKOUK 2017-07-12 12:33:03 UTC
Description of problem:

https://bugs.launchpad.net/aodh/+bug/1703824

Comment 1 Mehdi ABAAKOUK 2017-07-12 12:35:20 UTC
When an unprivileged user wants to access Gnocchi resources
created by Ceilometer, that doesn't work because the filter scopes
the Gnocchi query to resources owned by the user.

This breaks Heat + Aodh with trust.
Heat creates the Aodh alarm with the user project.
Ceilometer creates resources and metrics in Gnocchi with the service users.

Aodh can't access the resource of the user to evaluate the alarm.

Comment 2 Mehdi ABAAKOUK 2017-07-12 14:31:02 UTC
*** Bug 1470167 has been marked as a duplicate of this bug. ***

Comment 6 Mehdi ABAAKOUK 2017-07-17 13:49:21 UTC
*** Bug 1471234 has been marked as a duplicate of this bug. ***

Comment 9 Mehdi ABAAKOUK 2017-07-17 14:21:01 UTC
We have also added your use case in upstream testing: https://review.openstack.org/#/c/459659/

Comment 12 Mark Lamourine 2017-07-18 18:12:09 UTC
A first pass indicates that this is successful. We have been able to create a Heat stack on OSP10 with OCP3.4 which scales both up and down when the load on the OCP app nodes is added and removed.

Comment 17 Mark Lamourine 2017-07-19 20:09:33 UTC
For the openshift-heat-templates, the update has been tested with the hotfix using OCP3.4 on OSP10:

https://github.com/redhat-openstack/openshift-on-openstack/pull/374

Comment 24 errata-xmlrpc 2017-09-06 17:06:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2653

