+++ This bug was initially created as a clone of Bug #1486027 +++

Description of problem:
When scoped to a particular OSP project (OS_PROJECT_NAME=demo2, OS_USERNAME=demo2) a 'gnocchi metric list' shows metrics from the current project and from other projects.

Version-Release number of selected component (if applicable):
OSP 10

How reproducible:
100%

Steps to Reproduce:
1. gnocchi metric list
2. gnocchi metric show (on the returned list) and look at the 'resource/project_id'.

Actual results:
gnocchi shows the metrics from the current project and other projects.

Expected results:
'metric list' should only return metrics from the current project

Additional info:
OSP 11 - if you 'gnocchi metric show <metric id>' on a metric that is not in the current project then you get 'Forbidden (HTTP 403)'

--- Additional comment from Julien Danjou on 2017-09-07 12:03:31 EDT ---

> When scoped to a particular OSP project (OS_PROJECT_NAME=demo2, OS_USERNAME=demo2) a 'gnocchi metric list' shows metrics from the current project and from other projects.

It should not unless the user is admin. Can you provide more information on what you do exactly? What command you typed and what the output is?

--- Additional comment from Chris Fields on 2017-09-07 16:10 EDT ---

The attachment shows a series of commands that demonstrate that you can see metrics from a project that you are not currently scoped to. This was done on OSP 11. It does mimic the behavior that my customer is seeing in OSP 10, however. The customer expects to see only the metrics for the current project when doing a 'gnocchi metric list.'

--- Additional comment from Julien Danjou on 2017-09-08 04:30:58 EDT ---

Thanks Chris for the detailed output. There is indeed an ACL matching problem on this request where the user is not used correctly as a filter. I've pushed a fix upstream and will backport it to OSP10 and OSP11.
This is part of Gnocchi 3.1.11. Prad, can you make sure it's pushed in OSP11?
Hi Julien and Pradeep and all,

One update is that in OSP10 we're seeing that "gnocchi metric list", when run as a member of a project/tenant, returns nothing, and that it only returns something when admin runs it. (Earlier it appeared to be returning all metrics, not only those in its project tenant, because it was running with a custom readonly role -- I apologize for that confusion.)

Below is an example of current behavior (the policy.json files were updated in nec1 to no longer include the custom readonly role):

We were seeing that "gnocchi metric list" returned all metrics, but that appears to have been because of the readonly role. Removing the readonly role from NEC1, in OSP10, "gnocchi metric list" returns a null result for a member of a tenant/project, and only returns a list of metrics for admin, as shown below.

As admin "gnocchi metric list" returns metrics:

[stack@wcnec1-l-rh-ucld-01 ~]$ ssh ocld0
Last login: Sun Nov 5 18:48:47 2017 from undercloud
[heat-admin@wcnec1-l-rh-ocld-0 ~]$ . overcloudrc
[heat-admin@wcnec1-l-rh-ocld-0 ~]$ gnocchi metric list | head
+--------------------------------------+---------------------+---------------------------------+-----------+--------------------------------------+
| id                                   | archive_policy/name | name                            | unit      | resource_id                          |
+--------------------------------------+---------------------+---------------------------------+-----------+--------------------------------------+
| 00049bc6-a392-441c-9699-a386366b566d | low2                | disk.root.size                  | None      | f6a45e10-e29d-4a35-99e3-38357474c15a |
| 0005b5b0-c6d6-49bb-b857-0aa56510c1ea | low2                | network.incoming.packets.rate   | None      | db88a8e9-b1d3-5717-acec-43fa00bdf0d2 |
| 00083d5c-4e2b-431d-a89a-92fee4c7136e | low2                | network.incoming.bytes.rate     | B/s       | 47351718-939b-5673-a0a1-1d17a18f37e1 |
| 0008f974-133b-469f-9447-3e64b1f4dce2 | low2                | disk.device.usage               | None      | a152cbab-6911-53fa-86f8-7de58e028b19 |
| 000a741c-0c54-4cbd-9ab8-a0b53c5e47d3 | low2                | disk.root.size                  | None      | cfc5319f-038c-43eb-a3fd-7aca51a74eff |
| 000d619a-dd53-487b-8e5f-62869bb80bc7 | low2                | disk.device.read.bytes.rate     | B/s       | 7d9f0524-f823-5ebd-99cd-74f55685ad8f |
| 0011a43a-577c-4344-bd9e-2047898853cd | low2                | disk.device.write.requests      | None      | 75d6821f-6964-50da-abbb-96fefd44d10f |
[Errno 32] Broken pipe
[heat-admin@wcnec1-l-rh-ocld-0 ~]$ openstack role assignment list --project SevOne --user sevone --names
+----------+--------+---------+
| Role     | User   | Project |
+----------+--------+---------+
| readonly | sevone | SevOne  |
| _member_ | sevone | SevOne  |
+----------+--------+---------+
[heat-admin@wcnec1-l-rh-ocld-0 ~]$ sudo grep -i read /etc/gnocchi/policy.json
[heat-admin@wcnec1-l-rh-ocld-0 ~]$ # The readonly role was removed from /etc/gnocchi/policy.json, so the sevone user is now only really a _member_.
[heat-admin@wcnec1-l-rh-ocld-0 ~]$ pwd
/home/heat-admin
[heat-admin@wcnec1-l-rh-ocld-0 ~]$ . keystone_sevone_nec1
[heat-admin@wcnec1-l-rh-ocld-0 ~(openstack_SevOne_sevone_nec1)]$ gnocchi metric list
[heat-admin@wcnec1-l-rh-ocld-0 ~(openstack_SevOne_sevone_nec1)]$ # A member of its own tenant cannot see its gnocchi metrics!!!
[heat-admin@wcnec1-l-rh-ocld-0 ~(openstack_SevOne_sevone_nec1)]$

Thanks,
Susan
Hi Susan,

This is not a bug, but a Keystone ACL limitation currently, see https://bugzilla.redhat.com/show_bug.cgi?id=1487619
1. Created user test, under this user created an instance. Observed its metrics.
2. Created user test2, under that user tried to observe test's metrics, got Forbidden (403).
3. Under user test tried to observe admin's metrics, got Forbidden (403).

Verified
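A minimal model of the project-scoped access check that the fix discussed above restores and that the verification steps exercise, as an added example (not Gnocchi's own code): a metric list is filtered to the caller's project unless the caller holds the admin role, and a metric show on another project's metric answers Forbidden (HTTP 403). The Metric and Caller types, the "admin" role name and the sample metric and project ids are all constructed for this example.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Stands in for the 'Forbidden (HTTP 403)' response seen in the report."""


@dataclass(frozen=True)
class Metric:
    id: str
    name: str
    project_id: str  # project owning the resource the metric belongs to


@dataclass(frozen=True)
class Caller:
    user_id: str
    project_id: str  # project the token is scoped to (OS_PROJECT_NAME)
    roles: frozenset


# Constructed sample data: two projects, three metrics (hypothetical ids).
METRICS = [
    Metric("m-1", "disk.root.size", "proj-demo2"),
    Metric("m-2", "network.incoming.bytes.rate", "proj-demo2"),
    Metric("m-3", "disk.device.usage", "proj-other"),
]


def is_admin(caller: Caller) -> bool:
    return "admin" in caller.roles


def list_metrics(caller: Caller, metrics=METRICS) -> list:
    """Return only the caller's project metrics unless the caller is admin.
    The defect in the report was this project filter not being applied."""
    if is_admin(caller):
        return list(metrics)
    return [m for m in metrics if m.project_id == caller.project_id]


def show_metric(caller: Caller, metric_id: str, metrics=METRICS) -> Metric:
    """Return one metric; a metric outside the caller's project is Forbidden,
    mirroring the OSP 11 behaviour described in the report."""
    for m in metrics:
        if m.id == metric_id:
            if is_admin(caller) or m.project_id == caller.project_id:
                return m
            raise Forbidden(f"Forbidden (HTTP 403): metric {metric_id}")
    raise KeyError(metric_id)
```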
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0312