1573017 – A user with role _member_ is able to list all AZs

Bug 1573017 - A user with role _member_ is able to list all AZs

Summary: A user with role _member_ is able to list all AZs

Keywords:
Status:	CLOSED INSUFFICIENT_DATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-keystone
Sub Component:
Version:	10.0 (Newton)
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	---
Assignee:	Harry Rybacki
QA Contact:	nlevinki
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-04-29 19:57 UTC by Siggy Sigwald
Modified:	2023-09-15 00:07 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-06-11 19:09:20 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Siggy Sigwald 2018-04-29 19:57:02 UTC

Description of problem:
In a standard OSP 10 installation, I've created a project associated to an AZ. I've created 2 users. one has admin role the other one _member_ role. 
Using the user with role memeber i can still list ALL the AZs. Customer believes this shouldn't be possible.

[root@rhosp10-controller ~(keystone_admin)]# openstack role assignment list --project test-1 --user user-1 --names
+----------+--------+---------+
| Role     | User   | Project |
+----------+--------+---------+
| _member_ | user-1 | test-1  |
+----------+--------+---------+
[root@rhosp10-controller ~(keystone_admin)]# openstack role assignment list --project test-1 --user admin-1 --names
+----------+---------+---------+
| Role     | User    | Project |
+----------+---------+---------+
| _member_ | admin-1 | test-1  |
| admin    | admin-1 | test-1  |
+----------+---------+---------+
[root@rhosp10-controller ~(keystone_admin)]# openstack availability zone list
+-----------+-------------+
| Zone Name | Zone Status |
+-----------+-------------+
| internal  | available   |
| AZ2       | available   |
| AZ1       | available   |
| nova      | available   |
| nova      | available   |
| nova      | available   |
+-----------+-------------+
[root@rhosp10-controller ~(keystone_admin)]# source keystonerc_user-1
[root@rhosp10-controller ~(user-1)]# openstack availability zone list
+-----------+-------------+
| Zone Name | Zone Status |
+-----------+-------------+
| AZ2       | available   |
| AZ1       | available   |
| nova      | available   |
| nova      | available   |
| nova      | available   |
+-----------+-------------+

Version-Release number of selected component (if applicable):

python-keystone-10.0.3-1.el7ost.noarch
python-keystoneclient-3.5.1-1.el7ost.noarch
python-keystonemiddleware-4.9.1-1.el7ost.noarch
puppet-keystone-9.5.0-5.el7ost.noarch
openstack-keystone-10.0.3-1.el7ost.noarch
python-keystoneauth1-2.12.3-1.el7ost.noarch

How reproducible:
Same behavior with a brand new OSP 10 install.

Steps to Reproduce:
[root@rhosp10-controller ~(keystone_admin)]# nova aggregate-create az1 AZ1
+----+------+-------------------+-------+-------------------------+
| Id | Name | Availability Zone | Hosts | Metadata                |
+----+------+-------------------+-------+-------------------------+
| 1  | az1  | AZ1               |       | 'availability_zone=AZ1' |
+----+------+-------------------+-------+-------------------------+

[root@rhosp10-controller ~(keystone_admin)]# nova aggregate-add-host az1 rhosp10-compute01
Host rhosp10-compute01 has been successfully added for aggregate 1 
+----+------+-------------------+---------------------+-------------------------+
| Id | Name | Availability Zone | Hosts               | Metadata                |
+----+------+-------------------+---------------------+-------------------------+
| 1  | az1  | AZ1               | 'rhosp10-compute01' | 'availability_zone=AZ1' |
+----+------+-------------------+---------------------+-------------------------+

[root@rhosp10-controller ~(keystone_admin)]# openstack project create test-1 
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| enabled     | True                             |
| id          | 632863bbfa874fc7bbfe6ea74830f0f2 |
| name        | test-1                           |
+-------------+----------------------------------+

[root@rhosp10-controller ~(keystone_admin)]# openstack user create user-1 --project test-1 --password q1w2e3r4 
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| email      | None                             |
| enabled    | True                             |
| id         | 5fea433caa20497b934d6f760c28e031 |
| name       | user-1                           |
| project_id | 632863bbfa874fc7bbfe6ea74830f0f2 |
| username   | user-1                           |
+------------+----------------------------------+


Actual results:

[root@rhosp10-controller ~(user-1)]# openstack availability zone list
+-----------+-------------+
| Zone Name | Zone Status |
+-----------+-------------+
| AZ2       | available   |
| AZ1       | available   |
+-----------+-------------+


Expected results:

[root@rhosp10-controller ~(user-1)]# openstack availability zone list
+-----------+-------------+
| Zone Name | Zone Status |
+-----------+-------------+
| AZ1       | available   |
+-----------+-------------+


Additional info:

Comment 3 Harry Rybacki 2018-06-11 19:09:20 UTC

We are closing this bug because we have not received sufficient information to make progress. Please feel free to open this bug again when you are able to provide the required information we requested.

Comment 4 Red Hat Bugzilla 2023-09-15 00:07:52 UTC

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days

Note You need to log in before you can comment on or make changes to this bug.