Bug 1573017 - A user with role _member_ is able to list all AZs [NEEDINFO]
Summary: A user with role _member_ is able to list all AZs
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 10.0 (Newton)
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: Harry Rybacki
QA Contact: nlevinki
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-29 19:57 UTC by Siggy Sigwald
Modified: 2020-01-16 15:23 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-11 19:09:20 UTC
Target Upstream Version:
hrybacki: needinfo? (ssigwald)



Description Siggy Sigwald 2018-04-29 19:57:02 UTC
Description of problem:
In a standard OSP 10 installation, I've created a project associated to an AZ. I've created 2 users: one has the admin role, the other one the _member_ role.
Using the user with role _member_ I can still list ALL the AZs. Customer believes this shouldn't be possible.

[root@rhosp10-controller ~(keystone_admin)]# openstack role assignment list --project test-1 --user user-1 --names
+----------+--------+---------+
| Role     | User   | Project |
+----------+--------+---------+
| _member_ | user-1 | test-1  |
+----------+--------+---------+
[root@rhosp10-controller ~(keystone_admin)]# openstack role assignment list --project test-1 --user admin-1 --names
+----------+---------+---------+
| Role     | User    | Project |
+----------+---------+---------+
| _member_ | admin-1 | test-1  |
| admin    | admin-1 | test-1  |
+----------+---------+---------+
[root@rhosp10-controller ~(keystone_admin)]# openstack availability zone list
+-----------+-------------+
| Zone Name | Zone Status |
+-----------+-------------+
| internal  | available   |
| AZ2       | available   |
| AZ1       | available   |
| nova      | available   |
| nova      | available   |
| nova      | available   |
+-----------+-------------+
[root@rhosp10-controller ~(keystone_admin)]# source keystonerc_user-1
[root@rhosp10-controller ~(user-1)]# openstack availability zone list
+-----------+-------------+
| Zone Name | Zone Status |
+-----------+-------------+
| AZ2       | available   |
| AZ1       | available   |
| nova      | available   |
| nova      | available   |
| nova      | available   |
+-----------+-------------+

Version-Release number of selected component (if applicable):

python-keystone-10.0.3-1.el7ost.noarch
python-keystoneclient-3.5.1-1.el7ost.noarch
python-keystonemiddleware-4.9.1-1.el7ost.noarch
puppet-keystone-9.5.0-5.el7ost.noarch
openstack-keystone-10.0.3-1.el7ost.noarch
python-keystoneauth1-2.12.3-1.el7ost.noarch

How reproducible:
Same behavior with a brand new OSP 10 install.

Steps to Reproduce:
[root@rhosp10-controller ~(keystone_admin)]# nova aggregate-create az1 AZ1
+----+------+-------------------+-------+-------------------------+
| Id | Name | Availability Zone | Hosts | Metadata                |
+----+------+-------------------+-------+-------------------------+
| 1  | az1  | AZ1               |       | 'availability_zone=AZ1' |
+----+------+-------------------+-------+-------------------------+

[root@rhosp10-controller ~(keystone_admin)]# nova aggregate-add-host az1 rhosp10-compute01
Host rhosp10-compute01 has been successfully added for aggregate 1 
+----+------+-------------------+---------------------+-------------------------+
| Id | Name | Availability Zone | Hosts               | Metadata                |
+----+------+-------------------+---------------------+-------------------------+
| 1  | az1  | AZ1               | 'rhosp10-compute01' | 'availability_zone=AZ1' |
+----+------+-------------------+---------------------+-------------------------+

[root@rhosp10-controller ~(keystone_admin)]# openstack project create test-1 
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| enabled     | True                             |
| id          | 632863bbfa874fc7bbfe6ea74830f0f2 |
| name        | test-1                           |
+-------------+----------------------------------+

[root@rhosp10-controller ~(keystone_admin)]# openstack user create user-1 --project test-1 --password q1w2e3r4 
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| email      | None                             |
| enabled    | True                             |
| id         | 5fea433caa20497b934d6f760c28e031 |
| name       | user-1                           |
| project_id | 632863bbfa874fc7bbfe6ea74830f0f2 |
| username   | user-1                           |
+------------+----------------------------------+


Actual results:

[root@rhosp10-controller ~(user-1)]# openstack availability zone list
+-----------+-------------+
| Zone Name | Zone Status |
+-----------+-------------+
| AZ2       | available   |
| AZ1       | available   |
+-----------+-------------+


Expected results:

[root@rhosp10-controller ~(user-1)]# openstack availability zone list
+-----------+-------------+
| Zone Name | Zone Status |
+-----------+-------------+
| AZ1       | available   |
+-----------+-------------+


Additional info:
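As an added check (not part of the report or of any OpenStack component), the following script parses the `openstack availability zone list` table shown above and reports which zones a project-scoped user can see beyond the set the operator intended; the sample table and the assumption that project test-1 should only see AZ1 are constructed from the report.

```python
import re

# Constructed sample: the table the _member_ user saw in the report above.
MEMBER_VIEW = """\
+-----------+-------------+
| Zone Name | Zone Status |
+-----------+-------------+
| AZ2       | available   |
| AZ1       | available   |
| nova      | available   |
| nova      | available   |
| nova      | available   |
+-----------+-------------+
"""

# One data row of the CLI's ASCII table: "| <zone> | <status> |".
ROW = re.compile(r"^\|\s*(?P<zone>[^|]+?)\s*\|\s*(?P<status>[^|]+?)\s*\|$")


def parse_az_table(text):
    """Parse `openstack availability zone list` output into {zone: status}.

    Border lines ("+---+") and the header row are skipped; repeated rows for
    the same zone collapse into a single entry.
    """
    zones = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group("zone") == "Zone Name":
            continue
        zones[m.group("zone")] = m.group("status")
    return zones


def unexpected_zones(visible, allowed):
    """Return, sorted, the zones that are visible but not in the allowed set.

    `allowed` is the operator's expectation for the project (an assumption
    supplied by the caller); anything else in the listing is over-exposure.
    """
    return sorted(set(visible) - set(allowed))


def audit(table_text, allowed):
    """Combine parsing and comparison for one captured listing."""
    visible = parse_az_table(table_text)
    return {"visible": sorted(visible), "unexpected": unexpected_zones(visible, allowed)}


if __name__ == "__main__":
    # For the report's case: project test-1 is meant to use AZ1 only.
    print(audit(MEMBER_VIEW, {"AZ1"}))
```

Feed it the output captured under each user's credentials to record exactly what each role exposes; an empty "unexpected" list is the state the reporter expected.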

Comment 3 Harry Rybacki 2018-06-11 19:09:20 UTC
We are closing this bug because we have not received sufficient information to make progress. Please feel free to open this bug again when you are able to provide the required information we requested.

