Bug 1633522 - Openstack Domains are not isolated when is_admin is 'true'
Status: ON_QA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Providers
Version: 5.10.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.10.0
Assignee: Sam Lucidi
QA Contact: Sudhir Mallamprabhakara
Reported: 2018-09-27 08:28 UTC by Pradeep Kumar Surisetty
Modified: 2026-01-06 08:27 UTC

Fixed In Version: 5.10.0.25
Cloudforms Team: Openstack

Attachments:
CFME UI with multi domain when is_admin is false (9.30 KB, image/png), 2018-09-27 08:28 UTC, Pradeep Kumar Surisetty
CFME UI with multi domain when is_admin is true (15.42 KB, image/png), 2018-09-27 08:29 UTC, Pradeep Kumar Surisetty
Default domain details (78.11 KB, image/png), 2018-09-27 08:30 UTC, Pradeep Kumar Surisetty

Description Pradeep Kumar Surisetty 2018-09-27 08:28:03 UTC
Description of problem:

OSP10 provider has: 

Keystone v3, 506 vms , 200 tenants, 5 domains, 20 networks, 200 images.

 openstack domain list
+----------------------------------+--------------+---------+--------------------+
| ID                               | Name         | Enabled | Description        |
+----------------------------------+--------------+---------+--------------------+
| 699cc2300b0e4b02bb80aca58a93b09b | test         | True    |                    |
| 73bb7a33c21a403fbe031673e72bd443 | admin_domain | True    |                    |
| b882d9499ab4401d82d0e321a871117c | heat_stack   | True    |                    |
| bde3b6831fe2462eb30b17688252b7ab | dom1         | True    |                    |
| default                          | Default      | True    | The default domain |
| f6a03b62d5d740a182319ac7474d8384 | domain1      | True    |                    |
+----------------------------------+--------------+---------+--------------------+

Added the Default domain and the test domain as OSP providers to CFME, with is_admin set to yes (to improve refresh time, is_admin is set to yes). The 'test' domain lists the 'default' domain's instances in the CFME UI. Domains are not isolated on CFME; the test domain is just a replica of the default domain in the CFME UI.


CFME Configuration: 

  :openstack:
    :is_admin: true
    :heat:
      :is_global_admin: false
    :inventory_object_refresh: true
    :allow_targeted_refresh: true
  :openstack_network:
    :is_admin: true
    :inventory_object_refresh: true
    :allow_targeted_refresh: true
  :cinder:
    :is_admin: true
    :inventory_object_refresh: true
    :allow_targeted_refresh: true

Steps to Reproduce:
1. Add multiple OSP10 keystone v3 domains as different providers to CFME

Actual results:
Domains are not isolated. Each domain lists the default domain's details, as shown in the attachment.

Expected results:

Domains should be isolated.

Comment 2 Pradeep Kumar Surisetty 2018-09-27 08:28:49 UTC
Created attachment 1487667 [details]
CFME UI with multi domain when is_admin is false

Comment 3 Pradeep Kumar Surisetty 2018-09-27 08:29:17 UTC
Created attachment 1487668 [details]
CFME UI with multi domain when is_admin is true

Comment 4 Pradeep Kumar Surisetty 2018-09-27 08:30:37 UTC
Created attachment 1487669 [details]
Default domain details

Comment 5 Ladislav Smola 2018-09-27 10:13:52 UTC
@Sam: looks like :is_admin always loads the default domain? Not sure if we have tests for keystone v3 and is_admin?

Comment 7 Sam Lucidi 2018-09-27 20:04:38 UTC
I'm not sure that what's going on here is a CFME issue. The 'test' user is able to see everything even in the openstack CLI tool using the '--all-projects' flag, which is admin-restricted. My hunch is that a domain-based policy (using cloud_admin etc.) isn't in place, so since 'test' is admin of a tenant, it's treated as a global admin and gets to see everything.

Pradeep, can you check the keystone policy rules on your environment and determine whether that is the case?

Comment 11 anil venkata 2018-09-28 09:33:39 UTC
/etc/nova/policy.json in that setup is empty, so nova is not enforcing any policy rules for the api from users. I think that is the reason why users with any token were able to access all nova instances.

Comment 12 anil venkata 2018-09-28 10:41:41 UTC
Also, the test user is assigned the global admin role, so he can access any openstack resources.

Comment 13 Sam Lucidi 2018-10-01 16:33:05 UTC
Since this appears to be an OpenStack policy issue rather than a Cloudforms issue, I recommend contacting the RHOSP dev team for advice on how to achieve the desired domain isolation.

Comment 14 anil venkata 2018-10-03 18:35:04 UTC
Please ignore my comment 11.

openstack server list --all-projects
will work only when a user is assigned the keystone global admin role. Then this API, for the admin role, will fetch all projects, including projects from other domains. We can't change the nova policy here, as nova doesn't implement domains.

Nova, neutron and other openstack components except keystone don't implement domains, i.e. they don't understand the tree-like structured hierarchy. So we can't request nova to list servers specific to a domain.

We can't implement any changes in OSP.

We can have a workaround in CFME
1) Get all projects belonging to a domain as keystone v3 can understand domains
2) Then for each project, list OSP resources (like nova servers)

Comment 15 Sam Lucidi 2018-10-03 19:15:25 UTC
"We can have a workaround in CFME
1) Get all projects belonging to a domain as keystone v3 can understand domains
2) Then for each project, list OSP resources (like nova servers)"

This is what CFME does when "is_admin" is turned off. However, this multiplies the number of Openstack API calls CFME has to make by the number of projects the user has membership in. This of course is very slow, especially in environments with a large number of projects, such as the test environment.

Comment 16 Ladislav Smola 2018-10-04 07:58:58 UTC
So if the admin gives us everything, we can fetch all the data, but store only those related to the specified domain? It sucks that we'll be fetching and throwing data away, but it might be faster than doing individual queries. (later we would remodel it that 1 provider can have multiple domains defined?)

Or if we'll need to fetch resources per tenant, we can at least do it in multiple threads, check e.g. https://github.com/Ladas/manageiq-providers-azure/blob/271bf8ae0bebb3f37281803d12baa47d28941529/app/models/manageiq/providers/azure/inventory/collector.rb#L365
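
The three collection strategies discussed in comments 14 to 16 (per-project listing with is_admin off, the unfiltered admin listing that produced this report, and fetch-everything-then-filter-by-domain), as an added example that is not ManageIQ/CFME code: Keystone and Nova are replaced by constructed in-memory fixtures, only the 'test' domain id is taken from the domain list above, and a call counter stands in for the API cost.

```ruby
# Added example, not ManageIQ code: in-memory stand-ins for Keystone v3
# and Nova responses; project and server ids are constructed.
PROJECTS = [
  { id: "p-default-1", domain_id: "default" },
  { id: "p-default-2", domain_id: "default" },
  { id: "p-test-1",    domain_id: "699cc2300b0e4b02bb80aca58a93b09b" }, # 'test' domain
].freeze
# Nova has no notion of domains: a server only knows its tenant (project).
SERVERS = [
  { id: "vm-1", tenant_id: "p-default-1" },
  { id: "vm-2", tenant_id: "p-default-2" },
  { id: "vm-3", tenant_id: "p-test-1" },
].freeze

# Fake Nova client that counts API calls so the strategies can be compared.
class FakeNova
  attr_reader :calls
  def initialize; @calls = 0; end
  # Global-admin listing (all tenants): every server in the cloud.
  def list_all_projects
    @calls += 1
    SERVERS
  end
  # Listing scoped to a single project token.
  def list_for_project(project_id)
    @calls += 1
    SERVERS.select { |s| s[:tenant_id] == project_id }
  end
end

# Keystone v3 does understand domains: the projects of one domain.
def project_ids_in_domain(domain_id)
  PROJECTS.select { |p| p[:domain_id] == domain_id }.map { |p| p[:id] }
end

# is_admin: true as reported: one call, but the 'test' provider also stores the Default domain's servers.
def admin_unfiltered(nova, _domain_id)
  nova.list_all_projects.map { |s| s[:id] }
end

# is_admin: false (comments 14/15): one Nova call per project in the domain.
def per_project(nova, domain_id)
  project_ids_in_domain(domain_id).flat_map { |pid| nova.list_for_project(pid) }.map { |s| s[:id] }
end

# Comment 16's proposal: one admin call, then keep only this domain's servers.
def admin_filtered(nova, domain_id)
  keep = project_ids_in_domain(domain_id)
  nova.list_all_projects.select { |s| keep.include?(s[:tenant_id]) }.map { |s| s[:id] }
end
```

With these fixtures the unfiltered admin path returns all three servers for the 'test' provider in one call, the per-project path returns only the domain's servers at one call per project, and the filtered admin path returns the same isolated result in a single call.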

Comment 17 Sam Lucidi 2018-10-19 19:59:47 UTC
https://github.com/ManageIQ/manageiq-providers-openstack/pull/374 adds an option to parallelize the inventory collection process, speeding it up significantly even with is_admin off. This would solve the issue as I understand it by obviating the need to have that flag on.
