[Yahoo-eng-team] [Bug 1413426] [NEW] Forbidden: Policy doesn't allow compute:get_all_tenants to be performed. (HTTP 403)

Kieran Spear Wed, 21 Jan 2015 16:12:13 -0800

Public bug reported:

Horizon is making requests to admin-only APIs in the project dashboard:


Error while checking action permissions.
Traceback (most recent call last):
  File "/home/kspear/openstack/horizon/horizon/tables/base.py", line 1260, in 
_filter_action
    return action._allowed(request, datum) and row_matched
  File "/home/kspear/openstack/horizon/horizon/tables/actions.py", line 137, in 
_allowed
    return self.allowed(request, datum)
  File 
"/home/kspear/openstack/horizon/openstack_dashboard/dashboards/project/access_and_security/floating_ips/tables.py",
 line 52, in allowed
    usages = quotas.tenant_quota_usages(request)
  File "/home/kspear/openstack/horizon/horizon/utils/memoized.py", line 90, in 
wrapped
    value = cache[key] = func(*args, **kwargs)
  File "/home/kspear/openstack/horizon/openstack_dashboard/usage/quotas.py", 
line 353, in tenant_quota_usages
    _get_tenant_compute_usages(request, usages, disabled_quotas, tenant_id)
  File "/home/kspear/openstack/horizon/openstack_dashboard/usage/quotas.py", 
line 258, in _get_tenant_compute_usages
    request, search_opts={'tenant_id': tenant_id}, all_tenants=True)
  File "/home/kspear/openstack/horizon/openstack_dashboard/api/nova.py", line 
580, in server_list
    for s in c.servers.list(True, search_opts)]
  File 
"/home/kspear/openstack/horizon/.venv/local/lib/python2.7/site-packages/novaclient/v1_1/servers.py",
 line 603, in list
    return self._list("/servers%s%s" % (detail, query_string), "servers")
  File 
"/home/kspear/openstack/horizon/.venv/local/lib/python2.7/site-packages/novaclient/base.py",
 line 67, in _list
    _resp, body = self.api.client.get(url)
  File 
"/home/kspear/openstack/horizon/.venv/local/lib/python2.7/site-packages/novaclient/client.py",
 line 487, in get
    return self._cs_request(url, 'GET', **kwargs)
  File 
"/home/kspear/openstack/horizon/.venv/local/lib/python2.7/site-packages/novaclient/client.py",
 line 465, in _cs_request
    resp, body = self._time_request(url, method, **kwargs)
  File 
"/home/kspear/openstack/horizon/.venv/local/lib/python2.7/site-packages/novaclient/client.py",
 line 439, in _time_request
    resp, body = self.request(url, method, **kwargs)
  File 
"/home/kspear/openstack/horizon/.venv/local/lib/python2.7/site-packages/novaclient/client.py",
 line 433, in request
    raise exceptions.from_response(resp, body, url, method)
Forbidden: Policy doesn't allow compute:get_all_tenants to be performed. (HTTP 
403) (Request-ID: req-8c0549aa-4a3e-4c07-8911-a35196be0a13)


Looks like this commit is the culprit:

commit f5b77f9a145337c22cf29d8017f5df67a6bacb7c
Author: eric <[email protected]>
Date:   Sun Nov 30 07:03:20 2014 -0700

    Quotas for users with admin role do not work
    
    The quotas code does not isloate counts to resources within the
    current tenant/project.  So if a user with the admin role makes
    calls for quota items, the admin role will have counts of a global
    list of resources.  This changes that for the tenant quota call
    to fallback to the request.user.project_id if no project was
    otherwise specified for the tenant quota api call.
    
    Change-Id: Ib0e6ce7774c4c03686a044f233dbb9aa36dbe1b9
    Closes-bug: #1391242

** Affects: horizon
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1413426

Title:
  Forbidden: Policy doesn't allow compute:get_all_tenants to be
  performed. (HTTP 403)

Status in OpenStack Dashboard (Horizon):
  New

Bug description:
  Horizon is making requests to admin-only APIs in the project
  dashboard:

  Error while checking action permissions.
  Traceback (most recent call last):
    File "/home/kspear/openstack/horizon/horizon/tables/base.py", line 1260, in 
_filter_action
      return action._allowed(request, datum) and row_matched
    File "/home/kspear/openstack/horizon/horizon/tables/actions.py", line 137, 
in _allowed
      return self.allowed(request, datum)
    File 
"/home/kspear/openstack/horizon/openstack_dashboard/dashboards/project/access_and_security/floating_ips/tables.py",
 line 52, in allowed
      usages = quotas.tenant_quota_usages(request)
    File "/home/kspear/openstack/horizon/horizon/utils/memoized.py", line 90, 
in wrapped
      value = cache[key] = func(*args, **kwargs)
    File "/home/kspear/openstack/horizon/openstack_dashboard/usage/quotas.py", 
line 353, in tenant_quota_usages
      _get_tenant_compute_usages(request, usages, disabled_quotas, tenant_id)
    File "/home/kspear/openstack/horizon/openstack_dashboard/usage/quotas.py", 
line 258, in _get_tenant_compute_usages
      request, search_opts={'tenant_id': tenant_id}, all_tenants=True)
    File "/home/kspear/openstack/horizon/openstack_dashboard/api/nova.py", line 
580, in server_list
      for s in c.servers.list(True, search_opts)]
    File 
"/home/kspear/openstack/horizon/.venv/local/lib/python2.7/site-packages/novaclient/v1_1/servers.py",
 line 603, in list
      return self._list("/servers%s%s" % (detail, query_string), "servers")
    File 
"/home/kspear/openstack/horizon/.venv/local/lib/python2.7/site-packages/novaclient/base.py",
 line 67, in _list
      _resp, body = self.api.client.get(url)
    File 
"/home/kspear/openstack/horizon/.venv/local/lib/python2.7/site-packages/novaclient/client.py",
 line 487, in get
      return self._cs_request(url, 'GET', **kwargs)
    File 
"/home/kspear/openstack/horizon/.venv/local/lib/python2.7/site-packages/novaclient/client.py",
 line 465, in _cs_request
      resp, body = self._time_request(url, method, **kwargs)
    File 
"/home/kspear/openstack/horizon/.venv/local/lib/python2.7/site-packages/novaclient/client.py",
 line 439, in _time_request
      resp, body = self.request(url, method, **kwargs)
    File 
"/home/kspear/openstack/horizon/.venv/local/lib/python2.7/site-packages/novaclient/client.py",
 line 433, in request
      raise exceptions.from_response(resp, body, url, method)
  Forbidden: Policy doesn't allow compute:get_all_tenants to be performed. 
(HTTP 403) (Request-ID: req-8c0549aa-4a3e-4c07-8911-a35196be0a13)

  
  Looks like this commit is the culprit:

  commit f5b77f9a145337c22cf29d8017f5df67a6bacb7c
  Author: eric <[email protected]>
  Date:   Sun Nov 30 07:03:20 2014 -0700

      Quotas for users with admin role do not work
      
      The quotas code does not isloate counts to resources within the
      current tenant/project.  So if a user with the admin role makes
      calls for quota items, the admin role will have counts of a global
      list of resources.  This changes that for the tenant quota call
      to fallback to the request.user.project_id if no project was
      otherwise specified for the tenant quota api call.
      
      Change-Id: Ib0e6ce7774c4c03686a044f233dbb9aa36dbe1b9
      Closes-bug: #1391242

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1413426/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

[Yahoo-eng-team] [Bug 1413426] [NEW] Forbidden: Policy doesn't allow compute:get_all_tenants to be performed. (HTTP 403)

Reply via email to