[Yahoo-eng-team] [Bug 1233707] Re: neutron http policy check broken

Armando Migliaccio Thu, 22 Oct 2015 13:16:48 -0700

** No longer affects: neutron

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1233707


Title:
  neutron http policy check broken

Status in oslo-incubator:
  Fix Released

Bug description:
  Neutron in theory should support HttpCheck as a policy element:

  
https://github.com/openstack/neutron/blob/master/neutron/openstack/common/policy.py#L747

  So I ran a little http server on localhost and added this line to the 
policy.json file:
      "create_network": "http://127.0.0.1:8080/ or rule:default",

  It turns out the http post never made it to the http server.

  Here, the code is trying to populate a json string with variable target:
  
https://github.com/openstack/neutron/blob/master/neutron/openstack/common/policy.py#L757

  And in execution, we have:

  2013-10-01 14:22:32.092 ERROR neutron.openstack.common.policy [-] 
target={'router:external': <object object at 0x7fc3ae693170>, u'name': u'net1', 
'provider:physical_network': <object object at 0x7fc3ae693170>, 
u'admin_state_up': True, 'tenant_id': u'881d9a4a7c4a486b94fae690e6d613fb', 
'provider:network_type': <object object at 0x7fc3ae693170>, 'shared': False, 
'provider:segmentation_id': <object object at 0x7fc3ae693170>}
  creds={'user_id': u'0495af214c2c4bdd99fadb7a7c69630e', 'roles': [u'admin'], 
'tenant_id': u'881d9a4a7c4a486b94fae690e6d613fb', 'is_admin': True, 
'timestamp': '2013-10-01 14:22:32.079282', 'project_id': 
u'881d9a4a7c4a486b94fae690e6d613fb', 'read_deleted': 'no'}
  url=http://127.0.0.1:8080/{'router:external': <object object at 
0x7fc3ae693170>, u'name': u'net1', 'provider:physical_network': <object object 
at 0x7fc3ae693170>, u'admin_state_up': True, 'tenant_id': 
u'881d9a4a7c4a486b94fae690e6d613fb', 'provider:network_type': <object object at 
0x7fc3ae693170>, 'shared': False, 'provider:segmentation_id': <object object at 
0x7fc3ae693170>}
  2013-10-01 14:22:32.092 TRACE neutron.openstack.common.policy Traceback (most 
recent call last):
  2013-10-01 14:22:32.092 TRACE neutron.openstack.common.policy   File 
"/usr/lib/python2.7/dist-packages/routes/middleware.py", line 52, in __call__
  2013-10-01 14:22:32.092 TRACE neutron.openstack.common.policy     qs = 
environ['QUERY_STRING']
  2013-10-01 14:22:32.092 TRACE neutron.openstack.common.policy KeyError: 
'QUERY_STRING'
  2013-10-01 14:22:32.092 TRACE neutron.openstack.common.policy
  2013-10-01 14:22:32.092 ERROR neutron.api.v2.resource [-] create failed
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource Traceback (most recent 
call last):
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource   File 
"/opt/stack/neutron/neutron/api/v2/resource.py", line 84, in resource
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource     result = 
method(request=request, **args)
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource   File 
"/opt/stack/neutron/neutron/api/v2/base.py", line 357, in create
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource     
item[self._resource])
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource   File 
"/opt/stack/neutron/neutron/policy.py", line 379, in enforce
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource     
exc=exceptions.PolicyNotAuthorized, action=action)
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource   File 
"/opt/stack/neutron/neutron/openstack/common/policy.py", line 169, in check
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource     result = 
rule(target, creds)
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource   File 
"/opt/stack/neutron/neutron/openstack/common/policy.py", line 732, in __call__
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource     return 
_rules[self.match](target, creds)
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource   File 
"/opt/stack/neutron/neutron/openstack/common/policy.py", line 366, in __call__
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource     if rule(target, 
cred):
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource   File 
"/opt/stack/neutron/neutron/openstack/common/policy.py", line 758, in __call__
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource     data = {'target': 
jsonutils.dumps(target),
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource   File 
"/opt/stack/neutron/neutron/openstack/common/jsonutils.py", line 151, in dumps
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource     return 
json.dumps(value, default=default, **kwargs)
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource   File 
"/usr/lib/python2.7/json/__init__.py", line 238, in dumps
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource     **kw).encode(obj)
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource   File 
"/usr/lib/python2.7/json/encoder.py", line 200, in encode
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource     chunks = 
self.iterencode(o, _one_shot=True)
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource   File 
"/usr/lib/python2.7/json/encoder.py", line 263, in iterencode
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource     return 
_iterencode(o, 0)
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource ValueError: Circular 
reference detected
  2013-10-01 14:22:32.092 TRACE neutron.api.v2.resource

  Basically, the target variable looks like this when converted to string:
  {'router:external': <object object at 0x7fc3ae693170>, u'name': u'net1', 
'provider:physical_network': <object object at 0x7fc3ae693170>, 
u'admin_state_up': True, 'tenant_id': u'881d9a4a7c4a486b94fae690e6d613fb', 
'provider:network_type': <object object at 0x7fc3ae693170>, 'shared': False, 
'provider:segmentation_id': <object object at 0x7fc3ae693170>}

  I wonder if we should change the action to the url parameter and post
  the target as the post body.

To manage notifications about this bug go to:
https://bugs.launchpad.net/oslo-incubator/+bug/1233707/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

[Yahoo-eng-team] [Bug 1233707] Re: neutron http policy check broken

Reply via email to