Cannot use aggregates API with metric ID as non-admin

[Callum027]

Before reporting an issue on Gnocchi, please be sure to provide all necessary
information.

Which version of Gnocchi are you using

Latest master.

How to reproduce your problem

RBAC policy definitions for the relevant functions:

"is_metric_viewer": "role:_member_ or role:metric_viewer"
"resource_in_project": "project_id:%(project_id)s"
"metric_in_project": "project_id:%(resource.project_id)s"
"resource_read": "rule:context_is_admin or (rule:is_metric_viewer and rule:resource_in_project)"
"metric_read": "rule:context_is_admin or (rule:is_metric_viewer and rule:metric_in_project)"
"search resource": "rule:resource_read"
"get metric": "rule:metric_read"

The user has the correct roles assigned:

(as admin) $ openstack role assignment list --project projectowner1.example.com --names
+------------------+-----------------------------------+-------+-----------------------------------+--------+--------+-----------+
| Role             | User                              | Group | Project                           | Domain | System | Inherited |
+------------------+-----------------------------------+-------+-----------------------------------+--------+--------+-----------+
| heat_stack_owner | [email protected]@Default |       | projectowner1.example.com@Default |        |        | False     |
| _member_         | [email protected]@Default |       | projectowner1.example.com@Default |        |        | False     |
| project_admin    | [email protected]@Default |       | projectowner1.example.com@Default |        |        | False     |
+------------------+-----------------------------------+-------+-----------------------------------+--------+--------+-----------+

I have a metric that is associated with a resource:

(as user) $ openstack metric show 493e0ccd-d78d-4198-a250-f5a902035838
+--------------------------------+-------------------------------------------------------------------+
| Field                          | Value                                                             |
+--------------------------------+-------------------------------------------------------------------+
| archive_policy/name            | met1.telemetry-high-rate                                          |
| creator                        | 65c5ff9138c44b619021222c4a56a5d6:f1544f729fe24c4c8fd5d28295965813 |
| id                             | 493e0ccd-d78d-4198-a250-f5a902035838                              |
| name                           | cpu                                                               |
| resource/created_by_project_id | f1544f729fe24c4c8fd5d28295965813                                  |
| resource/created_by_user_id    | 65c5ff9138c44b619021222c4a56a5d6                                  |
| resource/creator               | 65c5ff9138c44b619021222c4a56a5d6:f1544f729fe24c4c8fd5d28295965813 |
| resource/ended_at              | None                                                              |
| resource/id                    | cd043eaf-12db-4f69-910c-b4dae45c15c4                              |
| resource/original_resource_id  | cd043eaf-12db-4f69-910c-b4dae45c15c4                              |
| resource/project_id            | 97b20a6e6f3b4476a569855b8efe5005                                  |
| resource/revision_end          | None                                                              |
| resource/revision_start        | 2024-12-17T18:41:54.534142+00:00                                  |
| resource/started_at            | 2024-12-17T18:41:54.534129+00:00                                  |
| resource/type                  | instance                                                          |
| resource/user_id               | 61a27648b74d458a86549dc481bbcb90                                  |
| unit                           | None                                                              |
+--------------------------------+-------------------------------------------------------------------+

When I use the aggregates API against it querying by metric name as a project member, everything works correctly:

(as user) $ openstack metric aggregates --start "$(date -u '+%Y-%m-%dT%H:00:00')" --resource-type instance --granularity 600 "(* (/ (metric cpu rate:mean) 600000000000) 100)" "id=cd043eaf-12db-4f69-910c-b4dae45c15c4"
+----------------------------------------------------+---------------------------+-------------+---------------------+
| name                                               | timestamp                 | granularity |               value |
+----------------------------------------------------+---------------------------+-------------+---------------------+
| cd043eaf-12db-4f69-910c-b4dae45c15c4/cpu/rate:mean | 2024-12-19T00:00:00+00:00 |       600.0 | 0.26333333333333336 |
| cd043eaf-12db-4f69-910c-b4dae45c15c4/cpu/rate:mean | 2024-12-19T00:10:00+00:00 |       600.0 | 0.24666666666666665 |
| cd043eaf-12db-4f69-910c-b4dae45c15c4/cpu/rate:mean | 2024-12-19T00:20:00+00:00 |       600.0 | 0.25666666666666665 |
+----------------------------------------------------+---------------------------+-------------+---------------------+

This does not work, however, when I give it the metric ID directly, and do not use the resource metric code path.

Looking at the code, it looks like details=True is not set when querying for the metrics from the index using the aggregates API, causing the Resource relation to not be populated. Not sure if this is actually the cause of the issue as I'd think the filtering would be done in the database query itself, but it was something I noticed.

What is the result that you get

(as user) $ openstack metric aggregates --start "$(date -u '+%Y-%m-%dT%H:00:00')" --granularity 600 "(* (/ (metric 493e0ccd-d78d-4198-a250-f5a902035838 rate:mean) 600000000000) 100)"
Forbidden (HTTP 403)

What is result that you expected

(as user) $ openstack metric aggregates --start "$(date -u '+%Y-%m-%dT%H:00:00')" --granularity 600 "(* (/ (metric 493e0ccd-d78d-4198-a250-f5a902035838 rate:mean) 600000000000) 100)"
+------------------------------------------------+---------------------------+-------------+---------------------+
| name                                           | timestamp                 | granularity |               value |
+------------------------------------------------+---------------------------+-------------+---------------------+
| 493e0ccd-d78d-4198-a250-f5a902035838/rate:mean | 2024-12-19T00:00:00+00:00 |       600.0 | 0.26333333333333336 |
| 493e0ccd-d78d-4198-a250-f5a902035838/rate:mean | 2024-12-19T00:10:00+00:00 |       600.0 | 0.24666666666666665 |
| 493e0ccd-d78d-4198-a250-f5a902035838/rate:mean | 2024-12-19T00:20:00+00:00 |       600.0 | 0.25666666666666665 |
+------------------------------------------------+---------------------------+-------------+---------------------+

[chungg]

Looking at the code, it looks like details=True is not set when querying for the metrics from the index using the aggregates API, causing the Resource relation to not be populated. Not sure if this is actually the cause of the issue as I'd think the filtering would be done in the database query itself, but it was something I noticed.

i think you're right. seems like it's missing details=True similar to #464.

that said, i think that's also the default policy so i would expect some tests to fail: https://github.com/gnocchixyz/gnocchi/blob/master/gnocchi/tests/functional/gabbits/aggregates-with-metric-ids.yaml#L144-L149 which is strange