
yahoo-eng-team team mailing list archive

[Bug 1534954] [NEW] policy rule for update_port is inconsistent

 

Public bug reported:

For a user from a common tenant, per [1]
https://github.com/openstack/neutron/blob/master/etc/policy.json#L77 ,
it seems the network owner shouldn't have the privilege to update a port on
her/his network if she/he is not the port owner.

But per [2]
https://github.com/openstack/neutron/blob/master/etc/policy.json#L78-L85
, it seems the network owner still has a chance to update port attributes
such as device_owner, fixed_ips, port_security_enabled, mac_learning_enabled,
allowed_address_pairs.

This is inconsistent; per [1], the policy rule "rule:admin_or_network_owner"
in [2] should be updated to "admin_or_owner".

** Affects: neutron
     Importance: Undecided
     Assignee: ZongKai LI (lzklibj)
         Status: In Progress

** Changed in: neutron
     Assignee: (unassigned) => ZongKai LI (lzklibj)

** Description changed:

  For user from a common tenant, per [1]
  https://github.com/openstack/neutron/blob/master/etc/policy.json#L77 ,
  seems network owner shouldn't have privilege to update port on her/his
  network if she/he is not port owner.
  
  But per [2]
  https://github.com/openstack/neutron/blob/master/etc/policy.json#L78-L85
  , seems network owner still have chance to update port attributes such
  as device_owner, fixed_ips, port_security_enabled, mac_learning_enabled,
  allowed_address_pairs.
  
  This is inconsistent, per [1], policy rule "rule:admin_or_network_owner"
- should be updated to "admin_or_owner".
+ in [2] should be updated to "admin_or_owner".

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1534954

Title:
  policy rule for update_port is inconsistent

Status in neutron:
  In Progress

Bug description:
  For a user from a common tenant, per [1]
  https://github.com/openstack/neutron/blob/master/etc/policy.json#L77 ,
  it seems the network owner shouldn't have the privilege to update a port on
  her/his network if she/he is not the port owner.

  But per [2]
  https://github.com/openstack/neutron/blob/master/etc/policy.json#L78-L85
  , it seems the network owner still has a chance to update port attributes
  such as device_owner, fixed_ips, port_security_enabled,
  mac_learning_enabled, allowed_address_pairs.

  This is inconsistent; per [1], the policy rule
  "rule:admin_or_network_owner" in [2] should be updated to
  "admin_or_owner".

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1534954/+subscriptions
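
The inconsistency the report describes can be checked mechanically. The following is an added example, not part of the original bug notification or of neutron: it evaluates a constructed policy excerpt with a simplified "or"-only rule evaluator and lists attribute-level rules that admit a caller the parent action rule rejects. The policy excerpt, the tenant names and the function names are assumptions made for illustration.

```python
# Constructed excerpt modelled on the rules the report describes;
# it is not a copy of neutron's policy.json.
POLICY = {
    "context_is_admin": "role:admin",
    "owner": "tenant_id:%(tenant_id)s",
    "admin_or_owner": "rule:context_is_admin or rule:owner",
    "admin_or_network_owner":
        "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
    "update_port": "rule:admin_or_owner",
    "update_port:fixed_ips": "rule:admin_or_network_owner",
    "update_port:allowed_address_pairs": "rule:admin_or_network_owner",
}
# The change the report proposes: attribute rules use admin_or_owner.
FIXED = {k: v.replace("admin_or_network_owner", "admin_or_owner")
         if k.startswith("update_port:") else v for k, v in POLICY.items()}

# Constructed caller: owns the network, does not own the port, not admin.
CREDS = {"tenant_id": "net-owner-tenant", "roles": ["member"]}
TARGET = {"tenant_id": "port-owner-tenant",
          "network:tenant_id": "net-owner-tenant"}

def check(rule, creds, target, policy=POLICY):
    """Evaluate a rule of 'or'-joined terms (a subset of the policy syntax)."""
    for term in rule.split(" or "):
        kind, _, match = term.strip().partition(":")
        if kind == "rule":
            if check(policy[match], creds, target, policy):
                return True
        elif kind == "role":
            if match in creds["roles"]:
                return True
        elif kind == "tenant_id":
            # match is a %(key)s template filled in from the target resource
            if creds["tenant_id"] == match % target:
                return True
        else:
            raise ValueError("unsupported term: " + term)
    return False

def attribute_rules_wider_than_action(action, creds, target, policy=POLICY):
    """Attribute rules that pass for a caller the action rule itself denies."""
    if check(policy[action], creds, target, policy):
        return []
    prefix = action + ":"
    return sorted(name for name, rule in policy.items()
                  if name.startswith(prefix)
                  and check(rule, creds, target, policy))

if __name__ == "__main__":
    print(attribute_rules_wider_than_action("update_port", CREDS, TARGET))
    print(attribute_rules_wider_than_action("update_port", CREDS, TARGET, FIXED))
```
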

