
yahoo-eng-team team mailing list archive

[Bug 1534954] Re: policy rule for update_port is inconsistent


** Changed in: neutron
       Status: Opinion => In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1534954

Title:
  policy rule for update_port is inconsistent

Status in neutron:
  In Progress

Bug description:
  For a user from a common tenant, per [1]
  https://github.com/openstack/neutron/blob/master/etc/policy.json#L77 ,
  it seems the network owner shouldn't have the privilege to update a port on
  her/his network if she/he is not the port owner.

  But per [2]
  https://github.com/openstack/neutron/blob/master/etc/policy.json#L78-L85
  , it seems the network owner still has a chance to update port attributes
  such as device_owner, fixed_ips, port_security_enabled,
  mac_learning_enabled, allowed_address_pairs.

  This is inconsistent; per [1], the policy rule
  "rule:admin_or_network_owner" in [2] should be updated.

  For example:
  If a network owner wants to change a tenant user's port fixed_ip, by looking at the rule:
    "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc" (one rule in [2])
  she/he may think the policy allows this, since she/he is the network owner.
  But after she/he tries it, the result will be privilege denied, because of the rule:
    "update_port": "rule:admin_or_owner or rule:context_is_advsvc" ([1])
  This is confusing.

  ## updated @ 2016-01-19
  What's more, let's use the port attribute fixed_ips for discussion, with tenant-A giving tenant-B the privilege by adding an RBAC rule for tenant-B. Currently tenant-A has network net-A, which has the RBAC action access_as_shared for tenant-B:
  * When a tenant-B user tries to create a port on net-A without any attributes specified, that's OK; no error or exception is raised. But when later the tenant-B user tries to update that port's fixed_ips, a message ending with "disallowed by policy" is raised. Maybe because of the policy rule:
    "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc"
   And even the network owner, tenant-A, cannot update that port's fixed_ips; the tenant-A user will get the return message "The resource could not be found."
  * When a tenant-B user tries to create a port with fixed_ips specified, a message ending with "disallowed by policy" is returned. This is defined by the policy rule:
    "create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc"

  So currently, neither the port owner/tenant-B nor the network owner/tenant-A
  can update the port fixed_ips. (Please ignore admin here; admin can do
  anything she/he wants.)

  I checked the history of policy.json for the update_port section, and I found
  https://review.openstack.org/#/c/9845. At a glance, it seems people put
  more focus on port creation than on updating.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1534954/+subscriptions
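The behaviour the reporter describes follows from how Neutron composes policy rules: for an update with `fixed_ips` in the body, the base `update_port` rule AND the attribute rule `update_port:fixed_ips` must both pass, so the network owner fails the first and the port owner fails the second. The following is an added example, not Neutron's or oslo.policy's own code: a small stand-in evaluator for the subset of policy syntax used by the rules quoted in the bug. The helper rules `context_is_admin`, `context_is_advsvc`, `admin_or_owner` and `admin_or_network_owner` are reproduced from memory of the policy.json of that era and are an assumption, as are the tenant and port identifiers; in real Neutron the `network:tenant_id` lookup is done by the policy engine's OwnerCheck fetching the network, whereas here the target carries it precomputed. The 404 versus 403 difference the reporter saw is Neutron API-layer behaviour and is not modelled.

```python
"""Stand-in for the oslo.policy evaluator (added example, not Neutron code).

Shows why neither tenant-A (network owner) nor tenant-B (port owner) can
update fixed_ips on a port tenant-B created on tenant-A's shared network.
"""
import re

POLICY = {
    # Helper rules: assumed, reproduced from memory of Neutron's policy.json.
    "context_is_admin": "role:admin",
    "context_is_advsvc": "role:advsvc",
    "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
    "admin_or_network_owner": (
        "rule:context_is_admin or tenant_id:%(network:tenant_id)s"),
    # Rules quoted in the bug report ([1] and [2]).
    "create_port": "",
    "create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
    "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
    "update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc",
}


def check(expr, creds, target):
    """Evaluate one policy expression.

    Supported subset: 'or', 'and', 'rule:<name>', 'role:<name>',
    '<cred>:%(target_key)s' and '<cred>:<literal>'.  'and' binds tighter
    than 'or', as in oslo.policy, so we split on ' or ' first.
    """
    expr = expr.strip()
    if expr in ("", "@"):          # empty rule and '@' always allow
        return True
    if expr == "!":                # '!' always denies
        return False
    if " or " in expr:
        return any(check(p, creds, target) for p in expr.split(" or "))
    if " and " in expr:
        return all(check(p, creds, target) for p in expr.split(" and "))
    kind, _, value = expr.partition(":")   # split on the first ':' only
    if kind == "rule":
        return check(POLICY[value], creds, target)
    if kind == "role":
        return value in creds.get("roles", ())
    m = re.fullmatch(r"%\((.+)\)s", value)
    if m:                          # compare a credential with a target field
        return creds.get(kind) == target.get(m.group(1))
    return creds.get(kind) == value


def enforce(action, creds, target, attrs):
    """Mirror Neutron's enforcement: the base action rule AND the
    '<action>:<attribute>' rule of every attribute present in the body.
    Returns the list of rules that failed; an empty list means allowed."""
    rules = [action] + [f"{action}:{a}" for a in attrs if f"{action}:{a}" in POLICY]
    return [r for r in rules if not check(POLICY[r], creds, target)]


# Constructed scenario from the bug: net-A belongs to tenant-A and is shared
# to tenant-B via RBAC; tenant-B created port-1 on it.  'network:tenant_id'
# is what Neutron's OwnerCheck would resolve by fetching the network.
PORT = {"id": "port-1", "tenant_id": "tenant-B", "network:tenant_id": "tenant-A"}
CREDS = {
    "tenant-A (network owner)": {"tenant_id": "tenant-A", "roles": ["member"]},
    "tenant-B (port owner)": {"tenant_id": "tenant-B", "roles": ["member"]},
    "admin": {"tenant_id": "admin-tenant", "roles": ["admin"]},
}


def who_can_update_fixed_ips():
    """Failed rules per caller when updating port-1's fixed_ips."""
    return {who: enforce("update_port", creds, PORT, ["fixed_ips"])
            for who, creds in CREDS.items()}


def who_can_create_with_fixed_ips():
    """Failed rules per caller when creating a port on net-A with fixed_ips."""
    out = {}
    for who, creds in CREDS.items():
        target = {"tenant_id": creds["tenant_id"], "network:tenant_id": "tenant-A"}
        out[who] = enforce("create_port", creds, target, ["fixed_ips"])
    return out


if __name__ == "__main__":
    for label, results in (("update fixed_ips", who_can_update_fixed_ips()),
                           ("create with fixed_ips", who_can_create_with_fixed_ips())):
        for who, failed in results.items():
            verdict = "allowed" if not failed else "denied by " + ", ".join(failed)
            print(f"{label} as {who}: {verdict}")
```

Run as a script it prints one verdict per caller: tenant-A is stopped by `update_port` (not the port owner), tenant-B by `update_port:fixed_ips` (not the network owner), and only admin passes both; for creation, tenant-B is stopped by `create_port:fixed_ips` exactly as the report describes.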
