
yahoo-eng-team team mailing list archive

[Bug 1498790] Re: rbac: can't delete other tenant's port on own network if not admin

 

Reviewed:  https://review.openstack.org/255285
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=67abf5f9f0e957150dd3b3b673094845810f9ea1
Submitter: Jenkins
Branch:    master

commit 67abf5f9f0e957150dd3b3b673094845810f9ea1
Author: lzklibj <lzklibj@xxxxxxxxxx>
Date:   Wed Dec 9 21:52:05 2015 +0800

    RBAC: Fix port query and deletion for network owner
    
    Network owner should be able to get all ports and delete ports on
    network as policy allowed. But current code fails to support this.
    
    Current model query for Port is still based on tenant_id, it forgets
    to check for network owner when context tenant_id is not port owner.
    
    For port_delete action, policy will generate checking rules for port
    attributes, such as:
        rule:delete_port:binding:vif_details
        rule:delete_port:binding:vif_type
    This doesn't make sense, only single policy rule "rule:delete_port"
    is enough to check.
    
    This patch fixes this issue.
    
    Co-Authored-By: Kevin Benton <kevinbenton@xxxxxxxxxxxxx>
    Change-Id: I55328cb43207654b9bb4cfb732923982d020ab0a
    Closes-Bug: #1498790


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1498790

Title:
  rbac: can't delete other tenant's port on own network if not admin

Status in neutron:
  Fix Released

Bug description:
  It's not possible to delete a port that belongs to another tenant if
  the caller isn't an admin even if he/she owns the network.

  This is supposed to be possible according to the spec. See the last
  sentence here in this section:
  http://specs.openstack.org/openstack/neutron-specs/specs/liberty/rbac-networks.html#proposed-change

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1498790/+subscriptions
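
The two problems named in the commit message above, as an added example that is not part of the original message and is not Neutron code: a port query scoped only by the port's tenant_id next to one that also admits the network owner, and a delete check that evaluates only the single action rule. All class, function and tenant names are hypothetical, and the data is constructed.

```python
# Simplified model, not Neutron code: every name here is hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Network:
    id: str
    tenant_id: str

@dataclass(frozen=True)
class Port:
    id: str
    tenant_id: str
    network_id: str

# Constructed sample data: tenant-a owns net-1; tenant-b has a port on it.
NETWORKS = {"net-1": Network("net-1", "tenant-a"),
            "net-2": Network("net-2", "tenant-b")}
PORTS = [Port("p1", "tenant-a", "net-1"),
         Port("p2", "tenant-b", "net-1"),
         Port("p3", "tenant-b", "net-2")]

def ports_scoped_by_tenant(tenant_id, is_admin=False):
    """Behaviour described as broken: filter on the port's tenant_id only."""
    return [p.id for p in PORTS if is_admin or p.tenant_id == tenant_id]

def ports_scoped_by_owner(tenant_id, is_admin=False):
    """Fixed scoping: caller owns the port OR the network it sits on."""
    return [p.id for p in PORTS
            if is_admin
            or p.tenant_id == tenant_id
            or NETWORKS[p.network_id].tenant_id == tenant_id]

def rules_to_check(action, attributes):
    """Delete needs only the single action rule; in this model (an
    assumption) per-attribute rules apply to non-delete actions."""
    rules = ["rule:" + action]
    if not action.startswith("delete_"):
        rules += ["rule:%s:%s" % (action, a) for a in attributes]
    return rules

def can_delete_port(tenant_id, port_id, is_admin=False):
    """A port must be visible to the caller before it can be deleted."""
    return port_id in ports_scoped_by_owner(tenant_id, is_admin)
```
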

