yahoo-eng-team team mailing list archive
Message #76273
[Bug 1808112] [NEW] rule:shared is not respected in port/subnet create
Public bug reported:

In neutron policy.json there are rules like:

    "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"

but when I'm trying to create a port with a given subnet_id (but without
ip_address) as a regular user, I can't do that because policy.json forbids
it. I got an error like:

    [09:53:12] vagrant@devstack-ubuntu-ovs ~ $ openstack port create public_port --network public --fixed-ip subnet=1fc0a48d-f182-4bb0-b5d0-2dac8d1c6929
    HttpException: 403: Client Error for url: http://10.0.0.10:9696/v2.0/ports, (rule:create_port and rule:create_port:fixed_ips) is disallowed by policy

Even if I changed the first of those rules to be like:

    "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",

it is still failing and I think that it's because rule:shared is related
to the network, but during this POST call the target enforced by policy is
the port, and the port resource doesn't have a shared field at all.

** Affects: neutron
Importance: Medium
Status: New
** Tags: api
** Tags added: api
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1808112
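
The reporter's hypothesis, modelled as an added example (not part of the original message and not neutron's code): a minimal evaluator for oslo.policy-style rule strings in which a field check is read from the target dict. The definitions of context_is_advsvc, admin_or_network_owner and shared, the evaluator itself, and all sample IDs are assumptions made for the illustration.

```python
import re

# Rule definitions: "create_port:fixed_ips" is the modified rule from the
# report; the three base rules are assumed definitions for this model.
RULES = {
    "context_is_advsvc": "role:advsvc",
    "admin_or_network_owner": "role:admin or tenant_id:%(network:tenant_id)s",
    "shared": "field:networks:shared=True",
    "create_port:fixed_ips": ("rule:context_is_advsvc or "
                              "rule:admin_or_network_owner or rule:shared"),
}

def check(expr, target, creds):
    """True if any 'or' branch of the rule expression passes."""
    return any(_atom(a.strip(), target, creds) for a in expr.split(" or "))

def _atom(atom, target, creds):
    kind, _, match = atom.partition(":")
    if kind == "rule":                      # reference to another named rule
        return check(RULES[match], target, creds)
    if kind == "role":
        return match in creds["roles"]
    if kind == "field":                     # field:<resource>:<name>=<value>
        name, _, want = match.partition(":")[2].partition("=")
        # The value is looked up in the enforcement target only; an absent
        # field means the check fails, it is not fetched from the network.
        return name in target and str(target[name]) == want
    if kind == "tenant_id":                 # tenant_id:%(<target key>)s
        key = re.fullmatch(r"%\((.+)\)s", match).group(1)
        return target.get(key) == creds["tenant_id"]
    raise ValueError("unsupported check: " + atom)

# Constructed sample data: a regular user creating a port on a shared
# network that belongs to another tenant.
creds = {"roles": ["member"], "tenant_id": "tenant-user"}
port_target = {"network_id": "net-public", "tenant_id": "tenant-user",
               "network:tenant_id": "tenant-admin",
               "fixed_ips": [{"subnet_id": "subnet-1"}]}
# For contrast only (hypothetical): the same target carrying the parent
# network's 'shared' flag.
enriched_target = dict(port_target, shared=True)

def demo():
    rule = RULES["create_port:fixed_ips"]
    return (check(rule, port_target, creds),
            check(rule, enriched_target, creds))

if __name__ == "__main__":
    print(demo())
```
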