
yahoo-eng-team team mailing list archive

[Bug 1808112] Re: rule:shared is not respected in port/subnet create


Reviewed:  https://review.opendev.org/652636
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=039691220817db3519149b5e2fd2607365f3d8af
Submitter: Zuul
Branch:    master

commit 039691220817db3519149b5e2fd2607365f3d8af
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date:   Mon Apr 15 14:17:27 2019 +0200

    Fix handling of network:shared field in policy module
    
    Some policy rules, e.g. for create_port, are using the rule "network:shared",
    in which the "shared" field is related to the network resource instead of
    the port directly.
    Because of that, "shared" was missing from "target" in the policy
    enforce module, thus validation wasn't working properly for such a rule.
    
    This patch fixes it by adding to the FieldCheck checker the possibility to
    get the network object and use its "shared" field to validate the policy.
    
    Change-Id: I56c99883fce40c37a5ee26e6e661c0cc0783c42f
    Closes-Bug: #1808112


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1808112

Title:
  rule:shared is not respected in port/subnet create

Status in neutron:
  Fix Released

Bug description:
  In neutron policy.json there are rules like:

      "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
      "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
      "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"

  but when I'm trying to create a port with a given subnet_id (but without
  ip_address) as a regular user, I can't do that because policy.json
  forbids me. I got an error like:

  [09:53:12] vagrant@devstack-ubuntu-ovs ~ $ openstack port create public_port --network public --fixed-ip subnet=1fc0a48d-f182-4bb0-b5d0-2dac8d1c6929
  HttpException: 403: Client Error for url: http://10.0.0.10:9696/v2.0/ports, (rule:create_port and rule:create_port:fixed_ips) is disallowed by policy

  Even if I changed first of those rules to be like:

      "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",

  it is still failing and I think that it's because rule:shared is
  related to the network, but during this POST call the target enforced by
  policy is the port, and the port resource doesn't have a shared field at all.
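The following is an added example, not neutron's code or the reporter's: a toy policy evaluator that reproduces the failure above (a "network:shared" field check against a port target finds no "shared" field and fails) and the fix described in the commit (resolving a missing "network:*" field through the port's network). The NETWORKS table, the `resolve_network` switch and the "resource:field=value" rule syntax are constructed for the example.

```python
# Added example (not neutron's code). Constructed sample data: both networks
# belong to another project, so a regular user is not their owner.
NETWORKS = {
    "net-shared": {"id": "net-shared", "project_id": "admin-proj", "shared": True},
    "net-private": {"id": "net-private", "project_id": "admin-proj", "shared": False},
}


def field_check(rule, target, resolve_network=True):
    """Evaluate a 'resource:field=value' check against a target dict.

    resolve_network=False models the buggy behaviour: the field is read only
    from the target itself, so 'network:shared' against a port target (which
    has no 'shared' key) fails.  resolve_network=True models the fix: a
    'network:*' field absent from the target is fetched from the network
    referenced by target['network_id']."""
    resource_field, expected = rule.split("=", 1)
    resource, field = resource_field.split(":", 1)
    value = target.get(field)
    if value is None and resolve_network and resource == "network":
        value = NETWORKS.get(target.get("network_id"), {}).get(field)
    if value is None:
        return False
    return str(value).lower() == expected.lower()


def network_owner(ctx, target):
    """Non-admin half of rule:admin_or_network_owner: caller owns the network."""
    net = NETWORKS.get(target.get("network_id"), {})
    return net.get("project_id") == ctx["project_id"]


def create_port_subnet_id_allowed(ctx, port, resolve_network=True):
    """create_port:fixed_ips:subnet_id as quoted in the bug:
    rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared."""
    return (ctx.get("is_advsvc", False)
            or ctx.get("is_admin", False)
            or network_owner(ctx, port)
            or field_check("network:shared=True", port, resolve_network))


if __name__ == "__main__":
    user = {"project_id": "user-proj", "is_admin": False}
    port = {"network_id": "net-shared", "fixed_ips": [{"subnet_id": "subnet-a"}]}
    print("buggy:", create_port_subnet_id_allowed(user, port, resolve_network=False))
    print("fixed:", create_port_subnet_id_allowed(user, port))
```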

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1808112/+subscriptions

