yahoo-eng-team team mailing list archive

[Bug 1853637] [NEW] Assign floating IP to port owned by another tenant is not override-able with RBAC policy

 

Public bug reported:

In neutron/db/l3_db.py:

    def _internal_fip_assoc_data(self, context, fip, tenant_id):
        """Retrieve internal port data for floating IP.
        Retrieve information concerning the internal port where
        the floating IP should be associated to.
        """
        internal_port = self._core_plugin.get_port(context, fip['port_id'])
        if internal_port['tenant_id'] != tenant_id and not context.is_admin:
            port_id = fip['port_id']
            msg = (_('Cannot process floating IP association with '
                     'Port %s, since that port is owned by a '
                     'different tenant') % port_id)
            raise n_exc.BadRequest(resource='floatingip', msg=msg)

This code does not allow operators to override the ability to assign
floating IPs to ports on another tenant using RBAC policy. It also does
not allow members of the advsvc role to take this action.

This code should be fixed to use the standard neutron RBAC and allow the
advsvc role to take this action.

** Affects: neutron
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1853637
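
An added sketch, not neutron's code and not part of the original report, contrasting the hard-coded ownership test quoted above with a check that defers the cross-tenant decision to an operator-editable policy table. The `Context` class, the action name `associate_fip_cross_tenant` and the policy table are hypothetical stand-ins, not neutron's policy engine.

```python
from dataclasses import dataclass, field


@dataclass
class Context:
    """Constructed stand-in for a request context (not neutron's class)."""
    tenant_id: str
    roles: set = field(default_factory=set)

    @property
    def is_admin(self):
        return "admin" in self.roles


class BadRequest(Exception):
    pass


def hardcoded_check(context, port, fip_tenant_id):
    """Behaviour quoted in the report: only the owner or an admin passes."""
    if port["tenant_id"] != fip_tenant_id and not context.is_admin:
        raise BadRequest("port %s is owned by a different tenant" % port["id"])


# Hypothetical policy table: action -> roles allowed to act across tenants.
# The action name is invented for illustration; operators would edit the set.
DEFAULT_POLICY = {"associate_fip_cross_tenant": {"admin", "advsvc"}}


def policy_check(context, port, fip_tenant_id, policy=DEFAULT_POLICY):
    """Owner always passes; any cross-tenant decision comes from policy."""
    if port["tenant_id"] == fip_tenant_id:
        return
    allowed = policy.get("associate_fip_cross_tenant", set())  # default deny
    if not (context.roles & allowed):
        raise BadRequest("port %s is owned by a different tenant" % port["id"])


def is_allowed(check, context, port, fip_tenant_id, **kwargs):
    """Run a check and report the outcome as a boolean."""
    try:
        check(context, port, fip_tenant_id, **kwargs)
        return True
    except BadRequest:
        return False


PORT = {"id": "port-1", "tenant_id": "tenant-b"}  # constructed sample port
ADVSVC = Context("tenant-a", {"advsvc"})          # constructed callers
MEMBER = Context("tenant-a", {"member"})
```

With the default table an ordinary member of another tenant is still refused; only roles the operator lists gain the cross-tenant association.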