yahoo-eng-team team mailing list archive

[Bug 1918506] [NEW] Neutron doesn't honor system-scope

Public bug reported:

Neutron recently made a bunch of great progress evolving policy check
strings to include default role support (admin, member, and reader) and
system-scope [0]. Please reference keystone's default role and persona
documentation for a primer on authorization patterns we're trying to
apply to neutron [1].

Despite these improved policies, neutron needs some additional work to
understand system scope.

I was able to use a system-reader persona (someone with the `reader`
role assigned on the system) to list networks in neutron. But, the
response didn't contain all networks. It only included public and shared
networks.

╭─ubuntu@neutron-devstack ~
╰─➤  $ openstack --os-cloud system-reader network list
+--------------------------------------+--------+----------------------------------------------------------------------------+
| ID                                   | Name   | Subnets                                                                    |
+--------------------------------------+--------+----------------------------------------------------------------------------+
| 293518cb-b280-4332-a1f0-e038c410f16a | shared | db50dc9d-e23c-473e-88e3-e3f1acfcc6d7                                       |
| 3eae4573-e569-428b-a1b2-cac15a53b0c1 | public | 6e744a36-6a02-45d9-95c0-72aec03e9615, d5dbacc8-5725-4918-b17f-b7fe5ceeca4c |
+--------------------------------------+--------+----------------------------------------------------------------------------+
╭─ubuntu@neutron-devstack ~ 
╰─➤  $ openstack --os-cloud devstack-system-admin network list
+--------------------------------------+---------+----------------------------------------------------------------------------+
| ID                                   | Name    | Subnets                                                                    |
+--------------------------------------+---------+----------------------------------------------------------------------------+
| 293518cb-b280-4332-a1f0-e038c410f16a | shared  | db50dc9d-e23c-473e-88e3-e3f1acfcc6d7                                       |
| 3eae4573-e569-428b-a1b2-cac15a53b0c1 | public  | 6e744a36-6a02-45d9-95c0-72aec03e9615, d5dbacc8-5725-4918-b17f-b7fe5ceeca4c |
| 61238010-7f8f-4110-9957-8bd48bd18294 | private | 3864f24a-ff45-46dc-9703-e6a5cb9fc7ab, c1009fc6-0037-408f-8775-5993a73200fe |
+--------------------------------------+---------+----------------------------------------------------------------------------+
╭─ubuntu@neutron-devstack ~ 
╰─➤  $ openstack --os-cloud devstack-admin network list
+--------------------------------------+---------+----------------------------------------------------------------------------+
| ID                                   | Name    | Subnets                                                                    |
+--------------------------------------+---------+----------------------------------------------------------------------------+
| 293518cb-b280-4332-a1f0-e038c410f16a | shared  | db50dc9d-e23c-473e-88e3-e3f1acfcc6d7                                       |
| 3eae4573-e569-428b-a1b2-cac15a53b0c1 | public  | 6e744a36-6a02-45d9-95c0-72aec03e9615, d5dbacc8-5725-4918-b17f-b7fe5ceeca4c |
| 61238010-7f8f-4110-9957-8bd48bd18294 | private | 3864f24a-ff45-46dc-9703-e6a5cb9fc7ab, c1009fc6-0037-408f-8775-5993a73200fe |
+--------------------------------------+---------+----------------------------------------------------------------------------+

I have the following options set in my neutron.conf:

[oslo_policy]
enforce_new_defaults = True
enforce_scope = True
policy_file = /etc/neutron/policy.json

Which should configure neutron to enforce scopes and new default
policies allowing things like:

- system-admins to view all resources
- system-admins to create system-specific resources (public networks)
- system-readers to view all resources across projects and system-specific resources
- project-admins to view only networks available to their project

I started tracing through the neutron code and noticed it's building database queries using the request context object [2], which might be leading to why system-readers can't view all networks in a deployment.

This bug is likely something that affects more than just network
resources, but I haven't done an exhaustive investigation, yet.

Hoping to get some feedback from folks more familiar with Neutron so
that we can plan a path forward for properly consuming system-scope.

[0] https://review.opendev.org/q/project:openstack/neutron+status:merged+topic:secure-rbac
[1] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html
[2] https://opendev.org/openstack/neutron-lib/src/commit/02e070fe099651ad5abea87819c7d3e729885130/neutron_lib/db/utils.py

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1918506

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1918506/+subscriptions
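As an added illustration of the filtering behaviour the report describes (example code written for this page, not from the bug report, Neutron or neutron-lib): a listing filtered from the request context's `project_id` alone returns only the caller's own networks plus shared and public ones, so a system-scoped token, which carries no `project_id`, sees just shared and public. A scope-aware filter checks system scope before falling back to project filtering. The `RequestContext`/`Network` classes, the `system_scope == "all"` convention, the role hierarchy (admin and member implying reader) and the sample networks are all assumptions or constructed data, not Neutron's actual types or API.

```python
"""Added example: project-only filtering versus scope-aware filtering.

Models the failure mode described in bug 1918506. Every name, field and
sample value here is constructed for illustration; this is not code from
Neutron or neutron-lib.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Network:
    id: str
    name: str
    project_id: str
    shared: bool = False      # shared with every project via RBAC
    external: bool = False    # router:external, i.e. a "public" network


@dataclass
class RequestContext:
    roles: List[str]
    project_id: Optional[str] = None     # set for project-scoped tokens
    system_scope: Optional[str] = None   # "all" for system-scoped tokens (assumed convention)

    @property
    def is_system_scoped(self) -> bool:
        return self.system_scope == "all"


# Constructed inventory mirroring the three networks listed in the report.
NETWORKS = [
    Network("net-shared", "shared", project_id="admin-project", shared=True),
    Network("net-public", "public", project_id="admin-project", external=True),
    Network("net-private", "private", project_id="demo-project"),
]


def list_networks_project_filter(ctx: RequestContext, networks: List[Network]) -> List[str]:
    """Filter derived only from ctx.project_id (the pattern the report points at).

    A system-scoped token has no project_id, so the project match never
    succeeds and only shared/external networks are returned, even for a
    system-reader who is entitled to read everything.
    """
    return [
        n.name for n in networks
        if (ctx.project_id is not None and n.project_id == ctx.project_id)
        or n.shared or n.external
    ]


def list_networks_scope_aware(ctx: RequestContext, networks: List[Network]) -> List[str]:
    """Honour system scope first, then fall back to project filtering.

    Assumes the default role hierarchy in which admin and member imply
    reader, so any of those roles on a system-scoped token grants read
    access to every network.
    """
    if ctx.is_system_scoped and {"reader", "member", "admin"} & set(ctx.roles):
        return [n.name for n in networks]
    return list_networks_project_filter(ctx, networks)


def demo() -> dict:
    """Run the four personas from the report's bullet list through both filters."""
    system_reader = RequestContext(roles=["reader"], system_scope="all")
    system_admin = RequestContext(roles=["admin", "member", "reader"], system_scope="all")
    project_admin = RequestContext(roles=["admin", "member", "reader"], project_id="demo-project")
    other_member = RequestContext(roles=["member", "reader"], project_id="other-project")
    return {
        # what the report observed: system-reader loses the private network
        "system_reader_project_filter": list_networks_project_filter(system_reader, NETWORKS),
        # expected behaviour once scope is honoured
        "system_reader_scope_aware": list_networks_scope_aware(system_reader, NETWORKS),
        "system_admin_scope_aware": list_networks_scope_aware(system_admin, NETWORKS),
        # project personas still only see what their project can reach
        "project_admin_scope_aware": list_networks_scope_aware(project_admin, NETWORKS),
        "other_member_scope_aware": list_networks_scope_aware(other_member, NETWORKS),
    }


if __name__ == "__main__":
    for persona, names in demo().items():
        print(f"{persona}: {names}")
```

The first entry of `demo()` reproduces the two-row listing the report shows for `system-reader`; the scope-aware variant returns all three networks for system personas while project personas are still confined to their own project plus shared and public networks.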