yahoo-eng-team team mailing list archive

Thread
Date
[Bug 1918506] Re: Neutron doesn't honor system-scope

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Slawek Kaplonski <1918506@xxxxxxxxxxxxxxxxxx>
Date: Mon, 22 Mar 2021 14:06:24 -0000
Reply-to: Bug 1918506 <1918506@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
** Changed in: neutron
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1918506

Title:
  Neutron doesn't honor system-scope

Status in neutron:
  Fix Released

Bug description:
  Neutron recently made a bunch of great progress evolving policy check
  strings to include default role support (admin, member, and reader)
  and system-scope [0]. Please reference keystone's default role and
  persona documentation for a primer on authorization patterns we're
  trying to apply to neutron [1]

  Despite these improved policies, neutron needs some additional work to
  understand system scope.

  I was able to use a system-reader persona (someone with the `reader`
  role assigned on the system) to list networks in neutron. But, the
  response didn't contain all networks. It only included public and
  shared networks.

  ╭─ubuntu@neutron-devstack ~
  ╰─➤  $ openstack --os-cloud system-reader network list
  +--------------------------------------+--------+----------------------------------------------------------------------------+
  | ID                                   | Name   | Subnets                                                                    |
  +--------------------------------------+--------+----------------------------------------------------------------------------+
  | 293518cb-b280-4332-a1f0-e038c410f16a | shared | db50dc9d-e23c-473e-88e3-e3f1acfcc6d7                                       |
  | 3eae4573-e569-428b-a1b2-cac15a53b0c1 | public | 6e744a36-6a02-45d9-95c0-72aec03e9615, d5dbacc8-5725-4918-b17f-b7fe5ceeca4c |
  +--------------------------------------+--------+----------------------------------------------------------------------------+
  ╭─ubuntu@neutron-devstack ~
  ╰─➤  $ openstack --os-cloud devstack-system-admin network list
  +--------------------------------------+---------+----------------------------------------------------------------------------+
  | ID                                   | Name    | Subnets                                                                    |
  +--------------------------------------+---------+----------------------------------------------------------------------------+
  | 293518cb-b280-4332-a1f0-e038c410f16a | shared  | db50dc9d-e23c-473e-88e3-e3f1acfcc6d7                                       |
  | 3eae4573-e569-428b-a1b2-cac15a53b0c1 | public  | 6e744a36-6a02-45d9-95c0-72aec03e9615, d5dbacc8-5725-4918-b17f-b7fe5ceeca4c |
  | 61238010-7f8f-4110-9957-8bd48bd18294 | private | 3864f24a-ff45-46dc-9703-e6a5cb9fc7ab, c1009fc6-0037-408f-8775-5993a73200fe |
  +--------------------------------------+---------+----------------------------------------------------------------------------+
  ╭─ubuntu@neutron-devstack ~
  ╰─➤  $ openstack --os-cloud devstack-admin network list
  +--------------------------------------+---------+----------------------------------------------------------------------------+
  | ID                                   | Name    | Subnets                                                                    |
  +--------------------------------------+---------+----------------------------------------------------------------------------+
  | 293518cb-b280-4332-a1f0-e038c410f16a | shared  | db50dc9d-e23c-473e-88e3-e3f1acfcc6d7                                       |
  | 3eae4573-e569-428b-a1b2-cac15a53b0c1 | public  | 6e744a36-6a02-45d9-95c0-72aec03e9615, d5dbacc8-5725-4918-b17f-b7fe5ceeca4c |
  | 61238010-7f8f-4110-9957-8bd48bd18294 | private | 3864f24a-ff45-46dc-9703-e6a5cb9fc7ab, c1009fc6-0037-408f-8775-5993a73200fe |
  +--------------------------------------+---------+----------------------------------------------------------------------------+

  I have the following options set in my neutron.conf:

  [oslo_policy]
  enforce_new_defaults = True
  enforce_scope = True
  policy_file = /etc/neutron/policy.json

  Which should configure neutron to enforce scopes and new default
  policies allowing things like:

  - system-admins to view all resources
  - system-admins to create system-specific resources (public networks)
  - system-readers to view all resources across projects and system-specific resources
  - project-admins to view only networks available to their project

  I started tracing through the neutron code and noticed it's building
  database queries using the request context object [2], which might
  leading to why system-readers can't view all networks in a deployment.

  This bug is likely something that affects more that just network
  resources, but I haven't done an exhaustive investigation, yet.

  Hoping to get some feedback from folks more familiar with Neutron so
  that we can plan a path forward for properly consuming system-scope.

  [0] https://review.opendev.org/q/project:openstack/neutron+status:merged+topic:secure-rbac
  [1] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html
  [2] https://opendev.org/openstack/neutron-lib/src/commit/02e070fe099651ad5abea87819c7d3e729885130/neutron_lib/db/utils.py

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1918506/+subscriptions
References

[Bug 1918506] [NEW] Neutron doesn't honor system-scope
From: Lance Bragstad, 2021-03-10