yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #86428
[Bug 1933242] [NEW] Unable to show security groups for non-admin users if custom policies using.
Public bug reported:
Neutron's RBAC system supports security group sharing but it's
impossible to use with changed policies. When RBAC for security groups
was added [1] field "shared" was not added to the database. As result,
we cannot use this flag for policy checks and SG sharing will work only
with default [2] policy, and it is impossible to configure the policies
like:
"shared_security_groups": "field:security_groups:shared=True",
"get_security_group": "rule:admin or rule:shared_security_groups",
How to reproduce:
1. change policies and add check for 'shared' field as mentioned above;
2. create new SG with admin permissions;
3. share the SG to another project;
4. try to get this SG by ID with project owner permissions;
Such policies work perfectly for other RBAC objects like networks,
subnet pools etc.
[1] https://review.opendev.org/c/openstack/neutron/+/635311
[2] https://github.com/openstack/neutron/blob/master/neutron/conf/policies/security_group.py#L66
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1933242
Title:
Unable to show security groups for non-admin users if custom policies
using.
Status in neutron:
New
Bug description:
Neutron's RBAC system supports security group sharing but it's
impossible to use with changed policies. When RBAC for security groups
was added [1] field "shared" was not added to the database. As result,
we cannot use this flag for policy checks and SG sharing will work
only with default [2] policy, and it is impossible to configure the
policies like:
"shared_security_groups": "field:security_groups:shared=True",
"get_security_group": "rule:admin or rule:shared_security_groups",
How to reproduce:
1. change policies and add check for 'shared' field as mentioned above;
2. create new SG with admin permissions;
3. share the SG to another project;
4. try to get this SG by ID with project owner permissions;
Such policies work perfectly for other RBAC objects like networks,
subnet pools etc.
[1] https://review.opendev.org/c/openstack/neutron/+/635311
[2] https://github.com/openstack/neutron/blob/master/neutron/conf/policies/security_group.py#L66
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1933242/+subscriptions
Follow ups