yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1934115] [NEW] List security groups by project admin may return 500

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Slawek Kaplonski <1934115@xxxxxxxxxxxxxxxxxx>
Date: Wed, 30 Jun 2021 09:20:27 -0000
Reply-to: Bug 1934115 <1934115@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

When new RBAC policies and scopes are enforced in Neutron, there are system and project admins and project admin don't have access to resources from other projects.
Now, when project admin tries to list security groups for other project, empty list should be returned but as Neutron tries to ensure that default security group for that project is created it may happen that request will go to https://github.com/openstack/neutron/blob/25207ed9c0d929aa79270a118983c04f3476afc4/neutron/db/securitygroups_db.py#L144 and as it will return None for project admin, request will fail and error 500 will be returned.

In such case I think that context.elevated() should be used to get SG
from DB. If user don't have permission to see it, it will be filtered
out later by policy.

** Affects: neutron
     Importance: Medium
     Assignee: Slawek Kaplonski (slaweq)
         Status: Confirmed


** Tags: api

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1934115

Title:
  List security groups by project admin may return 500

Status in neutron:
  Confirmed

Bug description:
  When new RBAC policies and scopes are enforced in Neutron, there are system and project admins and project admin don't have access to resources from other projects.
  Now, when project admin tries to list security groups for other project, empty list should be returned but as Neutron tries to ensure that default security group for that project is created it may happen that request will go to https://github.com/openstack/neutron/blob/25207ed9c0d929aa79270a118983c04f3476afc4/neutron/db/securitygroups_db.py#L144 and as it will return None for project admin, request will fail and error 500 will be returned.

  In such case I think that context.elevated() should be used to get SG
  from DB. If user don't have permission to see it, it will be filtered
  out later by policy.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1934115/+subscriptions

Follow ups

[Bug 1934115] Re: List security groups by project admin may return 500
From: OpenStack Infra, 2021-08-04