yahoo-eng-team team mailing list archive
Message #86799
[Bug 1934115] Re: List security groups by project admin may return 500
Reviewed: https://review.opendev.org/c/openstack/neutron/+/798821
Committed: https://opendev.org/openstack/neutron/commit/f6c3747caeac08df9d865312686be8eccb7f0472
Submitter: "Zuul (22348)"
Branch: master
commit f6c3747caeac08df9d865312686be8eccb7f0472
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date: Wed Jun 30 11:28:36 2021 +0200
Use elevated context to get default SG from database
With the new system/project scopes it may happen that a project admin
will try to list security groups for a different project, and during
that call Neutron will ensure that the default security group is created.
In such a case an elevated context needs to be used to get the SG object
from the database; otherwise the SG will not be found and error 500 will
be returned through the API.
Use of an elevated context is fine here, as if the user doesn't have
access to the SG, it will be filtered out by the policy mechanism and it
will not be returned through the API.
Closes-Bug: #1934115
Change-Id: I0ca07d1a1aaf05c1992aea9e29575580d7933324
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1934115
Title:
List security groups by project admin may return 500
Status in neutron:
Fix Released
Bug description:
When the new RBAC policies and scopes are enforced in Neutron, there are system and project admins, and a project admin doesn't have access to resources from other projects.
Now, when a project admin tries to list security groups for another project, an empty list should be returned. But as Neutron tries to ensure that the default security group for that project is created, it may happen that the request will go to https://github.com/openstack/neutron/blob/25207ed9c0d929aa79270a118983c04f3476afc4/neutron/db/securitygroups_db.py#L144, and as it will return None for the project admin, the request will fail and error 500 will be returned.
In such a case I think that context.elevated() should be used to get the SG
from the DB. If the user doesn't have permission to see it, it will be filtered
out later by policy.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1934115/+subscriptions
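The failure mode described above (a project-scoped lookup returning None for another project's default security group, and the dereference of that None surfacing as HTTP 500) reduced to a self-contained toy, beside the pattern the fix uses (elevated context for the internal lookup, policy filtering for what the caller gets back). This is an added example, not Neutron's code; Context, SecurityGroup, the in-memory DB and the policy check are simplified stand-ins assumed for illustration only.

```python
"""Toy model of bug 1934115 (added example, not Neutron's code).

Assumptions: a project-scoped Context sees only its own project's rows,
an elevated Context sees every row, and the API layer turns any unhandled
exception into HTTP 500. Sample data below is constructed.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Context:
    project_id: str
    is_admin: bool = False  # True for an elevated / system-scoped context

    def elevated(self) -> "Context":
        # Same caller, admin visibility for the duration of an internal
        # database operation (the role context.elevated() plays in Neutron).
        return replace(self, is_admin=True)


@dataclass(frozen=True)
class SecurityGroup:
    id: str
    project_id: str
    name: str


# Constructed sample data: two projects, each already has a default SG.
DB: List[SecurityGroup] = [
    SecurityGroup("sg-a1", "project-a", "default"),
    SecurityGroup("sg-b1", "project-b", "default"),
]


def db_get_default_sg(context: Context, project_id: str) -> Optional[SecurityGroup]:
    """Row lookup scoped by the caller's visibility: a project-scoped
    context gets None for another project's row even though it exists."""
    for sg in DB:
        if sg.project_id == project_id and sg.name == "default":
            if context.is_admin or context.project_id == sg.project_id:
                return sg
    return None


def policy_filter(context: Context, sgs: List[SecurityGroup]) -> List[SecurityGroup]:
    """The single place authorization is enforced on what leaves the API."""
    return [sg for sg in sgs if context.is_admin or sg.project_id == context.project_id]


def ensure_default_security_group(context: Context, project_id: str, use_elevated: bool) -> str:
    """Internal step run during a list call. With use_elevated=False the
    lookup is project-scoped and returns None for a foreign project; the
    following dereference is the error that became a 500."""
    lookup_ctx = context.elevated() if use_elevated else context
    sg = db_get_default_sg(lookup_ctx, project_id)
    return sg.id  # AttributeError when sg is None


def list_security_groups(context: Context, project_id: str, use_elevated: bool) -> Tuple[int, Optional[List[str]]]:
    """Toy API handler returning (http_status, security_group_ids)."""
    try:
        ensure_default_security_group(context, project_id, use_elevated)
    except AttributeError:
        return 500, None  # unhandled exception -> HTTP 500 in the real service
    candidates = [sg for sg in DB if sg.project_id == project_id]
    visible = policy_filter(context, candidates)
    return 200, [sg.id for sg in visible]


if __name__ == "__main__":
    admin_a = Context("project-a")
    print(list_security_groups(admin_a, "project-b", use_elevated=False))  # (500, None)
    print(list_security_groups(admin_a, "project-b", use_elevated=True))   # (200, [])
    print(list_security_groups(admin_a, "project-a", use_elevated=True))   # (200, ['sg-a1'])
```

The point to take from the toy is where authorization lives: the elevated lookup only serves an internal invariant (the default group exists), and nothing it reads reaches the caller without passing policy_filter, which is why the fix does not widen what a project admin can see.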