
yahoo-eng-team team mailing list archive

[Bug 1941537] [NEW] Neutron Policy Engine issues with PUT/Update

 

Public bug reported:

We are using a policy that looks like this:

    "network_device": "field:port:device_owner=~^network:",
    "update_port:fixed_ips": "not rule:network_device",

Idea is to protect special ports (by device_owner) from being updated
but still allow users to create custom ports.

This causes the following error in the policy engine if a client tries to update
the fixed-ips of a port:

DEBUG neutron.policy [] Unable to find requested field: device_owner in target: {
'id': 'abc', 
'network_id': 'abc', 
'tenant_id': 'abc', 
'status': 'ACTIVE', 
'project_id': 'abc', 
'fixed_ips': [{'subnet_id': 'abc', 'ip_address': '10.180.128.89'}], 
'attributes_to_update': ['fixed_ips']
} neutron/policy.py:395


When using PUT/Update, the policy engine is populated with data from the database, but only if the conditions in policy_enforcement.py:54 are met, like "required_by_policy" or "primary_key". The definition of the port attribute "device_owner" doesn't have any of these conditions and is therefore filtered out of the target dict.

But this is not the case for all other operations like GET, DELETE and
CREATE. This seems to me like unintended behaviour; shouldn't all
attributes that are annotated with "enforce_policy" be pulled into the target
dict?

From doc/source/contributor/internals/policy.rst
* If an attribute of a resource might be subject to authorization checks
  then the ``enforce_policy`` attribute should be set to ``True``...

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: policy

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1941537

Title:
  Neutron Policy Engine issues with PUT/Update

Status in neutron:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1941537/+subscriptions
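The following Python model is an added example by the editor; it is not Neutron's code and not part of the bug report. It reproduces the mechanism the report describes: the two policy rules from the report, a minimal evaluator for the "field:", "rule:" and "not" check syntax, and a PUT target dict built from a database row filtered on attribute flags. The attribute flags, the port rows and the update body are constructed for the example and chosen so that the current filter ("required_by_policy" / "primary_key") reproduces the target dict shown in the log above. One assumption is marked in the code: that a field missing from the target makes the "field:" check evaluate to False (the report shows the debug line, not the verdict). Under that assumption "not rule:network_device" becomes True and the fixed_ips update of a network-owned port is allowed, the opposite of the policy's intent; including "enforce_policy" attributes in the target, as the reporter asks, restores the intended denial.

```python
import re

# --- Model of the policy checks used in the report -------------------------
# Constructed for this example; covers only the syntax the two rules need:
# "field:<resource>:<attr>=<value>" (a leading "~" means regex), "rule:<name>",
# and "not <expr>".

POLICY = {
    "network_device": "field:port:device_owner=~^network:",
    "update_port:fixed_ips": "not rule:network_device",
}


def compile_check(expr, policy):
    """Turn one policy expression into a callable taking a target dict."""
    expr = expr.strip()
    if expr.startswith("not "):
        inner = compile_check(expr[4:], policy)
        return lambda target: not inner(target)
    kind, _, match = expr.partition(":")
    if kind == "rule":
        return lambda target: compile_check(policy[match], policy)(target)
    if kind == "field":
        _resource, field_value = match.split(":", 1)
        field, value = field_value.split("=", 1)
        regex = re.compile(value[1:]) if value.startswith("~") else None

        def field_check(target):
            if field not in target:
                # This is the situation that produces the "Unable to find
                # requested field" debug line.  ASSUMPTION: a missing field
                # makes the check evaluate to False.
                return False
            actual = target[field]
            return bool(regex.match(actual)) if regex else actual == value
        return field_check
    raise ValueError("unsupported check: %r" % expr)


# --- Model of how the PUT target dict is assembled -------------------------
# Attribute flags are constructed (not Neutron's attribute map) and chosen so
# that CURRENT_FLAGS reproduces the target dict shown in the report.
PORT_ATTRIBUTES = {
    "id": {"primary_key": True},
    "network_id": {"required_by_policy": True},
    "tenant_id": {"required_by_policy": True},
    "project_id": {"required_by_policy": True},
    "status": {"required_by_policy": True},
    "fixed_ips": {"enforce_policy": True},
    "device_owner": {"enforce_policy": True},
}

CURRENT_FLAGS = ("required_by_policy", "primary_key")   # filter the report describes
PROPOSED_FLAGS = CURRENT_FLAGS + ("enforce_policy",)      # what the reporter asks for


def build_update_target(db_row, body, attr_map, flags):
    """DB fields whose attribute definition carries one of `flags`, merged with
    the request body, plus the 'attributes_to_update' list seen in the log."""
    target = {name: value for name, value in db_row.items()
              if any(attr_map.get(name, {}).get(flag) for flag in flags)}
    target.update(body)
    target["attributes_to_update"] = sorted(body)
    return target


def update_allowed(db_row, body, flags, policy=POLICY):
    """Evaluate update_port:fixed_ips against the target built for this PUT."""
    target = build_update_target(db_row, body, PORT_ATTRIBUTES, flags)
    return compile_check(policy["update_port:fixed_ips"], policy)(target)


# Constructed sample data: a router interface port (device_owner starts with
# "network:") and a plain user port, each receiving the same fixed_ips update.
ROUTER_PORT = {
    "id": "abc", "network_id": "abc", "tenant_id": "abc", "project_id": "abc",
    "status": "ACTIVE", "device_owner": "network:router_interface",
    "fixed_ips": [{"subnet_id": "abc", "ip_address": "10.180.128.89"}],
}
USER_PORT = dict(ROUTER_PORT, id="def", device_owner="compute:nova")
UPDATE_BODY = {"fixed_ips": [{"subnet_id": "abc", "ip_address": "10.180.128.90"}]}

if __name__ == "__main__":
    for label, flags in (("current filter", CURRENT_FLAGS),
                         ("with enforce_policy", PROPOSED_FLAGS)):
        target = build_update_target(ROUTER_PORT, UPDATE_BODY, PORT_ATTRIBUTES, flags)
        print("%-20s device_owner in target: %-5s router port update allowed: %s"
              % (label, "device_owner" in target,
                 update_allowed(ROUTER_PORT, UPDATE_BODY, flags)))
```

The user port is allowed under both filters, so the difference only shows on the ports the policy was written to protect; checking the target dict's keys against the debug log line is the quickest way to confirm which filter a given Neutron build applies.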