
yahoo-eng-team team mailing list archive

[Bug 1957175] [NEW] Regular user can remove qos from a port despite the policy

 

Public bug reported:

We use neutron stable/stein release with ml2/ovs plugin.

From the admin role, we assign qos policy with bandwidth limit to the ports of virtual machines.
In oslo policies, we forbid users to change this file.
"update_port:qos_policy_id": "rule:admin_only"

But users, despite the policy, can remove the qos from the ports by entering the command
openstack port unset <port_id> --qos-policy

This happens because the qos api definition in neutron_lib for port does not use the "enforce_policy" flag.
https://github.com/openstack/neutron-lib/blob/master/neutron_lib/api/definitions/qos.py#L91

Is this done on purpose by neutron api design or is it a bug?

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1957175

Title:
  Regular user can remove qos from a port despite the policy

Status in neutron:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1957175/+subscriptions
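
Added example, not part of the bug report and not neutron or neutron-lib code: a simplified model of the behaviour the report describes, where an attribute-level rule such as "update_port:qos_policy_id" is only evaluated when the attribute definition carries "enforce_policy", plus an audit helper that lists policy rules that can never fire. The attribute maps, the function names and the request body for the unset command are assumptions made for illustration.

```python
# Simplified model of attribute-level policy enforcement (not neutron code).
# Attribute maps and rules below are constructed for illustration.
PORT_ATTRS_AS_REPORTED = {
    "name": {"allow_put": True},
    "qos_policy_id": {"allow_put": True},  # no "enforce_policy" key
}
PORT_ATTRS_WITH_FLAG = {
    "name": {"allow_put": True},
    "qos_policy_id": {"allow_put": True, "enforce_policy": True},
}
POLICY_RULES = {
    "update_port": "rule:admin_or_owner",
    "update_port:qos_policy_id": "rule:admin_only",
}

def rules_to_check(action, attrs, body):
    """Rules evaluated for a request: the action rule, plus one rule per
    submitted attribute that is flagged enforce_policy (model assumption)."""
    checked = [action]
    for name in body:
        if attrs.get(name, {}).get("enforce_policy"):
            checked.append(f"{action}:{name}")
    return checked

def is_allowed(action, attrs, body, is_admin, rules=POLICY_RULES):
    """Owner passes admin_or_owner; only admins pass admin_only."""
    for rule in rules_to_check(action, attrs, body):
        if rules.get(rule) == "rule:admin_only" and not is_admin:
            return False
    return True

def unenforced_rules(resource, attrs, rules=POLICY_RULES):
    """Audit: attribute rules in the policy file that can never fire
    because the attribute definition lacks enforce_policy."""
    findings = []
    for rule_name in rules:
        action, _, attr = rule_name.partition(":")
        if (attr in attrs and action.endswith("_" + resource)
                and not attrs[attr].get("enforce_policy")):
            findings.append(rule_name)
    return sorted(findings)

# Body assumed for "port unset --qos-policy": the attribute set to null.
UNSET_QOS = {"qos_policy_id": None}

if __name__ == "__main__":
    print(is_allowed("update_port", PORT_ATTRS_AS_REPORTED, UNSET_QOS, False))
    print(is_allowed("update_port", PORT_ATTRS_WITH_FLAG, UNSET_QOS, False))
    print(unenforced_rules("port", PORT_ATTRS_AS_REPORTED))
```

Running the audit helper over a deployment's real attribute definitions and policy file would show which attribute-level overrides are silently ignored.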


