yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #88053
[Bug 1957175] [NEW] Regular user can remove qos from a port despite the policy
Public bug reported:
We use neutron stable/stein release with ml2/ovs plugin.
>From the admin role, we assign qos policy with bandwidth limit to the ports of virtual machines.
In oslo policies, we forbid users to change this file.
"update_port:qos_policy_id": "rule:admin_only"
But users, despite the policy can remove the qos from the ports by entering the command
openstack port unset <port_id> --qos-policy
This happens because qos api definition in neutron_lib for port does not use "enforce_policy" flag.
https://github.com/openstack/neutron-lib/blob/master/neutron_lib/api/definitions/qos.py#L91
Is this done on purpose by neutron api design or is it a bug?
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1957175
Title:
Regular user can remove qos from a port despite the policy
Status in neutron:
New
Bug description:
We use neutron stable/stein release with ml2/ovs plugin.
From the admin role, we assign qos policy with bandwidth limit to the ports of virtual machines.
In oslo policies, we forbid users to change this file.
"update_port:qos_policy_id": "rule:admin_only"
But users, despite the policy can remove the qos from the ports by entering the command
openstack port unset <port_id> --qos-policy
This happens because qos api definition in neutron_lib for port does not use "enforce_policy" flag.
https://github.com/openstack/neutron-lib/blob/master/neutron_lib/api/definitions/qos.py#L91
Is this done on purpose by neutron api design or is it a bug?
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1957175/+subscriptions
Follow ups
