yahoo-eng-team team mailing list archive
Message #88121
[Bug 1957175] Re: Regular user can remove qos from a port despite the policy
Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/825088
Committed: https://opendev.org/openstack/neutron-lib/commit/cf54989be21e1229eae6a34af5b84c2bfc5aface
Submitter: "Zuul (22348)"
Branch: master
commit cf54989be21e1229eae6a34af5b84c2bfc5aface
Author: yatinkarel <ykarel@xxxxxxxxxx>
Date: Tue Jan 18 10:45:17 2022 +0000

    Enforce policy for qos_policy_id attribute

    Currently while updating 'qos_policy_id', authorization policies
    are not enforced and as a result it can be set or unset over
    port/network/fip by an unauthorized user.

    This patch fixes it by setting 'enforce_policy' to True
    for this attribute.

    Closes-Bug: #1957175
    Change-Id: Ieee1ca092e572ad4696105962fbc6de675454657

** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1957175
Title:
Regular user can remove qos from a port despite the policy
Status in neutron:
Fix Released
Bug description:
We use neutron stable/stein release with ml2/ovs plugin.
From the admin role, we assign qos policy with bandwidth limit to the ports of virtual machines.
In oslo policies, we forbid users to change this qos.

    "update_port:qos_policy_id": "rule:admin_only"

But users, despite the policy, can remove the qos from the ports by entering the command

    openstack port unset <port_id> --qos-policy

This happens because the qos api definition (neutron_lib) for port does not set the "enforce_policy" flag.
https://github.com/openstack/neutron-lib/blob/master/neutron_lib/api/definitions/qos.py#L91

Is this done on purpose by neutron api design or is it a bug?

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1957175/+subscriptions
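
An added example (not code from neutron or neutron-lib, and not part of the original message): a small audit that lists attribute-level policy rules whose attribute definition lacks the "enforce_policy" flag named in the report. The attribute map, the extra policy rules and the `COLLECTIONS` and `ACTION_FLAGS` tables are constructed for illustration; only the rule `"update_port:qos_policy_id": "rule:admin_only"` comes from the report.

```python
# Constructed attribute map (collection -> attribute -> properties),
# shaped like an API definition; not copied from neutron-lib.
ATTRIBUTE_MAP = {
    "ports": {
        "qos_policy_id": {"allow_post": True, "allow_put": True,
                          "is_visible": True, "default": None},
        "name": {"allow_post": True, "allow_put": True, "is_visible": True},
    },
    "networks": {
        "qos_policy_id": {"allow_post": True, "allow_put": True,
                          "is_visible": True, "default": None,
                          "enforce_policy": True},
    },
}

# Constructed policy content; the first rule is the one from the report.
POLICY = {
    "update_port:qos_policy_id": "rule:admin_only",
    "update_network:qos_policy_id": "rule:admin_only",
    "create_port:qos_policy_id": "rule:admin_only",
    "update_port": "rule:admin_or_owner",
}

# Assumed lookup tables: rule-name resource -> collection, action -> write flag.
COLLECTIONS = {"port": "ports", "network": "networks"}
ACTION_FLAGS = {"create": "allow_post", "update": "allow_put"}


def unenforced_rules(policy, attribute_map):
    """Return attribute-level rules whose attribute lacks enforce_policy."""
    findings = []
    for rule_name in sorted(policy):
        action_resource, sep, attribute = rule_name.partition(":")
        if not sep:
            continue  # resource-level rule such as "update_port"
        action, _, resource = action_resource.partition("_")
        attrs = attribute_map.get(COLLECTIONS.get(resource), {})
        spec = attrs.get(attribute)
        if spec is None or not spec.get(ACTION_FLAGS.get(action), False):
            continue  # attribute unknown, or not writable by this action
        if not spec.get("enforce_policy", False):
            findings.append(rule_name)
    return findings


if __name__ == "__main__":
    for name in unenforced_rules(POLICY, ATTRIBUTE_MAP):
        print(f"{name}: rule defined, but attribute has no enforce_policy flag")
```
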