
yahoo-eng-team team mailing list archive

[Bug 1957175] Re: Regular user can remove qos from a port despite the policy

 

Reviewed:  https://review.opendev.org/c/openstack/neutron-lib/+/825088
Committed: https://opendev.org/openstack/neutron-lib/commit/cf54989be21e1229eae6a34af5b84c2bfc5aface
Submitter: "Zuul (22348)"
Branch:    master

commit cf54989be21e1229eae6a34af5b84c2bfc5aface
Author: yatinkarel <ykarel@xxxxxxxxxx>
Date:   Tue Jan 18 10:45:17 2022 +0000

    Enforce policy for qos_policy_id attribute
    
    Currently while updating 'qos_policy_id', authorization policies
    are not enforced and as a result it can be set or unset over
    port/network/fip by an unauthorized user.
    
    This patch fixes it by setting 'enforce_policy' to True
    for this attribute.
    
    Closes-Bug: #1957175
    Change-Id: Ieee1ca092e572ad4696105962fbc6de675454657


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1957175

Title:
  Regular user can remove qos from a port despite the policy

Status in neutron:
  Fix Released

Bug description:
  We use neutron stable/stein release with ml2/ovs plugin.

  From the admin role, we assign qos policy with bandwidth limit to the ports of virtual machines.
  In oslo policies, we forbid users to change this qos.
  "update_port:qos_policy_id": "rule:admin_only"

  But users, despite the policy, can remove the qos from the ports by entering the command
  openstack port  unset <port_id> --qos-policy

  This happens because the qos api definition (neutron_lib) for port does not set the "enforce_policy" flag.
  https://github.com/openstack/neutron-lib/blob/master/neutron_lib/api/definitions/qos.py#L91

  Is this done on purpose by neutron api design or is it a bug?

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1957175/+subscriptions
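
The behaviour reported in the bug and changed by the commit above, as an added example that is not part of the original message and is not neutron or neutron-lib code: a simplified Python model in which an attribute-level rule is evaluated only when the attribute definition carries 'enforce_policy', plus a check that lists policy rules the attribute map never evaluates. All function names and the RULES table are hypothetical; the rule names and the flag come from the report.

```python
# Simplified model of per-attribute policy enforcement; not Neutron's code.
# RULES, attr_map, rules_to_check, authorize, unenforced_rules are hypothetical.

# Constructed policy: rule name -> predicate over the caller's context.
RULES = {
    "update_port": lambda ctx: True,                           # owner may update
    "update_port:qos_policy_id": lambda ctx: ctx["is_admin"],  # rule:admin_only
}


def attr_map(enforce):
    """qos_policy_id attribute definition without / with the flag from the fix."""
    spec = {"allow_post": True, "allow_put": True, "is_visible": True}
    if enforce:
        spec["enforce_policy"] = True
    return {"qos_policy_id": spec}


def rules_to_check(action, body, attrs):
    """Resource-level rule, plus one rule per submitted attribute that opts in."""
    names = [action]
    for name in body:  # key presence counts, so an unset (None) is still checked
        if attrs.get(name, {}).get("enforce_policy"):
            names.append(f"{action}:{name}")
    return names


def authorize(ctx, action, body, attrs):
    return all(RULES[name](ctx) for name in rules_to_check(action, body, attrs))


def unenforced_rules(action, attrs):
    """Attribute rules an operator wrote that this attribute map never evaluates."""
    prefix = action + ":"
    return [name for name in RULES if name.startswith(prefix)
            and not attrs.get(name[len(prefix):], {}).get("enforce_policy")]


if __name__ == "__main__":
    user, unset_qos = {"is_admin": False}, {"qos_policy_id": None}
    for label, attrs in (("before fix", attr_map(False)), ("after fix", attr_map(True))):
        print(label, "| user allowed:", authorize(user, "update_port", unset_qos, attrs),
              "| ineffective rules:", unenforced_rules("update_port", attrs))
```
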


