
yahoo-eng-team team mailing list archive

[Bug 1959332] [NEW] With new secure RBAC external gateway ports can't be visible in the API


Public bug reported:

After patch https://review.opendev.org/c/openstack/neutron/+/821208 was merged, when scope enforcement and the new default policies are used, a project admin user can access and do almost everything related to the project's resources.
A system admin can only access/modify system-wide resources, like e.g. agents.
So basically there is no "super user" who can access everything (which is good, as this is one of the goals of the whole community goal IIRC).
The problem is with external gateway ports, which are intentionally not assigned to any project and thus aren't visible in the API even for a PROJECT_ADMIN user.

I see 3 possible solutions for that:

1. We will somehow try to hardcode a rule that for external gateway ports the owner of the device_id will be checked (like it's done e.g. with parent_id for some resources) - I don't know how easy or hard it may really be to do, but I think it's worth exploring,
2. We will change external gateway ports so that they have an owner, which will be the same as the owner of the router, or
3. We will hardcode something so that for project admin users such external gateway ports are displayed - but that means that each project admin will see the external gateway ports used by all projects, as all those ports don't belong to any project.

** Affects: neutron
     Importance: Medium
     Assignee: Slawek Kaplonski (slaweq)
         Status: Confirmed


** Tags: api

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1959332
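To make the failure mode concrete, below is a small Python model of the scope-enforced check described in the report. It is an added illustration, not Neutron's policy code and not its real default policy rules: the role names, the shape of the owner rule, the sample ports, the router-to-project map and the three "mode" switches are constructed assumptions (only the device_owner value network:router_gateway matches what Neutron uses). It shows why a port whose project_id is None can never satisfy a project-scoped owner rule, why a system-scoped admin is not a fallback either, and how the proposed options differ, including the cross-project visibility that option 3 would give every project admin.

```python
"""Toy model of scope-enforced RBAC for Neutron-style ports (added illustration).

Not Neutron's policy engine or its real default rules: role names, rule shapes,
sample ports and the router-to-project map are constructed for this example.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

# device_owner value Neutron uses for a router's external gateway port.
ROUTER_GATEWAY = "network:router_gateway"


@dataclass(frozen=True)
class Context:
    """Token context: project-scoped (project_id set) or system-scoped."""
    roles: frozenset
    project_id: Optional[str] = None
    system_scope: Optional[str] = None   # "all" for a system-scoped token


@dataclass(frozen=True)
class Port:
    id: str
    project_id: Optional[str]            # None for external gateway ports
    device_owner: str
    device_id: Optional[str] = None      # router id for gateway ports


# Constructed sample: which project owns which router.
ROUTERS: Dict[str, str] = {"router-a": "proj-a", "router-b": "proj-b"}


def is_project_admin_owner(ctx: Context, target: Port) -> bool:
    """Stand-in for an 'admin role, project-scoped, project_id matches' rule.

    A target with project_id None can never satisfy the owner comparison,
    which is exactly what hides gateway ports from every project admin.
    """
    return (
        "admin" in ctx.roles
        and ctx.project_id is not None
        and target.project_id is not None
        and target.project_id == ctx.project_id
    )


def can_get_port(ctx: Context, port: Port, mode: str = "current") -> bool:
    """Evaluate get_port under the current behaviour or one of the proposals.

    mode (assumed switches for this example):
      "current"           - ports are project resources; a system-scoped
                            admin is denied, the owner check needs project_id.
      "router_owner"      - options 1/2: resolve the owner via the router
                            behind device_id (or store it on the port).
      "any_project_admin" - option 3: show every gateway port to any
                            project admin, regardless of project.
    """
    if port.device_owner == ROUTER_GATEWAY:
        if mode == "any_project_admin":
            return "admin" in ctx.roles and ctx.project_id is not None
        if mode == "router_owner":
            owner = ROUTERS.get(port.device_id) if port.device_id else None
            return is_project_admin_owner(ctx, replace(port, project_id=owner))
    # System-scoped tokens never match here: a port is not a system resource.
    return is_project_admin_owner(ctx, port)


def visible_ports(ctx: Context, ports: List[Port], mode: str = "current") -> List[str]:
    """IDs a 'list ports' call would return for ctx under the given mode."""
    return [p.id for p in ports if can_get_port(ctx, p, mode)]


# Constructed sample inventory: one VM port in proj-a, two routers' gateway ports.
SAMPLE_PORTS = [
    Port("port-vm-a", "proj-a", "compute:nova", "vm-1"),
    Port("gw-a", None, ROUTER_GATEWAY, "router-a"),
    Port("gw-b", None, ROUTER_GATEWAY, "router-b"),
]
PROJECT_ADMIN_A = Context(frozenset({"admin", "member", "reader"}), project_id="proj-a")
SYSTEM_ADMIN = Context(frozenset({"admin"}), system_scope="all")


if __name__ == "__main__":
    for mode in ("current", "router_owner", "any_project_admin"):
        print(mode, "project admin A:", visible_ports(PROJECT_ADMIN_A, SAMPLE_PORTS, mode))
        print(mode, "system admin:  ", visible_ports(SYSTEM_ADMIN, SAMPLE_PORTS, mode))
```

Under "current" the project admin of proj-a sees only its VM port and the system admin sees nothing, so gw-a is reachable by nobody. Resolving the owner through the router (options 1/2) makes gw-a visible to proj-a's admin while still hiding gw-b; option 3 makes both gateway ports visible to any project admin, which is the cross-project exposure the report warns about.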