yahoo-eng-team team mailing list archive
Message #88656
[Bug 1965294] Re: [Secure RBAC] Create network error due to role without permissions isn't clear
Reviewed: https://review.opendev.org/c/openstack/neutron/+/834171
Committed: https://opendev.org/openstack/neutron/commit/60bc6c7a992383cecaf7dcf425668a6ea92b151b
Submitter: "Zuul (22348)"
Branch: master
commit 60bc6c7a992383cecaf7dcf425668a6ea92b151b
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date: Thu Mar 17 14:33:41 2022 +0100
[API] Return 403 for POST requests when user is not authorized
In the policy_enforcement module, if policy.enforce() raises a
PolicyNotAuthorized exception, there is an additional check of whether the
user is trying to modify their own or someone else's resource. When the user
is not even allowed to show the resource, error 404 is raised to "hide" any
information about the requested resource.
But that was also the case for POST (create resource) requests, and a 404
error when the user is trying to e.g. create a network is confusing.
So this patch modifies that logic, and in the case of "create_" actions it
will return 403 if the user was not authorized to do such an operation.
Closes-Bug: #1965294
Change-Id: I80b0616c335134a564361137b2a00ff86dcbdf1c
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1965294
Title:
[Secure RBAC] Create network error due to role without permissions
isn't clear
Status in neutron:
Fix Released
Bug description:
Bug originally reported by Candido Campos in
https://bugzilla.redhat.com/show_bug.cgi?id=2063867
Description of problem:
Captured traceback:
~~~~~~~~~~~~~~~~~~~
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/tempest/common/utils/__init__.py", line 89, in wrapper
    return func(*func_args, **func_kwargs)
  File "/usr/lib/python3.6/site-packages/neutron_tempest_plugin/scenario/test_internal_dns.py", line 38, in test_dns_domain_and_name
    network = self.create_network(dns_domain='starwars.')
  File "/usr/lib/python3.6/site-packages/neutron_tempest_plugin/api/base.py", line 379, in create_network
    network = client.create_network(name=name, **kwargs)['network']
  File "/usr/lib/python3.6/site-packages/neutron_tempest_plugin/services/network/json/network_client.py", line 146, in _create
    resp, body = self.post(uri, post_data)
  File "/usr/lib/python3.6/site-packages/tempest/lib/common/rest_client.py", line 299, in post
    return self.request('POST', url, extra_headers, headers, body, chunked)
  File "/usr/lib/python3.6/site-packages/tempest/lib/common/rest_client.py", line 703, in request
    self._error_checker(resp, resp_body)
  File "/usr/lib/python3.6/site-packages/tempest/lib/common/rest_client.py", line 809, in _error_checker
    raise exceptions.NotFound(resp_body, resp=resp)
tempest.lib.exceptions.NotFound: Object not found
Details: {'type': 'HTTPNotFound', 'message': 'The resource could not be found.', 'detail': ''}
Version-Release number of selected component (if applicable):
How reproducible:
openstack project create --domain default --description "Demo Project" myproject
openstack user create --domain default --password-prompt myuser
openstack role create myrole
openstack role add --project myproject --user myuser myrole
openstack network create test
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1965294/+subscriptions
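
The status-code decision described in the commit message above, as an added example that is not Neutron's code: a simplified model in which the rule table, the role names other than `myrole`, and the `denial_status` helper are assumptions, and the ownership check is left out.

```python
# Added illustration: a simplified model, not Neutron's policy_enforcement code.
# The rule table, role names and function names are assumptions for this example.


class PolicyNotAuthorized(Exception):
    """Raised when the caller's roles do not satisfy the rule for an action."""


# Constructed rule table: action -> roles allowed to perform it.
RULES = {
    "create_network": {"member", "admin"},
    "get_network": {"reader", "member", "admin"},
    "update_network": {"member", "admin"},
}


def enforce(action, roles):
    """Raise PolicyNotAuthorized unless one of the roles is allowed the action."""
    if not RULES.get(action, set()) & set(roles):
        raise PolicyNotAuthorized(action)


def denial_status(action, roles, fixed=True):
    """Return None if the action is allowed, else the HTTP error status.

    fixed=False models the behaviour reported in the bug, fixed=True the
    behaviour the commit message describes.
    """
    try:
        enforce(action, roles)
        return None
    except PolicyNotAuthorized:
        pass
    # A create_ request names no existing resource, so a 404 hides nothing
    # and only obscures the real cause: the caller lacks permission.
    if fixed and action.startswith("create_"):
        return 403
    # For existing resources: a caller who may not even show the resource
    # gets 404, so the response does not confirm that the resource exists.
    resource = action.split("_", 1)[1]
    try:
        enforce("get_" + resource, roles)
    except PolicyNotAuthorized:
        return 404
    return 403
```

With the custom role from the reproduction steps, `denial_status("create_network", ["myrole"], fixed=False)` gives the confusing 404, while the default `fixed=True` gives 403.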