
yahoo-eng-team team mailing list archive

[Bug 1989627] [NEW] Policy enforcement variance between openstackcli and Horizon


Public bug reported:

Summary
Neutron enforces policy differently between Horizon and the openstackcli

High Level Description
If a user without admin permission tries to modify security groups on a port via Horizon, they are denied via policy enforcement in line with the defaults from oslo.policy. But the same user is able to modify the port security groups via the CLI.

Reproduce:
1. Create a new non-admin user:
❯ openstack user create --project bne-home --password-prompt test
❯ openstack role add --project bne-home --user test member

2. Add user to clouds.yaml
  bne-home-test:
    auth:
      auth_url: https://openstack.bne-home.net:13000
      password: "test"
      project_domain_name: Default
      project_name: bne-home
      user_domain_name: Default
      username: test
    cacert: ~/.certs/overcloud-cacert.pem
    identity_api_version: '3'
    region_name: regionOne
    volume_api_version: '3'

3. Try to add/remove security group from port using the openstackcli:
❯ openstack server show test-lb-net -c security_groups -c addresses -f yaml
addresses:
  lb-mgmt-net:
  - 172.24.0.90
  vlan4-infra:
  - 172.20.13.175
security_groups:
- name: management-bne

❯ openstack port show 4df563ce-5464-4f7d-8aaf-c5496cdaefda -c fixed_ips -c port_security_enabled -c security_group_ids -f yaml
fixed_ips:
- ip_address: 172.20.13.175
  subnet_id: 71aad09a-3e7b-4399-97bf-075f066f6713
port_security_enabled: true
security_group_ids:
- a3ae6e20-67df-4a72-9d5b-cc21ad87464f

❯ openstack port unset --security-group a3ae6e20-67df-4a72-9d5b-cc21ad87464f 4df563ce-5464-4f7d-8aaf-c5496cdaefda
❯ openstack port show 4df563ce-5464-4f7d-8aaf-c5496cdaefda -c fixed_ips -c port_security_enabled -c security_group_ids -f yaml
fixed_ips:
- ip_address: 172.20.13.175
  subnet_id: 71aad09a-3e7b-4399-97bf-075f066f6713
port_security_enabled: true
security_group_ids: []


Verify that I’m definitely not an admin user:
❯ openstack server list --all
Policy doesn't allow os_compute_api:servers:detail:get_all_tenants to be performed. (HTTP 403) (Request-ID: req-75c19210-ad91-471f-b500-e1f3482825f8)

We can see this works. Let's try the same from Horizon. We need to
log in, select Instances > Interfaces > "Edit Security Groups"

This will deny the request. The error from Horizon is:
2022-09-14 22:23:13,612 65 INFO openstack_dashboard.dashboards.project.networks.ports.workflows Failed to update port 4df563ce-5464-4f7d-8aaf-c5496cdaefda: ((rule:update_port and rule:update_port:binding:vnic_type) and rule:update_port:port_security_enabled) is disallowed by policy

Which seems consistent with:
[root@overcloud-controller-0 horizon]# podman exec -it neutron_api oslopolicy-policy-generator --namespace neutron | grep "update_port:port_security_enabled"
"update_port:port_security_enabled": "rule:context_is_advsvc or rule:network_owner or rule:admin_only"


From the Neutron logs for both requests we can see:

https://paste.opendev.org/show/bn6zKrSXW5321hpJChvd/


Environment:
TripleO (current-tripleo)

Version:
# podman exec -it neutron_api rpm -q openstack-neutron
openstack-neutron-20.1.0-0.20220907082912.b4beddd.el9.noarch

[root@overcloud-controller-0 ~]# podman inspect neutron_api | jq '.[] | "image=\(.Image), image_url=\(.ImageName)"'
"image=7cf0c193041e437c39fe231c5eb39dc7f3f34229187de8e3d675cda28bdf1525, image_url=quay.io/tripleomastercentos9/openstack-neutron-server:current-tripleo"


Note that this is also an issue for RHOSP16.x:
https://lists.openstack.org/pipermail/openstack-discuss/2022-September/030468.html

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1989627

Title:
  Policy enforcement variance between openstackcli and Horizon

Status in neutron:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1989627/+subscriptions
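The variance the report describes comes down to what each client puts in the PUT /v2.0/ports/{id} body. Neutron enforces the action rule (update_port) together with update_port:<attr> for every policy-enforced attribute present in the body, whether or not that attribute's value actually changes; the Horizon log line above is exactly that conjunction. The CLI's "port unset --security-group" sends only security_groups, so only update_port is checked and the project member passes. Horizon's workflow re-submits other port attributes as well, and update_port:port_security_enabled is admin-or-network-owner only. Below is an added example, not code from the bug report, Neutron or Horizon: a small model of that rule composition with a deliberately tiny evaluator standing in for oslo.policy. The POLICY table is a hand-written subset of the defaults, with the update_port:port_security_enabled entry copied from the generator output quoted in the report and the other entries assumed; the request bodies, roles and project IDs are constructed, and the port sitting on a network owned by a different project is an assumption about the environment in the report.

```python
"""Model of how Neutron composes the policy rule for a port update.

Added example, not code from the bug report, Neutron or Horizon. It models one
thing: Neutron enforces ``update_port`` AND ``update_port:<attr>`` for every
policy-enforced attribute present in the PUT body, which is what the Horizon
log line in the report shows. The evaluator is a tiny stand-in for oslo.policy.
"""

# Constructed subset of Neutron's default policy. The port_security_enabled
# entry is the one quoted in the report; the rest are assumed defaults.
POLICY = {
    "context_is_admin": "role:admin",
    "admin_only": "rule:context_is_admin",
    "context_is_advsvc": "role:advsvc",
    "owner": "tenant_id:%(tenant_id)s",
    "admin_or_owner": "rule:context_is_admin or rule:owner",
    "network_owner": "tenant_id:%(network:tenant_id)s",
    "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
    "update_port:binding:vnic_type": "rule:admin_or_owner or rule:context_is_advsvc",
    "update_port:port_security_enabled": (
        "rule:context_is_advsvc or rule:network_owner or rule:admin_only"),
}


def _check(token, creds, target, policy):
    """Evaluate one 'kind:value' check against the caller and the target."""
    kind, _, value = token.partition(":")
    if kind == "rule":
        return _eval(policy[value], creds, target, policy)
    if kind == "role":
        return value in creds["roles"]
    if value.startswith("%(") and value.endswith(")s"):
        # Generic check: compare a credential field with a target field.
        # Real Neutron resolves 'network:tenant_id' by fetching the network;
        # here the caller supplies it in the target dict (simplification).
        return creds.get(kind) == target.get(value[2:-2])
    raise ValueError(f"unsupported check {token!r}")


def _eval(expr, creds, target, policy):
    """'or' binds loosest, 'and' tighter; no parentheses in this subset."""
    return any(
        all(_check(tok.strip(), creds, target, policy) for tok in term.split(" and "))
        for term in expr.split(" or ")
    )


def enforced_rule(action, body, policy=POLICY):
    """Conjoin the action rule with one attribute rule per enforced body attribute.

    Simplification: an attribute counts as policy-enforced when the policy has an
    '<action>:<attr>' entry; real Neutron consults the attribute map's
    enforce_policy flag instead.
    """
    parts = [f"rule:{action}"]
    for attr in body:
        if f"{action}:{attr}" in policy:
            parts.append(f"rule:{action}:{attr}")
    return " and ".join(parts)


def authorize(creds, target, body, action="update_port", policy=POLICY):
    """Return (composed rule, allowed?) for one PUT body."""
    rule = enforced_rule(action, body, policy)
    return rule, _eval(rule, creds, target, policy)


# Constructed data: roles, project IDs and bodies are illustrative. The port is
# owned by the member's project but sits on a network owned by another project
# (assumption about the provider network in the report).
MEMBER = {"roles": ["member", "reader"], "tenant_id": "proj-bne-home"}
ADMIN = {"roles": ["admin", "member", "reader"], "tenant_id": "proj-admin"}
PORT_ON_FOREIGN_NET = {"tenant_id": "proj-bne-home", "network:tenant_id": "proj-admin"}
PORT_ON_OWN_NET = {"tenant_id": "proj-bne-home", "network:tenant_id": "proj-bne-home"}

# Body shape of 'openstack port unset --security-group': only the changed attribute.
CLI_BODY = {"security_groups": []}
# Body shape inferred from the Horizon log line: security groups plus other
# port attributes re-submitted with their current values.
HORIZON_BODY = {
    "security_groups": [],
    "binding:vnic_type": "normal",
    "port_security_enabled": True,
}


def compare_clients():
    """Evaluate both request shapes for the member, and Horizon's for the admin."""
    return {
        "cli_member_foreign_net": authorize(MEMBER, PORT_ON_FOREIGN_NET, CLI_BODY),
        "horizon_member_foreign_net": authorize(MEMBER, PORT_ON_FOREIGN_NET, HORIZON_BODY),
        "horizon_member_own_net": authorize(MEMBER, PORT_ON_OWN_NET, HORIZON_BODY),
        "horizon_admin_foreign_net": authorize(ADMIN, PORT_ON_FOREIGN_NET, HORIZON_BODY),
    }


if __name__ == "__main__":
    for name, (rule, allowed) in compare_clients().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'DENY':5s} {rule}")
```

Run as written, the member passes with the CLI-shaped body and is denied with the Horizon-shaped body on the same port, and the only difference is the extra port_security_enabled key whose rule the member cannot satisfy on a network the project does not own; on a project-owned network both bodies pass, so the variance only shows up for ports on shared or provider networks. To confirm what each client really sends against a live deployment, run the CLI command with --debug and compare its PUT body with the one Horizon submits. Keep in mind the model's limits: oslo.policy supports parentheses and many more check types, and Neutron decides which attributes are enforced from the attribute map rather than from the presence of a rule name.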


