yahoo-eng-team team mailing list archive

[Bug 1933242] Re: Unable to show security groups for non-admin users if custom policies using.

 

As https://review.opendev.org/c/openstack/neutron/+/811242 has merged,
let's close this bug.

** Changed in: neutron
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1933242

Title:
  Unable to show security groups for non-admin users if custom policies
  using.

Status in neutron:
  Fix Released

Bug description:
  Neutron's RBAC system supports security group sharing but it's
  impossible to use with changed policies. When RBAC for security groups
  was added [1], the "shared" field was not added to the database. As a
  result, we cannot use this flag for policy checks and SG sharing will
  work only with the default [2] policy, and it is impossible to
  configure policies like:

  "shared_security_groups": "field:security_groups:shared=True",
  "get_security_group": "rule:admin or rule:shared_security_groups",

  How to reproduce:
  1. change the policies and add a check for the 'shared' field as mentioned above;
  2. create new SG with admin permissions;
  3. share the SG to another project;
  4. try to get this SG by ID with project owner permissions;

  Such policies work perfectly for other RBAC objects like networks,
  subnet pools etc.

  [1] https://review.opendev.org/c/openstack/neutron/+/635311
  [2] https://github.com/openstack/neutron/blob/master/neutron/conf/policies/security_group.py#L66

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1933242/+subscriptions
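
The failure mode in the bug description, as an added example that is not part of the original message and is not Neutron or oslo.policy code: a small stand-in evaluator applies the two quoted policies to a security group target with and without a `shared` attribute. Assumptions: `rule:admin` is defined as `role:admin`, an attribute missing from the target makes a `field:` check fail, and all sample credentials and targets are constructed.

```python
# Simplified model of the policy evaluation described in the bug report.
# This is NOT oslo.policy or Neutron code; it only supports the three check
# forms needed here: "role:<name>", "rule:<name>" and
# "field:<resource>:<attr>=<value>", joined by "or".

POLICIES = {
    # Assumed definition; the report references rule:admin without showing it.
    "admin": "role:admin",
    # The two custom policies quoted in the bug report.
    "shared_security_groups": "field:security_groups:shared=True",
    "get_security_group": "rule:admin or rule:shared_security_groups",
}


def check(expr, target, creds):
    """Return True if any 'or'-joined clause of expr passes."""
    for clause in expr.split(" or "):
        kind, _, match = clause.strip().partition(":")
        if kind == "rule":
            ok = check(POLICIES[match], target, creds)
        elif kind == "role":
            ok = match in creds["roles"]
        elif kind == "field":
            _resource, _, field_value = match.partition(":")
            attr, _, wanted = field_value.partition("=")
            # Modelling assumption: an attribute missing from the target
            # never matches, so the clause fails.
            ok = attr in target and str(target[attr]) == wanted
        else:
            raise ValueError("unsupported check: " + clause)
        if ok:
            return True
    return False


def can_show(target, creds):
    """Evaluate the get_security_group policy for one target and caller."""
    return check(POLICIES["get_security_group"], target, creds)


# Constructed sample data: an admin in the owning project, a non-admin in the
# project the SG was shared to, and the same SG with and without the flag.
ADMIN = {"roles": ["admin"], "project_id": "project-a"}
MEMBER = {"roles": ["member"], "project_id": "project-b"}
SG_WITHOUT_FLAG = {"id": "sg-1", "project_id": "project-a"}
SG_WITH_FLAG = dict(SG_WITHOUT_FLAG, shared=True)

if __name__ == "__main__":
    for name, sg in (("no shared attr", SG_WITHOUT_FLAG), ("shared=True", SG_WITH_FLAG)):
        print(name, "admin:", can_show(sg, ADMIN), "member:", can_show(sg, MEMBER))
```

The non-admin caller is denied whenever the target has no `shared` attribute, which matches step 4 of the reproduction; the same caller passes once the target carries `shared=True`.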
