yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1996836] [NEW] With new RBAC enabled (enforce_scope and enforce_new_defaults): 'router:external' field is missing in network list response

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Ghanshyam Mann <1996836@xxxxxxxxxxxxxxxxxx>
Date: Thu, 17 Nov 2022 02:45:44 -0000
Reply-to: Bug 1996836 <1996836@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Public bug reported:

I was testing the tempest with the new RBAC enabled which means in
neutron.conf enable the below options:

[oslo_policy]
enforce_scope = True
enforce_new_defaults = True

https://zuul.opendev.org/t/openstack/build/e447385546c749f8b38bc4c411088dc1/log/controller/logs/etc/neutron/neutron_conf.txt#1928

Tempest external network tests doing the list network but
'router:external' field is missing in network list response

-
https://zuul.opendev.org/t/openstack/build/e447385546c749f8b38bc4c411088dc1/log/job-
output.txt#23754

policy defaults for 'router:external' seems fine
- https://github.com/openstack/neutron/blob/bf44e70db6219e7f3a45bd61b7dd14a31ae33bb0/neutron/conf/policies/network.py#L193

But it seems enforce_scope is restricting it somewhere, is this check in context causing not to return it?
- https://github.com/openstack/neutron-lib/blob/9ecd5995b6c598cee931087bf13fdd166f404034/neutron_lib/context.py#L125

We should not add system:all in neutron as system scope is not supported
in neutron policy now.

** Affects: neutron
     Importance: Undecided
         Status: In Progress

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1996836

Title:
  With new RBAC enabled (enforce_scope and enforce_new_defaults):
  'router:external' field is missing in network list response

Status in neutron:
  In Progress

Bug description:
  I was testing the tempest with the new RBAC enabled which means in
  neutron.conf enable the below options:

  [oslo_policy]
  enforce_scope = True
  enforce_new_defaults = True

  https://zuul.opendev.org/t/openstack/build/e447385546c749f8b38bc4c411088dc1/log/controller/logs/etc/neutron/neutron_conf.txt#1928

  Tempest external network tests doing the list network but
  'router:external' field is missing in network list response

  -
  https://zuul.opendev.org/t/openstack/build/e447385546c749f8b38bc4c411088dc1/log/job-
  output.txt#23754

  policy defaults for 'router:external' seems fine
  - https://github.com/openstack/neutron/blob/bf44e70db6219e7f3a45bd61b7dd14a31ae33bb0/neutron/conf/policies/network.py#L193

  But it seems enforce_scope is restricting it somewhere, is this check in context causing not to return it?
  - https://github.com/openstack/neutron-lib/blob/9ecd5995b6c598cee931087bf13fdd166f404034/neutron_lib/context.py#L125

  We should not add system:all in neutron as system scope is not
  supported in neutron policy now.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1996836/+subscriptions

Follow ups

[Bug 1996836] Re: With new RBAC enabled (enforce_scope and enforce_new_defaults): 'router:external' field is missing in network list response
From: OpenStack Infra, 2022-11-18