
yahoo-eng-team team mailing list archive

[Bug 1996836] Re: With new RBAC enabled (enforce_scope and enforce_new_defaults): 'router:external' field is missing in network list response

 

Reviewed:  https://review.opendev.org/c/openstack/neutron/+/865032
Committed: https://opendev.org/openstack/neutron/commit/0ef4f988254457ae460f192a334ccd6776688afb
Submitter: "Zuul (22348)"
Branch:    master

commit 0ef4f988254457ae460f192a334ccd6776688afb
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date:   Fri Nov 18 16:04:01 2022 +0100

    Remove policy rule for get_network:router:external
    
    In legacy RBAC rules, getting the network's router:external attribute was
    available for everyone (rule:regular_user). In new S-RBAC rules it was
    made available for admin users and for PROJECT_READER. This didn't
    really have the same result, as the router:external attribute wasn't visible
    for networks which belong to other projects.
    
    Networks which are set to be external are automatically shared with all
    other projects and each user from such a project should be able to check
    whether each of the visible networks is external or not.
    Overall, the extra policy rule for "get_network:router:external" isn't
    really necessary and this patch removes it.
    
    Closes-Bug: #1996836
    Change-Id: I5fe4a0134c6ecf5cf28e2f5d59411134546c98b0


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1996836

Title:
  With new RBAC enabled (enforce_scope and enforce_new_defaults):
  'router:external' field is missing in network list response

Status in neutron:
  Fix Released

Bug description:
  I was testing tempest with the new RBAC enabled, which means enabling
  the below options in neutron.conf:

  [oslo_policy]
  enforce_scope = True
  enforce_new_defaults = True

  https://zuul.opendev.org/t/openstack/build/e447385546c749f8b38bc4c411088dc1/log/controller/logs/etc/neutron/neutron_conf.txt#1928

  Tempest external network tests do a network list, but the
  'router:external' field is missing in the network list response

  - https://zuul.opendev.org/t/openstack/build/e447385546c749f8b38bc4c411088dc1/log/job-output.txt#23754

  Policy defaults for 'router:external' seem fine
  - https://github.com/openstack/neutron/blob/bf44e70db6219e7f3a45bd61b7dd14a31ae33bb0/neutron/conf/policies/network.py#L193

  But it seems enforce_scope is restricting it somewhere; is this check in context causing it not to be returned?
  - https://github.com/openstack/neutron-lib/blob/9ecd5995b6c598cee931087bf13fdd166f404034/neutron_lib/context.py#L125

  We should not add system:all in neutron as system scope is not
  supported in neutron policy now.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1996836/+subscriptions
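
The effect described in the commit message above, as an added example that is not part of the original mail and is not Neutron or oslo.policy code: a simplified Python model of per-attribute policy filtering on a network that is already visible to the caller. It assumes PROJECT_READER means the reader role on the project that owns the network; all function names, rule tables and sample data are constructed for illustration.

```python
# Simplified model of per-attribute policy filtering on GET /networks.
# Assumption: this is not neutron or oslo.policy code; the checks below only
# mirror the rules as the commit message describes them.

def regular_user(creds, target):
    return True  # legacy rule: available for everyone

def admin(creds, target):
    return "admin" in creds["roles"]

def project_reader(creds, target):
    # Assumed meaning: reader role on the project that owns the target.
    return "reader" in creds["roles"] and creds["project_id"] == target["project_id"]

def admin_or_project_reader(creds, target):
    return admin(creds, target) or project_reader(creds, target)

ATTR = "get_network:router:external"
LEGACY = {ATTR: regular_user}
SRBAC_BEFORE_FIX = {ATTR: admin_or_project_reader}
SRBAC_AFTER_FIX = {}  # rule removed: attribute follows the network's visibility

def filter_attributes(rules, creds, network):
    """Return the attributes of an already-visible network that creds may read."""
    shown = {}
    for attr, value in network.items():
        rule = rules.get("get_network:" + attr)
        if rule is None or rule(creds, network):
            shown[attr] = value
    return shown

# Constructed sample data: an external network owned by another project.
EXTERNAL_NET = {"id": "net-ext", "name": "public",
                "project_id": "infra-project", "router:external": True}
TENANT_READER = {"project_id": "tenant-a", "roles": ["reader"]}
OWNER_READER = {"project_id": "infra-project", "roles": ["reader"]}

if __name__ == "__main__":
    for label, rules in [("legacy", LEGACY),
                         ("S-RBAC before fix", SRBAC_BEFORE_FIX),
                         ("S-RBAC after fix", SRBAC_AFTER_FIX)]:
        shown = filter_attributes(rules, TENANT_READER, EXTERNAL_NET)
        print(label, "->", "router:external" in shown)
```

In this model the reader from tenant-a loses the field only under the pre-fix S-RBAC rule, because the rule is evaluated against the owning project of the shared external network.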


