yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1997089] Re: With new RBAC enabled (enforce_scope and enforce_new_defaults): some security groups aren't visible for admin user

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <1997089@xxxxxxxxxxxxxxxxxx>
Date: Thu, 24 Nov 2022 20:06:01 -0000
Reply-to: Bug 1997089 <1997089@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Reviewed:  https://review.opendev.org/c/openstack/neutron/+/865040
Committed: https://opendev.org/openstack/neutron/commit/6d8ada0ac93beed05b45adb9582c3ef23bef49d2
Submitter: "Zuul (22348)"
Branch:    master

commit 6d8ada0ac93beed05b45adb9582c3ef23bef49d2
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date:   Mon Nov 21 15:32:21 2022 +0100

    [S-RBAC] Allow admin user to do all API requests by default
    
    By default ADMIN user in the new Secure RBAC policies should behave in
    the same way as in the legacy rules so basically every API operation for
    any project should be allowed for ADMIN user.
    In the new rules there are roles like PROJECT_MEMBER and PROJECT_READER
    and those personas don't inherits directly from ADMIN which means that
    if something is possible to e.g. PROJECT_MEMBER it isn't automatically
    also allowed to ADMIN and we need to explicitly allow ADMIN user to do
    such requests. It was done like that for many of API calls already but
    not for all of them (probably by mistake).
    
    This patch introduces new composite check ADMIN_OR_PROJECT_MEMBER and
    uses it in the check strings where ADMIN or PROJECT_MEMBER user is
    allowed to use the API.
    It also changes some of the check strings which used "policy_or" to
    combine ADMIN and PROJECT_MEMBER or PROJECT_READER so that those
    composite checks ADMIN_OR_PROJECT_MEMBER and ADMIN_OR_PROJECT_READER are
    used everywhere.
    
    Closes-Bug: #1997089
    
    Change-Id: Iab5cd6c7aa07ca8527c5fa8396c9ed0da65b4fa7


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1997089

Title:
   With new RBAC enabled (enforce_scope and enforce_new_defaults): some
  security groups aren't visible for admin user

Status in neutron:
  Fix Released

Bug description:
  See failed test
  tempest.api.compute.admin.test_security_groups.SecurityGroupsTestAdminJSON.test_list_security_groups_list_all_tenants_filter
  in
  https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_63d/614484/10/check/tempest-
  full-enforce-scope-new-defaults/63d64d6/testr_results.html

  Failure:

  Traceback (most recent call last):
    File "/opt/stack/tempest/tempest/common/utils/__init__.py", line 70, in wrapper
      return f(*func_args, **func_kwargs)
    File "/opt/stack/tempest/tempest/api/compute/admin/test_security_groups.py", line 86, in test_list_security_groups_list_all_tenants_filter
      self.assertIn(sec_group['id'], sec_group_id_list)
    File "/opt/stack/tempest/.tox/tempest/lib/python3.8/site-packages/testtools/testcase.py", line 399, in assertIn
      self.assertThat(haystack, Contains(needle), message)
    File "/opt/stack/tempest/.tox/tempest/lib/python3.8/site-packages/testtools/testcase.py", line 480, in assertThat
      raise mismatch_error
  testtools.matchers._impl.MismatchError: '0596ea46-0609-4d40-b42a-e24d4882709b' not in ['5bb547c6-e27c-4be9-8599-dcb47b253e3e', '21c2add9-c4ee-40bb-8888-42c408f677a9', '0acc8817-d8ed-44cf-8728-c43cae604c7e']

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1997089/+subscriptions

References

[Bug 1997089] [NEW] With new RBAC enabled (enforce_scope and enforce_new_defaults): some security groups aren't visible for admin user
From: Slawek Kaplonski, 2022-11-18