yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #90554
[Bug 1534954] Re: policy rule for update_port is inconsistent
Bug closed due to lack of activity, please feel free to reopen if
needed.
** Changed in: neutron
Status: Confirmed => Won't Fix
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1534954
Title:
policy rule for update_port is inconsistent
Status in neutron:
Won't Fix
Bug description:
For user from a common tenant, per [1]
https://github.com/openstack/neutron/blob/master/etc/policy.json#L77 ,
seems network owner shouldn't have privilege to update port on her/his
network if she/he is not port owner.
But per [2]
https://github.com/openstack/neutron/blob/master/etc/policy.json#L78-L85
, seems network owner still have chance to update port attributes such
as device_owner, fixed_ips, port_security_enabled,
mac_learning_enabled, allowed_address_pairs.
This is inconsistent, per [1], policy rule
"rule:admin_or_network_owner" in [2] should be updated.
For example:
If a network owner want to change tenant user port fixed_ip, by looking at rule:
"update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc" (one rule in [2])
she/he may think policy can allow this, for she/he is network owner.
But after she/he tries that, will get privilege denied as result, for rule:
"update_port": "rule:admin_or_owner or rule:context_is_advsvc" ([1])
this is confused.
## updated @ 2016-01-19
What's more. Let's use port attribute fixed_ips to discuss, and with tenant-A give tenant-B privilege to do, like adding rbac rule for tenant-B. And currently tenant-A has network net-A which has rbac action access_as_shared for tenant-B:
* when tenant-B user try to create a port on net-A without any attributes specified, that's OK, nothing error or exception will raise. But when later when tenant-B user try to update that port fixed_ips, message endswith "disallowed by policy" will raise. Maybe for policy rule:
"update_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc"
And even network owner, tenant-A also cannot update that port fixed_ips, tenant-A user will get return message "The resource could not be found."
* when tenant-B user try to create a port with specified fixed_ips, message endswith "disallowed by policy" will return. This is defined by policy rule:
"create_port:fixed_ips": "rule:admin_or_network_owner or rule:context_is_advsvc"
So currently, neither port owner/tenant-B nor network owner/tenant-A
can update the port fixed_ips. (Please ignore admin here, admin can do
anything she/he want)
I checked history for policy.json on update_port section, and I found
https://review.openstack.org/#/c/9845. After glance, seems people put
more focus on port creating not updating.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1534954/+subscriptions
References