← Back to team overview

yahoo-eng-team team mailing list archive

  1. yahoo-eng-team team
  2. Mailing list archive
  3. Message #91701

[Bug 2015987] Re: neutron-lib's get_admin_context() function returns wrong context when new policies are used

  Thread PreviousDate PreviousThread Next 
Reviewed:  https://review.opendev.org/c/openstack/neutron-lib/+/880143
Committed: https://opendev.org/openstack/neutron-lib/commit/09af59caa93e23447c164b480f6f0f4ec865842c
Submitter: "Zuul (22348)"
Branch:    master

commit 09af59caa93e23447c164b480f6f0f4ec865842c
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date:   Wed Apr 12 12:02:49 2023 +0200

    Return properly elevated context by get_admin_context() helper
    
    In neutron_lib.context module there are two simple helper functions:
    get_admin_context and get_admin_context_without_session.
    Both returned Context object with is_admin=True but without admin role
    set and due to that it wasn't proper admin context when new secure RBAC
    policies are used.
    With this patch both those helper functions returns properly elevated
    Context object with admin role set.
    
    Closes-Bug: #2015987
    Change-Id: Ibde6acdb99555a6e43ca253523df7cbe4d150787


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2015987

Title:
  neutron-lib's get_admin_context() function returns wrong context when
  new policies are used

Status in neutron:
  Fix Released

Bug description:
  In neutron.context module there are get_admin_context() and
  get_admin_context_without_session() helper functions [1]. Both are
  creating instance of Context class with is_admin=True but when new
  policies are used, admin context is when it has role "admin" in roles
  [1].

  This is causing issues in some cases as get_admin_context don't really
  returns something what new policies treats as admin context.

  [1] https://github.com/openstack/neutron-
  lib/blob/c5413d56b6db63a59280b528f66f1b343c684091/neutron_lib/context.py#L178

  [2]
  https://github.com/openstack/neutron/blob/fe9c321fd880c3a2fd3c669ce017d0e625306325/neutron/conf/policies/base.py#L49

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2015987/+subscriptions

References

  Thread PreviousDate PreviousThread Next