
yahoo-eng-team team mailing list archive

[Bug 2018989] Re: [SRBAC] FIP Port Forwarding policies should be available for PARENT_OWNER with proper role

Reviewed:  https://review.opendev.org/c/openstack/neutron/+/882691
Committed: https://opendev.org/openstack/neutron/commit/4edff4fe8dff102f13e3da0a000c03538755337d
Submitter: "Zuul (22348)"
Branch:    master

commit 4edff4fe8dff102f13e3da0a000c03538755337d
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date:   Tue May 9 12:54:28 2023 +0200

    [S-RBAC] Fix new policies for FIP PFs APIs
    
    During the transition to the new secure RBAC API policies, we made a mistake
    with the policies for FIP PFs by defining them to be available for
    ADMIN_OR_PROJECT_MEMBER/READER or the FIP owner.
    First, the rule PROJECT_MEMBER/READER is not appropriate in this case, as FIP PFs
    don't have a tenant_id attribute at all and always belong to the owner of the FIP.
    The second issue was that any FIP owner, even with just the READER role, could possibly
    e.g. create a port forwarding.
    
    To fix that, this patch changes those API policies to new rules:
    ADMIN_OR_PARENT_OWNER_READER
    ADMIN_OR_PARENT_OWNER_MEMBER
    
    Closes-Bug: #2018989
    Change-Id: Ibff4c4f5b6d020fd598831a8a6e8ec0e2f559005


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2018989

Title:
  [SRBAC] FIP Port Forwarding policies should be available for
  PARENT_OWNER with proper role

Status in neutron:
  Fix Released

Bug description:
  Currently new S-RBAC policies for FIP port forwardings are defined as

      policy_or(ADMIN_OR_PROJECT_MEMBER, RULE_PARENT_OWNER)

  this isn't correct, as FIP PF resources don't have a project_id attribute
  and always belong to the owner of the FIP. It's a very similar issue to
  what we have with QoS rules and what was reported in
  https://bugs.launchpad.net/neutron/+bug/2018727

  To fix that we need to use policies like ADMIN_OR_PARENT_OWNER_MEMBER
  to allow e.g. creation of a FIP PF by the owner of the FIP with the correct
  role assigned.
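The difference between the two policy shapes is easiest to see by evaluating them side by side. The following is an added example written for this page, not code from Neutron or from the patch: it is a small hand-rolled stand-in for oslo.policy that models the rule names used in the bug (ADMIN_OR_PROJECT_MEMBER, RULE_PARENT_OWNER, ADMIN_OR_PARENT_OWNER_MEMBER/READER) as Python callables. The rule bodies, the Context/Target classes and the assumed Keystone implied-role chain (admin implies member implies reader) are this example's assumptions, not Neutron's definitions. The "before" rule lets any FIP owner create a port forwarding regardless of role, while the "after" rule requires the member role for create and the reader role for read.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed Keystone default implied roles: admin -> member -> reader.
# Expanded explicitly so the rules below can test role membership directly.
IMPLIED = {
    "admin": {"admin", "member", "reader"},
    "member": {"member", "reader"},
    "reader": {"reader"},
}


@dataclass(frozen=True)
class Context:
    """The caller: which project the token is scoped to and which roles it holds."""
    project_id: str
    roles: frozenset


def make_context(project_id: str, role: str) -> Context:
    return Context(project_id, frozenset(IMPLIED[role]))


@dataclass(frozen=True)
class Target:
    """Attributes available when a port-forwarding request is checked."""
    # project owning the parent floating IP (the "ext_parent" in the bug's terms)
    parent_project_id: str
    # a port forwarding has no project_id of its own, which is the bug's point
    project_id: Optional[str] = None


Rule = Callable[[Context, Target], bool]

ADMIN: Rule = lambda ctx, t: "admin" in ctx.roles
MEMBER: Rule = lambda ctx, t: "member" in ctx.roles
READER: Rule = lambda ctx, t: "reader" in ctx.roles
# project-scoped check: can only match when the target itself carries a project_id
PROJECT_MATCH: Rule = lambda ctx, t: t.project_id is not None and t.project_id == ctx.project_id
# owner-of-parent check: compares against the parent FIP's project, no role involved
PARENT_OWNER: Rule = lambda ctx, t: t.parent_project_id == ctx.project_id


def policy_or(*rules: Rule) -> Rule:
    return lambda ctx, t: any(r(ctx, t) for r in rules)


def policy_and(*rules: Rule) -> Rule:
    return lambda ctx, t: all(r(ctx, t) for r in rules)


# Modelled rules (assumed shapes, named after the bug's rule names).
ADMIN_OR_PROJECT_MEMBER = policy_or(ADMIN, policy_and(MEMBER, PROJECT_MATCH))

# Before the fix: policy_or(ADMIN_OR_PROJECT_MEMBER, RULE_PARENT_OWNER).
# PROJECT_MATCH never fires for a PF (no project_id), so the decision for a
# non-admin collapses to the bare parent-owner check, with no role requirement.
WEAK_CREATE = policy_or(ADMIN_OR_PROJECT_MEMBER, PARENT_OWNER)

# After the fix: the owner check is combined with an explicit role check.
ADMIN_OR_PARENT_OWNER_MEMBER = policy_or(ADMIN, policy_and(MEMBER, PARENT_OWNER))
ADMIN_OR_PARENT_OWNER_READER = policy_or(ADMIN, policy_and(READER, PARENT_OWNER))


def decisions(ctx: Context, target: Target) -> dict:
    """Evaluate create (before/after the fix) and read (after) for one caller."""
    return {
        "create_before_fix": WEAK_CREATE(ctx, target),
        "create_after_fix": ADMIN_OR_PARENT_OWNER_MEMBER(ctx, target),
        "get_after_fix": ADMIN_OR_PARENT_OWNER_READER(ctx, target),
    }


if __name__ == "__main__":
    # Constructed scenario: the FIP belongs to project "proj-a".
    fip_pf = Target(parent_project_id="proj-a")
    callers = {
        "reader in proj-a": make_context("proj-a", "reader"),
        "member in proj-a": make_context("proj-a", "member"),
        "member in proj-b": make_context("proj-b", "member"),
        "admin in proj-b": make_context("proj-b", "admin"),
    }
    for who, ctx in callers.items():
        print(f"{who:18s} {decisions(ctx, fip_pf)}")
```

The line to look at is the reader in the FIP's own project: under the old rule the create decision is True, because RULE_PARENT_OWNER checks ownership only, while the fixed rule denies create and still permits read. The member in another project is denied in both shapes, which shows that the old rule was not wide open, just role-blind for the owner.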

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2018989/+subscriptions
