yahoo-eng-team team mailing list archive

[Bug 2019946] Re: [S-RBAC] context.elevated() method from neutron-lib should ensure all required roles are set in context object

 

Reviewed:  https://review.opendev.org/c/openstack/neutron-lib/+/883345
Committed: https://opendev.org/openstack/neutron-lib/commit/c5ca1ddf420b827e4684dee6a6495475014a91e3
Submitter: "Zuul (22348)"
Branch:    master

commit c5ca1ddf420b827e4684dee6a6495475014a91e3
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date:   Wed May 17 12:17:17 2023 +0200

    Context.elevated() method sets all required roles for context object
    
    If context should be elevated, it should always have "admin", "member"
    and "reader" roles set, as an admin user always has the "member" and
    "reader" roles as well.
    Usually, when the context is created by keystone it is like that, but in
    some cases, e.g. when the noauth middleware is used instead of keystone,
    it's not like that and then the context from the environment doesn't have
    any role set, so we should make sure that the elevated context has all
    required roles set correctly.
    
    Closes-Bug: #2019946
    Change-Id: Ic70202d1b41ea64ffd63dc910b7852fe75421fa9


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2019946

Title:
  [S-RBAC] context.elevated() method from neutron-lib should ensure all
  required roles are set in context object

Status in neutron:
  Fix Released

Bug description:
  Currently the context.elevated() method just ensures that the "admin" role is set in context.roles. But e.g. when the noauth method pipeline is used in Neutron, the context from environ will not have any role set and it may fail if e.g. some API policy is allowed for "role:reader" (see the qos get_rule_types API policy).
  We should make sure in the context.elevated() method that all roles which the "admin" role implies are there.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2019946/+subscriptions
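
The failure described in the bug, and the behaviour the commit message describes, as an added example that is not neutron-lib or oslo.policy code. Context, elevated_before, elevated_after and check_role are hypothetical stand-ins, and the role-less context is constructed to model what the noauth pipeline leaves behind.

```python
# Added illustration only: these names are hypothetical stand-ins,
# not the neutron-lib Context class or the oslo.policy engine.
import copy
from dataclasses import dataclass, field
from typing import Optional

# Roles that "admin" implies, as listed in the commit message.
ADMIN_IMPLIED_ROLES = ("admin", "member", "reader")


@dataclass
class Context:
    user_id: Optional[str] = None
    roles: list = field(default_factory=list)
    is_admin: bool = False


def elevated_before(ctx):
    """Behaviour described in the bug: only "admin" is ensured."""
    new = copy.deepcopy(ctx)  # never mutate the caller's context
    new.is_admin = True
    if "admin" not in new.roles:
        new.roles.append("admin")
    return new


def elevated_after(ctx):
    """Behaviour described in the fix: every role "admin" implies is ensured."""
    new = copy.deepcopy(ctx)
    new.is_admin = True
    for role in ADMIN_IMPLIED_ROLES:
        if role not in new.roles:
            new.roles.append(role)
    return new


def check_role(rule, ctx):
    """Evaluate one "role:<name>" check string against ctx.roles."""
    kind, _, wanted = rule.partition(":")
    if kind != "role" or not wanted:
        raise ValueError("only role:<name> checks are modelled here")
    return wanted.lower() in (r.lower() for r in ctx.roles)


# Constructed input: a context with no roles, as under the noauth pipeline.
noauth_ctx = Context(user_id="constructed-user")
```

With only "admin" ensured, a "role:reader" check on the elevated context is denied; with all implied roles ensured it passes, and in both variants the original, unelevated context is left untouched.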


