
yahoo-eng-team team mailing list archive

[Bug 2037002] Re: Reader can update object tag

 

Reviewed:  https://review.opendev.org/c/openstack/neutron/+/896509
Committed: https://opendev.org/openstack/neutron/commit/f9b91289a5c2948429e69e1b58098cec846fba99
Submitter: "Zuul (22348)"
Branch:    master

commit f9b91289a5c2948429e69e1b58098cec846fba99
Author: Rodolfo Alonso Hernandez <ralonsoh@xxxxxxxxxx>
Date:   Tue Sep 26 08:03:19 2023 +0000

    Add policy enforcer for "tags" service plugin
    
    The following resources have been updated with new policies for
    tags:
    * Port
    * Subnet
    * Network
    * Router
    * FloatingIP
    * NetworkSegmentRange
    * NetworkSegment
    * SecurityGroup
    * Trunk
    * Subnetpool
    
    The admin can now enforce specific policies for the resource tags
    for the creation, update and deletion actions.
    
    NOTE: a follow-up patch, with a new Launchpad bug reference, will
          be created to move the ``Tagging`` class from
          ``ExtensionDescriptor`` to ``APIExtensionDescriptor``, and
          refactor the ``TaggingController`` to be a standard
          ``neutron.api.v2.base.Controller``. Any API resource using
          the second controller will use the path used by the wsgi
          hooks, in particular the policy hook. That will make it unnecessary
          to manually call the ``policy.enforce`` method from the
          extension class methods.
    
    Closes-Bug: #2037002
    Change-Id: I9f3e032739824f268db74c5a1b4f04d353742dbd


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2037002

Title:
  Reader can update object tag

Status in neutron:
  Fix Released

Bug description:
  Update of Neutron object tags ignores the policies for this object's update.
  So, a reader user can update tags for all objects of his project.

  Reproduced on Devstack - Yoga. Newer releases up to master have no
  changes here, so they should also be affected.

  Steps to reproduce:
  All operations are in the default alt_demo project, which has all needed users provisioned by default.

  1. Create a network object, e.g. a floating IP, using the alt_demo user (as project admin)
  2. Re-login as alt_demo_reader and try to update tags for this floating IP

  Tags are updated successfully, but the reader user has no rights for
  floating IP update: the "update_floatingip" policy is enabled for at least
  member.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2037002/+subscriptions
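The following is an added illustration, not code from Neutron or from the fix commit above. It models the gap the report describes and the remedy the commit message outlines: a tag sub-resource handler that never consults the parent resource's policy lets a reader rewrite tags, while a handler that enforces a tag-update rule before mutating denies the reader and still admits a member. The enforcer is a deliberately tiny stand-in for oslo.policy, the role ranking (admin > member > reader) is an assumption, and the rule name "update_floatingip:tags" is an assumed label for the per-resource tag policy, not Neutron's actual rule name; "update_floatingip" is the rule the bug report itself cites.

```python
"""Model of the bug 2037002 policy gap (illustrative, not Neutron code).

A tiny role-based enforcer stands in for oslo.policy, and two versions of
a tag-update handler show the reported behaviour: the unenforced one lets a
reader change tags; the enforced one checks the resource's tag-update
policy first, as the fix commit describes.
"""
from dataclasses import dataclass, field

# Assumed role hierarchy for the example: admin > member > reader.
ROLE_RANK = {"reader": 0, "member": 1, "admin": 2}

# Constructed policy table. "update_floatingip" is the rule the bug report
# names; "update_floatingip:tags" is an assumed name for the per-resource
# tag policy the fix introduces (the real rule names live in Neutron's
# policy definitions, not here).
POLICIES = {
    "get_floatingip": "reader",
    "update_floatingip": "member",
    "update_floatingip:tags": "member",
}


class PolicyNotAuthorized(Exception):
    """Raised when the caller's roles or project do not satisfy a rule."""


@dataclass(frozen=True)
class Context:
    user: str
    project_id: str
    roles: frozenset


@dataclass
class FloatingIP:
    id: str
    project_id: str
    tags: set = field(default_factory=set)


def enforce(ctx, action, target):
    """Deny unless the caller owns the target's project and holds a role at
    least as strong as the one the policy table demands for `action`."""
    required = POLICIES[action]
    if target.project_id != ctx.project_id:
        raise PolicyNotAuthorized(f"{ctx.user}: {action} on foreign project")
    strongest = max((ROLE_RANK[r] for r in ctx.roles if r in ROLE_RANK), default=-1)
    if strongest < ROLE_RANK[required]:
        raise PolicyNotAuthorized(f"{ctx.user}: {action} needs {required}")


def update_tags_unenforced(ctx, fip, tags):
    """The buggy path: the tag sub-resource replaces tags with no policy
    check, so the parent's update_floatingip rule is never consulted."""
    fip.tags = set(tags)
    return fip


def update_tags_enforced(ctx, fip, tags):
    """The fixed path: enforce the resource's tag-update rule before mutating."""
    enforce(ctx, "update_floatingip:tags", fip)
    fip.tags = set(tags)
    return fip


def attempt(handler, ctx, fip, tags):
    """Return True if the handler accepted the update, False if policy denied it."""
    try:
        handler(ctx, fip, tags)
        return True
    except PolicyNotAuthorized:
        return False


# Constructed users mirroring the report's alt_demo project.
ALT_DEMO_MEMBER = Context("alt_demo", "alt_demo", frozenset({"member"}))
ALT_DEMO_READER = Context("alt_demo_reader", "alt_demo", frozenset({"reader"}))


def reproduce():
    """Replay the report's two steps against both handlers and summarise."""
    return {
        "reader_updates_tags_unenforced": attempt(
            update_tags_unenforced, ALT_DEMO_READER, FloatingIP("fip-1", "alt_demo"), {"red"}),
        "reader_updates_tags_enforced": attempt(
            update_tags_enforced, ALT_DEMO_READER, FloatingIP("fip-1", "alt_demo"), {"red"}),
        "member_updates_tags_enforced": attempt(
            update_tags_enforced, ALT_DEMO_MEMBER, FloatingIP("fip-1", "alt_demo"), {"red"}),
    }


if __name__ == "__main__":
    for check, outcome in reproduce().items():
        print(f"{check}: {'allowed' if outcome else 'denied'}")
```

The point the model makes is the one the commit's NOTE also makes: a sub-resource served by a non-standard controller sits outside the WSGI policy hook, so either the extension calls the enforcer itself on every mutating path or it is refactored onto the standard controller so the hook runs for it. On a real deployment the equivalent check is to repeat the report's two steps as alt_demo_reader after upgrading and confirm the tag update is now rejected.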
