
yahoo-eng-team team mailing list archive

[Bug 2052937] Re: Policy: binding operations are prohibited for service role

 

Reviewed:  https://review.opendev.org/c/openstack/neutron/+/909075
Committed: https://opendev.org/openstack/neutron/commit/a644b3c62bab1ad3f1abb892811c00cf385415f9
Submitter: "Zuul (22348)"
Branch:    master

commit a644b3c62bab1ad3f1abb892811c00cf385415f9
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date:   Thu Feb 15 09:50:27 2024 +0100

    [S-RBAC] Change policies for port's binding:profile field
    
    According to the neutron API-REF [1] port's "binding:profile" field is
    intended to be used for the "machine-machine communication for compute
    services like Nova, Ironic or Zun to pass information to a Neutron
    back-end." so it should be allowed only for the users with the
    SERVICE role granted, not even for ADMIN.
    This patch updates those policies to be available only for SERVICE role
    when new, secure RBAC policies are enabled.
    
    Additionally, this patch updates some policies for create, update and get
    port APIs to make them all work in the same way and allow them for the
    SERVICE users too.
    
    Finally, this new policy for create/update_port:binding:profile has to
    be overwritten in the fullstack tests to be allowed also for admin user.
    It is done by adding custom policy file for the fullstack tests only.
    
    [1] https://docs.openstack.org/api-ref/network/v2/index.html#create-port
    
    Closes-Bug: #2052937
    Change-Id: I5c0094ff21439fe8977cfc623789a09067e6a895


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2052937

Title:
  Policy: binding operations are prohibited for service role

Status in neutron:
  Fix Released

Bug description:
  Create/update port binding:* policies are admin only, which prevents,
  for example, the ironic service user with the service role from managing
  baremetal ports:

  
  "http://192.0.2.10:9292";, "region": "RegionOne"}], "id": "e6e42ef4fc984e71b575150e59a92704", "type": "image", "name": "glance"}]}} get_auth_ref /var/lib/kolla/venv/lib64/python3.9/site-packages/keystoneauth1/identity/v3/base.py:189
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron [None req-6737aef3-c823-4f7c-95ec-1c9f38b14faa a4dbb0dc59024c199843cea86603308b 9fd64a4cbd774756869cb3968de2e9b6 - - default default] Unable to clear binding profile for neutron port 291dbb7b-5cc8-480d-b39d-eb849bcb4a64. Error: ForbiddenException: 403: Client Error for url: http://192.0.2.10:9696/v2.0/ports/291dbb7b-5cc8-480d-b39d-eb849bcb4a64, ((rule:update_port and rule:update_port:binding:host_id) and rule:update_port:binding:profile) is disallowed by policy: openstack.exceptions.ForbiddenException: ForbiddenException: 403: Client Error for url: http://192.0.2.10:9696/v2.0/ports/291dbb7b-5cc8-480d-b39d-eb849bcb4a64, ((rule:update_port and rule:update_port:binding:host_id) and rule:update_port:binding:profile) is disallowed by policy
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron Traceback (most recent call last):
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File "/var/lib/kolla/venv/lib64/python3.9/site-packages/ironic/common/neutron.py", line 130, in unbind_neutron_port
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     update_neutron_port(context, port_id, attrs_unbind, client)
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File "/var/lib/kolla/venv/lib64/python3.9/site-packages/ironic/common/neutron.py", line 109, in update_neutron_port
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     return client.update_port(port_id, **attrs)
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/network/v2/_proxy.py", line 2992, in update_port
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     return self._update(_port.Port, port, if_revision=if_revision, **attrs)
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/proxy.py", line 61, in check
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     return method(self, expected, actual, *args, **kwargs)
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/network/v2/_proxy.py", line 202, in _update
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     return res.commit(self, base_path=base_path, if_revision=if_revision)
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/resource.py", line 1803, in commit
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     return self._commit(
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/resource.py", line 1848, in _commit
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     self._translate_response(response, has_body=has_body)
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/resource.py", line 1287, in _translate_response
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     exceptions.raise_from_response(response, error_message=error_message)
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron   File "/var/lib/kolla/venv/lib64/python3.9/site-packages/openstack/exceptions.py", line 250, in raise_from_response
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron     raise cls(
  2024-02-12 11:44:57.848 7 ERROR ironic.common.neutron openstack.exceptions.ForbiddenException: ForbiddenException: 403: Client Error for url: http://192.0.2.10:9696/v2.0/ports/291dbb7b-5cc8-480d-b39d-eb849bcb4a64, ((rule:update_port and rule:update_port:binding:host_id) and rule:update_port:binding:profile) is disallowed by policy
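To make the denial in the traceback above concrete, here is a toy evaluator for oslo.policy-style check strings, added here as an example; it is not neutron's or oslo.policy's code. The rule names are the ones quoted in the 403 message; the LEGACY and SECURE_RBAC check strings are constructed, simplified stand-ins for neutron's real policy defaults, and the evaluator handles only role:/rule: checks joined by and/or with parentheses.

```python
import re

# Constructed, simplified stand-ins for neutron's policy file: LEGACY keeps
# binding:profile admin-only; SECURE_RBAC restricts it to the SERVICE role.
LEGACY = {
    "update_port": "role:admin or role:service or role:member",
    "update_port:binding:host_id": "role:admin or role:service",
    "update_port:binding:profile": "role:admin",
}
SECURE_RBAC = dict(LEGACY, **{"update_port:binding:profile": "role:service"})
# The compound check quoted in the 403 above.
BINDING_UPDATE = ("(rule:update_port and rule:update_port:binding:host_id)"
                  " and rule:update_port:binding:profile")
TOKEN = re.compile(r"\(|\)|[^\s()]+")


def evaluate(check, policy, roles):
    # Recursive descent over role:x / rule:y, and/or, parentheses; 'and' binds tighter.
    toks, pos = TOKEN.findall(check), 0

    def atom():
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if tok == "(":
            value, pos = expr(), pos + 1   # the +1 consumes the ')'
            return value
        kind, _, name = tok.partition(":")
        if kind == "role":
            return name in roles
        if kind == "rule":                 # named rule: recurse into the table
            return evaluate(policy[name], policy, roles)
        raise ValueError("unsupported check: " + tok)

    def term():                            # a and b and c
        nonlocal pos
        value = atom()
        while pos < len(toks) and toks[pos] == "and":
            pos += 1
            value = atom() and value
        return value

    def expr():                            # term or term
        nonlocal pos
        value = term()
        while pos < len(toks) and toks[pos] == "or":
            pos += 1
            value = term() or value
        return value
    return expr()


def port_binding_update_allowed(policy, roles):
    """True if a caller holding these roles passes the binding update check."""
    return evaluate(BINDING_UPDATE, policy, set(roles))
```

With LEGACY a caller holding only the service role is refused, which is the 403 ironic logged; with SECURE_RBAC the service role passes and admin alone no longer does.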

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2052937/+subscriptions
