yahoo-eng-team team mailing list archive

Thread
Date

[Bug 2066369] [NEW] Validation of the auto allocated topology for member/reader user don't works with new S-RBAC policies

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Slawek Kaplonski <2066369@xxxxxxxxxxxxxxxxxx>
Date: Wed, 22 May 2024 12:49:39 -0000
Reply-to: Bug 2066369 <2066369@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Public bug reported:

Due to missing 'project_id' field in the response generated by the
AutoAllocatedTopologyMixin.get_auto_allocated_topology method when 'dry-
run' is called, response send to the user is 404 as it don't pass policy
enforcement.

We need to add both 'project_id' and 'tenant_id' fields there.

There is no problem with that when admin user runs this validation from
the API. We found it by running test
tempest.api.compute.admin.test_auto_allocate_network.AutoAllocateNetworkTest.test_server_multi_create_auto_allocate
is passing in our downstream CI job where this test was failing for us
always.

In u/s ci jobs which are using enforcing of new defaults (neutron_tempest_plugin) jobs we don't run this test and that's why we did not catch it there.
In jobs like tempest-integrated-networking we skip this test because there is shared network found and apparently this is reason to skip it there too.

We can cover this by adding simple api test in the
neutron_tempest_plugin.api tests to just call

curl -g -i -X GET http://10.120.0.40:9696/networking/v2.0/auto-
allocated-topology/57bea41fe8f34eee8ba1cc26359fc08a?fields=dry-run -H
"User-Agent: openstacksdk/3.1.0 keystoneauth1/5.6.0 python-
requests/2.31.0 CPython/3.10.12" -H "X-Auth-Token:
{SHA256}5a03508585ca03c6f127d8e052f2680778255e743345c660b9128929e22494c3"

** Affects: neutron
     Importance: High
     Assignee: Slawek Kaplonski (slaweq)
         Status: Confirmed


** Tags: api

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2066369

Title:
  Validation of the auto allocated topology for member/reader user don't
  works with new S-RBAC policies

Status in neutron:
  Confirmed

Bug description:
  Due to missing 'project_id' field in the response generated by the
  AutoAllocatedTopologyMixin.get_auto_allocated_topology method when
  'dry-run' is called, response send to the user is 404 as it don't pass
  policy enforcement.

  We need to add both 'project_id' and 'tenant_id' fields there.

  There is no problem with that when admin user runs this validation
  from the API. We found it by running test
  tempest.api.compute.admin.test_auto_allocate_network.AutoAllocateNetworkTest.test_server_multi_create_auto_allocate
  is passing in our downstream CI job where this test was failing for us
  always.

  In u/s ci jobs which are using enforcing of new defaults (neutron_tempest_plugin) jobs we don't run this test and that's why we did not catch it there.
  In jobs like tempest-integrated-networking we skip this test because there is shared network found and apparently this is reason to skip it there too.

  We can cover this by adding simple api test in the
  neutron_tempest_plugin.api tests to just call

  curl -g -i -X GET http://10.120.0.40:9696/networking/v2.0/auto-
  allocated-topology/57bea41fe8f34eee8ba1cc26359fc08a?fields=dry-run -H
  "User-Agent: openstacksdk/3.1.0 keystoneauth1/5.6.0 python-
  requests/2.31.0 CPython/3.10.12" -H "X-Auth-Token:
  {SHA256}5a03508585ca03c6f127d8e052f2680778255e743345c660b9128929e22494c3"

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2066369/+subscriptions

Follow ups

[Bug 2066369] Re: Validation of the auto allocated topology for member/reader user don't works with new S-RBAC policies
From: OpenStack Infra, 2024-05-24