
yahoo-eng-team team mailing list archive

[Bug 2066369] Re: Validation of the auto allocated topology for member/reader user don't works with new S-RBAC policies


Reviewed:  https://review.opendev.org/c/openstack/neutron/+/920174
Committed: https://opendev.org/openstack/neutron/commit/dfc01beab22f1c2b977d3e399c3fcda69a72082d
Submitter: "Zuul (22348)"
Branch:    master

commit dfc01beab22f1c2b977d3e399c3fcda69a72082d
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date:   Wed May 22 15:28:05 2024 +0200

    Return both project_id when validating auto allocate network

    When neutron API is called to check requirements for the auto_allocate
    topology, it needs to return not only 'tenant_id' field but also
    'project_id' as that is required for the policy enforcement.
    Without this 'project_id' field requirements check was failing for
    member and reader users as they got 404 from the Neutron API. And the
    reason why Neutron was returning 404 was that it wasn't passing policy
    enforcement due to missing project_id field in the 'target' object.

    Closes-bug: #2066369
    Change-Id: Idf96a82bc6c8cb0b47dfde3baba94b42a8a8beba

** Changed in: neutron
       Status: In Progress => Fix Released

You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.

  Validation of the auto allocated topology for member/reader user don't
  works with new S-RBAC policies

Status in neutron:
  Fix Released

Bug description:
  Due to missing 'project_id' field in the response generated by the
  AutoAllocatedTopologyMixin.get_auto_allocated_topology method when
  'dry-run' is called, the response sent to the user is 404 as it doesn't
  pass policy enforcement.

  We need to add both 'project_id' and 'tenant_id' fields there.

  There is no problem with that when admin user runs this validation
  from the API. We found it by running test
  is passing in our downstream CI job where this test was failing for us

  In u/s CI jobs which enforce the new defaults (neutron_tempest_plugin jobs) we don't run this test, and that's why we did not catch it there.
  In jobs like tempest-integrated-networking we skip this test because a shared network is found, and apparently this is a reason to skip it there too.

  We can cover this by adding a simple API test in the
  neutron_tempest_plugin.api tests to just call

  curl -g -i -X GET
  allocated-topology/57bea41fe8f34eee8ba1cc26359fc08a?fields=dry-run -H
  "User-Agent: openstacksdk/3.1.0 keystoneauth1/5.6.0
  python-requests/2.31.0 CPython/3.10.12" -H "X-Auth-Token:

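Added example (not Neutron or oslo.policy code, and not part of the original message): a simplified model of the failure described in the commit message, where a project-scoped check cannot pass when the 'target' has only 'tenant_id', so member/reader users get 404 while admin is unaffected. The rule shape, all function names and the sample identities are assumptions made for illustration.

```python
# Simplified model of a project-scoped policy check. Assumption: the rule has
# the shape "admin, or reader role AND project_id:%(project_id)s".
# Not oslo.policy or Neutron code; all names here are hypothetical.

def generic_check(match, target, creds, key):
    """Mimic a 'key:%(field)s' check: a field missing from target fails."""
    try:
        expected = match % target
    except KeyError:
        return False  # target lacks the field, so the check cannot pass
    return str(creds.get(key)) == expected


def is_authorized(creds, target):
    if "admin" in creds["roles"]:
        return True  # the admin branch never consults the target
    return ("reader" in creds["roles"]
            and generic_check("%(project_id)s", target, creds, "project_id"))


def dry_run_response(project, with_project_id):
    """Build the dry-run result as it looks before and after the fix."""
    res = {"id": "constructed-id", "tenant_id": project}
    if with_project_id:
        res["project_id"] = project  # the field the fix adds
    return res


def api_get(creds, project, with_project_id):
    """Return an HTTP status; a failed policy check on GET surfaces as 404."""
    target = dry_run_response(project, with_project_id)
    return 200 if is_authorized(creds, target) else 404


# Constructed sample identities (not taken from the bug report).
PROJECT = "project-a"
admin = {"roles": ["admin"], "project_id": "other"}
member = {"roles": ["member", "reader"], "project_id": PROJECT}
outsider = {"roles": ["reader"], "project_id": "project-b"}

if __name__ == "__main__":
    for name, creds in (("admin", admin), ("member", member),
                        ("outsider", outsider)):
        print(name, "before fix:", api_get(creds, PROJECT, False),
              "after fix:", api_get(creds, PROJECT, True))
```

The outsider case shows that adding 'project_id' to the target does not loosen the check: a reader from another project is still refused.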