yahoo-eng-team team mailing list archive
Message #94024
[Bug 2066369] Re: Validation of the auto allocated topology for member/reader user don't works with new S-RBAC policies
Reviewed: https://review.opendev.org/c/openstack/neutron/+/920174
Committed: https://opendev.org/openstack/neutron/commit/dfc01beab22f1c2b977d3e399c3fcda69a72082d
Submitter: "Zuul (22348)"
Branch: master
commit dfc01beab22f1c2b977d3e399c3fcda69a72082d
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date: Wed May 22 15:28:05 2024 +0200
Return both project_id when validating auto allocate network
When neutron API is called to check requirements for the auto_allocate
topology, it needs to return not only 'tenant_id' field but also
'project_id' as that is required for the policy enforcement.
Without this 'project_id' field requirements check was failing for
member and reader users as they got 404 from the Neutron API. And the
reason why Neutron was returning 404 was that it wasn't passing policy
enforcement due to missing project_id field in the 'target' object.
Closes-bug: #2066369
Change-Id: Idf96a82bc6c8cb0b47dfde3baba94b42a8a8beba
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2066369
Title:
Validation of the auto allocated topology for member/reader user don't
works with new S-RBAC policies
Status in neutron:
Fix Released
Bug description:
Due to the missing 'project_id' field in the response generated by the
AutoAllocatedTopologyMixin.get_auto_allocated_topology method when
'dry-run' is called, the response sent to the user is 404 as it doesn't pass
policy enforcement.
We need to add both 'project_id' and 'tenant_id' fields there.
There is no problem with that when admin user runs this validation
from the API. We found it by running test
tempest.api.compute.admin.test_auto_allocate_network.AutoAllocateNetworkTest.test_server_multi_create_auto_allocate
is passing in our downstream CI job where this test was failing for us
always.
In u/s CI jobs which enforce the new defaults (neutron_tempest_plugin jobs) we don't run this test and that's why we did not catch it there.
In jobs like tempest-integrated-networking we skip this test because there is a shared network found and apparently this is a reason to skip it there too.
We can cover this by adding simple api test in the
neutron_tempest_plugin.api tests to just call
  curl -g -i -X GET http://10.120.0.40:9696/networking/v2.0/auto-allocated-topology/57bea41fe8f34eee8ba1cc26359fc08a?fields=dry-run \
    -H "User-Agent: openstacksdk/3.1.0 keystoneauth1/5.6.0 python-requests/2.31.0 CPython/3.10.12" \
    -H "X-Auth-Token: {SHA256}5a03508585ca03c6f127d8e052f2680778255e743345c660b9128929e22494c3"
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2066369/+subscriptions
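Added example (not part of the original message and not neutron's or oslo.policy's code): a simplified Python model of why a policy target without 'project_id' yields 404 for member/reader callers but not for admin. The rule owner_or_admin, the NotFound class, the helper names and the project ids are assumptions made for illustration.

```python
# Simplified model of the failure described in this bug report.
# Assumption: the policy rule is "caller is admin, or the caller's project
# matches target['project_id']". Neutron's real rules are not reproduced here.

class NotFound(Exception):
    """Stands in for the HTTP 404 returned when a GET fails policy enforcement."""


def owner_or_admin(creds, target):
    """Hypothetical rule check against the policy target."""
    if "admin" in creds["roles"]:
        return True
    # A target that lacks 'project_id' can never match the caller's project,
    # even when 'tenant_id' carries the same value.
    return target.get("project_id") == creds["project_id"]


def dry_run_response(project_id, include_project_id):
    """Build the dry-run result; the response dict is also the policy target."""
    response = {"tenant_id": project_id}
    if include_project_id:
        response["project_id"] = project_id
    return response


def api_get(creds, response):
    """Enforce policy on the response, hiding the resource on failure."""
    if not owner_or_admin(creds, response):
        raise NotFound()
    return response


def status_for(creds, response):
    """Return the HTTP status a caller would observe."""
    try:
        api_get(creds, response)
        return 200
    except NotFound:
        return 404


# Constructed sample credentials (project ids are placeholders).
MEMBER = {"roles": ["member"], "project_id": "project-a"}
READER = {"roles": ["reader"], "project_id": "project-a"}
ADMIN = {"roles": ["admin"], "project_id": "project-admin"}

if __name__ == "__main__":
    before = dry_run_response("project-a", include_project_id=False)
    after = dry_run_response("project-a", include_project_id=True)
    for name, creds in (("member", MEMBER), ("reader", READER), ("admin", ADMIN)):
        print(name, "before:", status_for(creds, before), "after:", status_for(creds, after))
```

A regression test along these lines has to run with member or reader credentials; an admin-only run passes both before and after the change.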