yahoo-eng-team team mailing list archive

Thread
Date

[Bug 2059236] Re: Add a RBAC action field in the query hooks

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: OpenStack Infra <2059236@xxxxxxxxxxxxxxxxxx>
Date: Wed, 07 Aug 2024 21:50:09 -0000
Reply-to: Bug 2059236 <2059236@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Reviewed:  https://review.opendev.org/c/openstack/neutron/+/915370
Committed: https://opendev.org/openstack/neutron/commit/f22f7ae012e75b34051945fcac29f955861896ab
Submitter: "Zuul (22348)"
Branch:    master

commit f22f7ae012e75b34051945fcac29f955861896ab
Author: Rodolfo Alonso Hernandez <ralonsoh@xxxxxxxxxx>
Date:   Mon Apr 8 22:19:50 2024 +0000

    Use the RBAC actions field for "network" and "subnet"
    
    Since [1], it is possible to define a set of RBAC actions to filter the
    model query. For "network" and "subnet" models, it is needed to add the
    RBAC action "access_as_external" to the query. Instead of adding an
    additional filter (as is now), this patch replaces the default RBAC
    actions used in the model query, adding this extra one.
    
    The neutron-lib library is bumped to version 3.14.0.
    
    [1]https://review.opendev.org/c/openstack/neutron-lib/+/914473
    
    Closes-Bug: #2059236
    Change-Id: Ie3e77e2f812bd5cddf1971bc456854866843d4f3


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2059236

Title:
  Add a RBAC action field in the query hooks

Status in neutron:
  Fix Released

Bug description:
  Any Neutron resource (that is not only a single database table but a
  view, a combination of several tables), can register a set of hooks
  that will be used during the DB query creation [1]. These hooks
  include a query hook (to modify query depending on the database
  relationships), a filter hook (to add extra filtering steps to the
  final query) and a results filter hook (that could be used to join
  other tables with other dependencies).

  This bug proposes to add an extra field to this hooks to be able to
  filter the RBAC actions. Some resources, like networks [2] and subnets
  [3], need to add an extra RBAC action "ACCESS_EXTERNAL" to the query
  filter. This is done now by adding again the same RBAC filter included
  in the ``query_with_hooks`` [4] but with the "ACCESS_EXTERNAL" action.

  If instead of this, the ``query_with_hooks`` can include a
  configurable set of RBAC actions, the result query could be shorter,
  less complex and faster.

  [1]https://github.com/openstack/neutron-lib/blob/625ae19e29758da98c5dd8c9ce03962840a87949/neutron_lib/db/model_query.py#L86-L90
  [2]https://github.com/openstack/neutron/blob/bcf1f707bc9169e8f701613214516e97f039d730/neutron/db/external_net_db.py#L75-L80
  [3]https://review.opendev.org/c/openstack/neutron/+/907313/15/neutron/db/external_net_db.py
  [4]https://github.com/openstack/neutron-lib/blob/625ae19e29758da98c5dd8c9ce03962840a87949/neutron_lib/db/model_query.py#L127-L132

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2059236/+subscriptions

References

[Bug 2059236] [NEW] Add a RBAC action field in the query hooks
From: Rodolfo Alonso, 2024-03-27