
yahoo-eng-team team mailing list archive

[Bug 2091493] [NEW] Field check does not work for tagging policies

 

Public bug reported:

I use neutron 2023.2 and try to configure a custom rule for the policy:

update_network_tags

The default value is:
update_network_tags: "rule:admin_only or role:member and project_id:%(project_id)s"

I try to use a field check (for example, to prohibit updating tags for
shared networks):

update_network_tags: "rule:admin_only or (role:member and project_id:%(project_id)s and field:networks:shared=False)"

However, it leads to a constant 403 Forbidden answer for a user with the
role member.

It looks like the "target" dictionary does not have enough information
for the specified resource:
https://github.com/openstack/neutron/blob/master/neutron/extensions/tagging.py#L142

Moreover, the same issue (missing resource fields in "target") is relevant
for other tagging policies, like subnet, port, router, floatingip.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2091493


To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2091493/+subscriptions
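
The failure mode the report describes, as an added example (not part of the original report and not neutron's or oslo.policy's code): a simplified model of a field check that fails closed when the field is absent from the target. The function names, the sample targets and the treatment of rule:admin_only as "has the admin role" are assumptions.

```python
# Simplified model of a "field:<resource>:<field>=<value>" policy check.
# Hypothetical names throughout; this is not neutron's implementation.

def parse_field_check(rule):
    """Split 'field:networks:shared=False' into (resource, field, value)."""
    kind, match = rule.split(":", 1)
    if kind != "field":
        raise ValueError("not a field check: %r" % rule)
    resource, field_value = match.split(":", 1)
    field, raw = field_value.split("=", 1)
    # Assumption: boolean literals are converted, anything else stays a string.
    value = {"True": True, "False": False}.get(raw, raw)
    return resource, field, value


def field_check(rule, target):
    """Fail closed: a field that is missing from the target never matches."""
    _, field, expected = parse_field_check(rule)
    if field not in target:
        return False
    return target[field] == expected


def update_network_tags_allowed(creds, target):
    """Model of the custom update_network_tags rule quoted in the report."""
    if "admin" in creds["roles"]:  # assumed meaning of rule:admin_only
        return True
    return ("member" in creds["roles"]
            and creds["project_id"] == target.get("project_id")
            and field_check("field:networks:shared=False", target))


# Constructed sample data. SPARSE_TARGET models a target that carries
# only identifiers, which is what the report suspects the tagging code builds.
MEMBER = {"roles": ["member"], "project_id": "p1"}
ADMIN = {"roles": ["admin"], "project_id": "p0"}
SPARSE_TARGET = {"id": "net-1", "project_id": "p1"}
FULL_TARGET = dict(SPARSE_TARGET, shared=False)
SHARED_TARGET = dict(SPARSE_TARGET, shared=True)

if __name__ == "__main__":
    cases = [("sparse", SPARSE_TARGET), ("full", FULL_TARGET),
             ("shared", SHARED_TARGET)]
    for name, target in cases:
        ok = update_network_tags_allowed(MEMBER, target)
        print(name, "->", "allowed" if ok else "403 Forbidden")
```

In this model the member is denied on the sparse target even though the network is not shared, while the same request passes once the target carries the "shared" field.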