
yahoo-eng-team team mailing list archive

[Bug 2091493] Re: Field check does not work for tagging policies


Reviewed:  https://review.opendev.org/c/openstack/neutron/+/938135
Committed: https://opendev.org/openstack/neutron/commit/d2a3654e0184c6f8ba19e053fe0177ca2792f37b
Submitter: "Zuul (22348)"
Branch:    master

commit d2a3654e0184c6f8ba19e053fe0177ca2792f37b
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date:   Fri Dec 20 16:14:30 2024 +0100

    Make API policies for tags work with resource attributes
    
    This patch changes the API policies for tags added with [1]. Previously
    only the parent's id was passed as "target" to the policy.enforce()
    function, not the whole parent dictionary. Because of that, policies
    related to tags couldn't match on the parent's attributes, e.g. a
    network's "shared" attribute.
    This patch changes that so that now the dict with all attributes
    potentially used by the API policies is passed as target to
    policy.enforce().
    
    Additionally this patch changes names of the actions related to the tags
    in the API policy rules. Patch [1] introduced names like
    "<action>_<resource_plural_name>_tags", for example
    "update_networks_tags". This patch changes that to the pattern
    "<action>_<resource_singular>:tags", for example: "update_network:tags"
    as this is now consistent with all other actions and attributes in the
    API policies in Neutron APIs.
    
    Finally it also renames "parent" to "obj" in the tagging extension so
    that resources like e.g. network or port are not treated as the parent
    of the tag. A tag is more like an attribute of that resource, not a
    child resource of it.
    
    [1] https://review.opendev.org/c/openstack/neutron/+/935883
    
    Closes-bug: #2091493
    Change-Id: I665ed178e4a2e01d7f94cac6b9d3b482c3ed17a8


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2091493

Title:
  Field check does not work for tagging policies

Status in neutron:
  Fix Released

Bug description:
  I use neutron 2023.2 and try to configure a custom rule for the policy:

  update_network_tags

  Default value is :
  update_network_tags: "rule:admin_only or role:member and project_id:%(project_id)s"

  I try to use a field check (for example, to prohibit updating tags for
  shared networks):

  update_network_tags: "rule:admin_only or (role:member and
  project_id:%(project_id)s and field:networks:shared=False)"

  However, it leads to a constant 403 Forbidden answer for a user with the
  role member.

  It looks like the "target" dictionary does not have enough information
  for the specified resource:
  https://github.com/openstack/neutron/blob/master/neutron/extensions/tagging.py#L142

  Moreover, the same issue (missing resource fields in "target") is
  relevant for other tagging policies, like subnet, port, router,
  floatingip.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2091493/+subscriptions
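The failure the reporter describes, as an added example that is not code from Neutron or oslo.policy: a simplified stand-in for the policy checks involved (`role:`, `rule:`, a generic `project_id:%(project_id)s` match and Neutron's `field:` check), run with the reporter's rule against the target the tagging extension passed before the fix (only the resource id) and against the whole network dict it passes after it. The attribute conversion table, the credential layout, the constructed network dicts and the post-fix action name are assumptions made for this example.

```python
"""Why a field: check in a tag policy needs the resource attributes in the
enforce() target.  Simplified stand-in written for this example, not Neutron's
or oslo.policy's code; conversions, credentials and rule name are assumed."""
import re

# Assumed attribute map: literals for these fields are compared as booleans.
BOOLEAN_ATTRS = {("networks", "shared"), ("networks", "router:external")}

def _convert(resource, field, literal):
    if (resource, field) in BOOLEAN_ATTRS:
        return literal.lower() == "true"
    return literal

def field_check(match):
    """field:<resource>:<attr>=<literal> -> target[attr] == literal (or ~regex)."""
    resource, rest = match.split(":", 1)
    field, literal = rest.split("=", 1)
    regex = re.compile(literal[1:]) if literal.startswith("~") else None
    value = _convert(resource, field, literal)

    def check(target, creds):
        # The line the bug is about: with target == {"id": ...} the attribute
        # is absent, so the check can never pass.
        if field not in target:
            return False
        if regex:
            return bool(regex.match(str(target[field])))
        return target[field] == value
    return check

def make_check(token):
    kind, match = token.split(":", 1)
    if kind == "role":
        return lambda target, creds: match in creds.get("roles", ())
    if kind == "rule":
        return lambda target, creds: evaluate(RULES[match], target, creds)
    if kind == "field":
        return field_check(match)

    def generic(target, creds):  # e.g. project_id:%(project_id)s
        try:
            return str(creds.get(kind)) == match % target
        except KeyError:  # target lacks the field -> no match
            return False
    return generic

def parse_rule(text):
    """'a and b or (c and d)' -> nested ('or'|'and', ...) tuples of checks.
    Parentheses count only at token edges, so %(project_id)s survives intact."""
    tokens = []
    for tok in text.split():
        opened = len(tok) - len(tok.lstrip("("))
        closed = len(tok) - len(tok.rstrip(")"))
        tokens += ["("] * opened + [tok.strip("()")] + [")"] * closed
    pos = 0

    def parse(ops):  # ops: remaining operators, lowest precedence first
        nonlocal pos
        if not ops:
            tok = tokens[pos]
            pos += 1
            if tok == "(":
                node = parse(["or", "and"])
                pos += 1  # the matching ")"
                return node
            return make_check(tok)
        terms = [parse(ops[1:])]
        while pos < len(tokens) and tokens[pos] == ops[0]:
            pos += 1
            terms.append(parse(ops[1:]))
        return terms[0] if len(terms) == 1 else (ops[0], *terms)
    return parse(["or", "and"])

def evaluate(rule, target, creds):
    if callable(rule):
        return rule(target, creds)
    op, *subrules = rule
    return (all if op == "and" else any)(evaluate(r, target, creds) for r in subrules)

POLICY = {
    "admin_only": "role:admin",
    # The reporter's rule, verbatim, under the post-fix action name.
    "update_network:tags": "rule:admin_only or (role:member and "
                           "project_id:%(project_id)s and field:networks:shared=False)",
}
RULES = {name: parse_rule(text) for name, text in POLICY.items()}

MEMBER = {"roles": ["member"], "project_id": "p1"}
ADMIN = {"roles": ["admin"], "project_id": "p1"}
# Constructed targets: what the tagging extension passed before the fix
# (only the id) versus the whole network dict it passes after it.
BEFORE_FIX_TARGET = {"id": "net-1"}
PRIVATE_NETWORK = {"id": "net-1", "project_id": "p1", "shared": False}
SHARED_NETWORK = {"id": "net-2", "project_id": "p1", "shared": True}

def can_update_tags(target, creds=MEMBER):
    return evaluate(RULES["update_network:tags"], target, creds)
```

With the id-only target, `can_update_tags(BEFORE_FIX_TARGET)` is False for a member no matter what the network looks like: the `project_id:%(project_id)s` match has no `project_id` to format and the `field:` check has no `shared` to compare, which is the constant 403 from the report. With the full dict, the same rule allows the member on the private network and refuses it on the shared one, while `rule:admin_only` still short-circuits for an admin.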
