yahoo-eng-team team mailing list archive
Message #95375
[Bug 2098109] Re: Regular user can modify router SNAT flag
Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/942064
Committed: https://opendev.org/openstack/neutron-lib/commit/bf21a6dcd48bdd15c28086f256319ac035b7fef0
Submitter: "Zuul (22348)"
Branch: master
commit bf21a6dcd48bdd15c28086f256319ac035b7fef0
Author: Rodolfo Alonso Hernandez <ralonsoh@xxxxxxxxxx>
Date: Tue Feb 18 06:43:19 2025 +0000
Fix ``external-gateway-multihoming`` API extension definition
The new field ``external-gateways`` added in the API extension
``external-gateway-multihoming`` didn't have the ``enforce_policy`` flag
defined and the validate parameters didn't provide the needed
information to the Neutron policy to build a correct rule match.
Now this field copies the ``ext-gw-mode`` extension validator used in
the ``external_gateway_info`` field.
The validator type ``list_of_dict_or_nodata`` is currently not
recognized by the Neutron policy as an iterable validator [1]; this
code must be changed in Neutron in order to accept this new defined
validator that is not a dictionary but a list of dictionaries.
[1] https://github.com/openstack/neutron/blob/86f94de99aa08b1b4aadca8e90c6e79487171b8e/neutron/policy.py#L142
Closes-Bug: #2098109
Change-Id: I592f7ff0673c15276e9da0054fd38f7ad96f795a
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2098109
Title:
Regular user can modify router SNAT flag
Status in neutron:
Fix Released
Status in OpenStack Security Advisory:
Incomplete
Bug description:
The Neutron policy 'update_router:external_gateway_info:enable_snat'
is, by default, available to an admin user only. However, this command
succeeds with a regular user.
How to reproduce it in a devstack deployment (no additional policies configured, using the default ones):
$ . /opt/stack/devstack/openrc demo demo
$ openstack router create r1
$ openstack router set --external-gateway public r1
$ openstack router set --disable-snat --external-gateway public r1
This last command should fail for "demo" user.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2098109/+subscriptions