
yahoo-eng-team team mailing list archive

[Bug 2115184] [NEW] [S-RBAC] Custom role can't get resources which belongs to different projects

 

Public bug reported:

It was reported on the ML:
https://lists.openstack.org/archives/list/openstack-discuss@xxxxxxxxxxxxxxxxxxx/thread/4TRWELLL6FH455JNWP52LV6OLMXSFQ34/

Basically, even if an operator specifies a custom rule like e.g.:

"get_network": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc or role:admin_network_read"

a user with the "admin_network_read" role can't get all networks from the
cloud. This happens because it is filtered out on the DB access
layer, in https://github.com/openstack/neutron-lib/blob/fd011c955dfae1072555c69b6ba742b85f041736/neutron_lib/db/model_query.py#L157

** Affects: neutron
     Importance: Medium
     Assignee: Slawek Kaplonski (slaweq)
         Status: Confirmed


** Tags: api

https://bugs.launchpad.net/bugs/2115184
