
yahoo-eng-team team mailing list archive

[Bug 2115184] Re: [S-RBAC] Custom role can't get resources which belongs to different projects


Reviewed:  https://review.opendev.org/c/openstack/neutron-lib/+/954054
Committed: https://opendev.org/openstack/neutron-lib/commit/b510f7feb8678081f0c51d19d9c484b7f19964e1
Submitter: "Zuul (22348)"
Branch:    master

commit b510f7feb8678081f0c51d19d9c484b7f19964e1
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date:   Thu Jul 3 16:40:44 2025 +0200

    Add "has_global_access" attribute to the context object
    
    In the case where API policies with custom roles have to be defined by the
    operator and such a custom role should be granted access to the
    resources from all projects, like for example some kind of
    "admin_reader" or "auditor" role, it was not possible to achieve that so far.
    The problem was that for all non-admin and non-service users, SQL
    queries were always scoped to the user's own project only, so such an "auditor"
    couldn't even get data from different projects from the database.
    
    This patch introduces a new API policy rule called
    `context_with_global_access` and an attribute `has_global_access` on the
    neutron_lib.context.ContextBase class.
    By default the `context_with_global_access` rule is granted to nobody, but it
    can be defined in the neutron policy file, e.g.:
    
        "context_with_global_access": "role:auditor"
    
    and then the `neutron_context` object for API requests made by someone with
    such a role granted will be able to fetch all data from the database.
    
    This doesn't mean that anyone with such a role will be able to do or get
    everything through the API, because there is still the policy engine with
    the defined API policies, which prevents that.
    So to e.g. grant such an auditor user permission to list all networks in
    the cluster, an additional rule would be needed in the policy file, and it
    could look, for example, like:
    
        "get_network": "(rule:admin_only) or
                        (role:reader and project_id:%(project_id)s) or
                        rule:shared or rule:external or
                        rule:context_is_advsvc or
                        role:auditor"
    
    Closes-Bug: #2115184
    Change-Id: I90149b0212dafa8f469dc329cc4b45042cded38c
    Signed-off-by: Slawek Kaplonski <skaplons@xxxxxxxxxx>


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2115184

Title:
  [S-RBAC] Custom role can't get resources which belongs to different
  projects

Status in neutron:
  Fix Released

Bug description:
  It was reported on the ML:
  https://lists.openstack.org/archives/list/openstack-discuss@xxxxxxxxxxxxxxxxxxx/thread/4TRWELLL6FH455JNWP52LV6OLMXSFQ34/

  Basically, even if the operator specifies a custom rule like e.g.:

  "get_network": "(rule:admin_only) or (role:reader and
  project_id:%(project_id)s) or rule:shared or rule:external or
  rule:context_is_advsvc or role:admin_network_read"

  a user with the "admin_network_read" role can't get all networks from the
  cloud. It happens like that because it is filtered out at the DB
  access layer, in
  https://github.com/openstack/neutron-lib/blob/fd011c955dfae1072555c69b6ba742b85f041736/neutron_lib/db/model_query.py#L157

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2115184/+subscriptions
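The following Python is an added illustration and is not code from neutron-lib, from the commit above, or from the bug report. It models the two authorization layers that the commit message and the bug description describe: the DB-level query scoping (which, before the fix, confined every non-admin, non-service user to their own project regardless of what the API policy said) and the API policy check that is still applied to each row afterwards. The policy strings reuse the rules quoted above; the `Context` class, the rule evaluator, the `build_context`/`db_query_networks`/`api_list_networks` functions and the network rows are all constructed here for the example and are not neutron-lib's API. The evaluator understands only a small subset of oslo.policy syntax (no nested parentheses).

```python
"""Illustrative model of the two layers behind bug 2115184 (not neutron-lib code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Minimal stand-in for neutron_lib.context.ContextBase (hypothetical)."""
    user_id: str
    project_id: str
    roles: frozenset
    is_admin: bool = False
    is_service: bool = False
    has_global_access: bool = False


# Constructed network rows standing in for database records.
NETWORKS = [
    {"id": "net-1", "project_id": "proj-a"},
    {"id": "net-2", "project_id": "proj-b"},
    {"id": "net-3", "project_id": "proj-a"},
]

# The get_network rule from the commit message, reduced to the checks modelled here.
GET_NETWORK = ("(rule:admin_only) or (role:reader and project_id:%(project_id)s) "
               "or role:auditor")

# As the bug reporter configured it: the custom role is in get_network, but nothing
# grants global access, so the DB layer still scopes the query to one project.
POLICY_BEFORE = {
    "admin_only": "role:admin",
    "context_with_global_access": "!",   # default: nobody
    "get_network": GET_NETWORK,
}

# After the fix: the operator also grants the new context rule to the role.
POLICY_AFTER = dict(POLICY_BEFORE, context_with_global_access="role:auditor")

# Global access granted but get_network never mentions the auditor role:
# the API policy layer still denies every row, as the commit message states.
POLICY_GLOBAL_ONLY = dict(
    POLICY_AFTER,
    get_network="(rule:admin_only) or (role:reader and project_id:%(project_id)s)",
)


def evaluate(policy, rule_name, ctx, target, depth=0):
    """Evaluate an oslo.policy-style rule string (tiny subset, hypothetical).

    Supports "a or b", "(x and y)", "role:R", "rule:R", "attr:%(attr)s"
    comparisons against the target, "@" (anyone) and "!" (nobody).
    Unknown rule names evaluate to False.
    """
    if depth > 10:
        raise RecursionError("rule recursion too deep: %s" % rule_name)
    rule = policy.get(rule_name)
    if rule is None:
        return False
    for clause in rule.split(" or "):
        clause = clause.strip()
        if clause.startswith("(") and clause.endswith(")"):
            clause = clause[1:-1]
        if all(_check(c.strip(), ctx, target, policy, depth)
               for c in clause.split(" and ")):
            return True
    return False


def _check(check, ctx, target, policy, depth):
    if check == "@":
        return True
    if check == "!":
        return False
    kind, _, value = check.partition(":")
    if kind == "role":
        return value in ctx.roles
    if kind == "rule":
        return evaluate(policy, value, ctx, target, depth + 1)
    # Generic check such as "project_id:%(project_id)s": the context attribute
    # must equal the value interpolated from the target resource.
    try:
        expected = value % target
    except KeyError:
        return False
    return getattr(ctx, kind, None) == expected


def build_context(policy, user_id, project_id, roles):
    """Build a request context; has_global_access comes only from the policy rule."""
    base = Context(user_id, project_id, frozenset(roles), is_admin="admin" in roles)
    granted = evaluate(policy, "context_with_global_access", base, {})
    return Context(user_id, project_id, base.roles, is_admin=base.is_admin,
                   has_global_access=granted)


def db_query_networks(ctx, rows=NETWORKS):
    """Layer 1: query scoping, as model_query does for non-privileged contexts."""
    if ctx.is_admin or ctx.is_service or ctx.has_global_access:
        return list(rows)
    return [r for r in rows if r["project_id"] == ctx.project_id]


def api_list_networks(policy, ctx, rows=NETWORKS):
    """Layer 2: the get_network policy is enforced on every row the query returned."""
    return [r["id"] for r in db_query_networks(ctx, rows)
            if evaluate(policy, "get_network", ctx, r)]


if __name__ == "__main__":
    for name, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER),
                         ("global-only", POLICY_GLOBAL_ONLY)):
        auditor = build_context(policy, "u1", "proj-a", ["auditor"])
        print(name, auditor.has_global_access, api_list_networks(policy, auditor))
```

With `POLICY_BEFORE` the auditor in `proj-a` sees only `proj-a` networks even though `get_network` names the role, which is the reported bug; with `POLICY_AFTER` the same user sees all three; with `POLICY_GLOBAL_ONLY` the query returns every row but the API policy rejects each one, so the new rule widens what the database returns without by itself granting any API permission.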
