yahoo-eng-team team mailing list archive
Message #96337
[Bug 2060916] Re: [RFE] Add 'trusted_vif' field to the port attributes
Adding nova so that we can discuss/track using this when it is available
in nova instead.
I am suggesting we treat it as a wishlist bug because it's a security
hardening opportunity that may be good to backport to allow operators to
not use custom policy on the binding:profile field.
If we choose to track this as a specless blueprint instead, I'll just
update the bug at that time to reflect that.
I think allowing the extension to be could be a backportable security enhancement.
Dropping support for the old way is definitely not backportable, but we could deprecate it in 2026.1 if we complete this support.
When the new extension is used the data is available in both locations, so
that would allow 2026.1 to provide smooth upgrades.
** Also affects: nova
Importance: Undecided
Status: New
** Changed in: nova
Importance: Undecided => Wishlist
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2060916
Title:
[RFE] Add 'trusted_vif' field to the port attributes
Status in neutron:
Fix Released
Status in OpenStack Compute (nova):
New
Bug description:
Currently 'trusted=true' can be passed to Neutron by an admin user
through the port's "binding:profile" field but this field originally
was intended to be used only for the machine-machine communication,
and not to be used by any cloud user. There is even info about that in
the api-ref:
"A dictionary that enables the application running on the specific
host to pass and receive vif port information specific to the
networking back-end. This field is only meant for machine-machine
communication for compute services like Nova, Ironic or Zun to pass
information to a Neutron back-end. It should not be used by multiple
services concurrently or by cloud end users. The existing
counterexamples (capabilities: [switchdev] for Open vSwitch hardware
offload and trusted=true for Trusted Virtual Functions) are due to be
cleaned up. The networking API does not define a specific format of
this field. ..."
This will be even worse with the new S-RBAC policies, where the "binding:profile" field is allowed to be changed only by SERVICE role users, not even by admins.
So this small RFE is a proposal to add a new API extension which will add a
field, like "trusted_vif", to the port object. This field would then be
accessible to ADMIN role users in the Secure-RBAC policies.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2060916/+subscriptions