yahoo-eng-team team mailing list archive

[Bug 2125660] Re: [S-RBAC] User with reader role can create, updated and delete l3_conntrack_helpers

 

Reviewed:  https://review.opendev.org/c/openstack/neutron/+/962261
Committed: https://opendev.org/openstack/neutron/commit/cb3331e52580a67fd6d65b3e44eca9b14fc9cefb
Submitter: "Zuul (22348)"
Branch:    master

commit cb3331e52580a67fd6d65b3e44eca9b14fc9cefb
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date:   Thu Sep 25 11:53:40 2025 +0200

    [S-RBAC] Fix policies for the l3_conntrack_helpers APIs
    
    This patch updates l3_conntrack_helpers API policies so that POST, PUT and
    DELETE actions are allowed for the PARENT_OWNER_MEMBER role and GET is
    allowed for the PARENT_OWNER_READER.
    
    Additionally this patch fixes unit tests for the api policies for those
    APIs so that owner check is done during unit tests and issues like the
    one mentioned above can be caught by unit tests.
    
    Closes-bug: #2125660
    
    Change-Id: I1dc6eabbb666e5923d9c18465d10cdf95e472915
    Signed-off-by: Slawek Kaplonski <skaplons@xxxxxxxxxx>


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2125660

Title:
   [S-RBAC] User with reader role can create, updated and delete
  l3_conntrack_helpers

Status in neutron:
  Fix Released

Bug description:
  It is like that because the wrong policy RULE_PARENT_OWNER
  https://github.com/openstack/neutron/blob/e0ca9a0d68fbbcb98820f488accf2f84fb8c9639/neutron/conf/policies/l3_conntrack_helper.py#L35
  is used in the default policies for those APIs. It should be
  PARENT_OWNER_MEMBER for create, update and delete actions and
  PARENT_OWNER_READER for the get action.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2125660/+subscriptions
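
Added example (not part of the original notification and not neutron's or oslo.policy's code): a simplified model of why an owner-only rule lets a reader-role user write, and what the role-qualified rules from the bug description change. The rule string values, the credential dictionaries and the helper names are assumptions made for illustration.

```python
# Simplified model of the check strings; not oslo.policy, not neutron's code.
# The string values below are assumed for illustration.
RULE_PARENT_OWNER = "rule:ext_parent_owner"
PARENT_OWNER_MEMBER = "role:member and " + RULE_PARENT_OWNER
PARENT_OWNER_READER = "role:reader and " + RULE_PARENT_OWNER

# Keystone default roles form a chain: admin implies member implies reader.
IMPLIED = {"admin": {"admin", "member", "reader"},
           "member": {"member", "reader"},
           "reader": {"reader"}}

ACTIONS = ("create", "update", "delete", "get")
# Before the fix: ownership of the parent router is the only condition.
BEFORE = {action: RULE_PARENT_OWNER for action in ACTIONS}
# After the fix: ownership plus a role that matches the kind of action.
AFTER = {"create": PARENT_OWNER_MEMBER, "update": PARENT_OWNER_MEMBER,
         "delete": PARENT_OWNER_MEMBER, "get": PARENT_OWNER_READER}


def effective_roles(roles):
    expanded = set()
    for role in roles:
        expanded |= IMPLIED.get(role, {role})
    return expanded


def enforce(check, creds, parent_project_id):
    """Evaluate an 'and'-joined check string; unknown terms fail closed."""
    for term in check.split(" and "):
        kind, _, value = term.partition(":")
        if kind == "role":
            ok = value in effective_roles(creds["roles"])
        elif term == RULE_PARENT_OWNER:
            ok = creds["project_id"] == parent_project_id
        else:
            ok = False
        if not ok:
            return False
    return True


def allowed_actions(policy, creds, parent_project_id):
    return sorted(a for a in ACTIONS if enforce(policy[a], creds, parent_project_id))


if __name__ == "__main__":
    reader = {"project_id": "proj-a", "roles": ["reader"]}  # constructed sample
    print("before:", allowed_actions(BEFORE, reader, "proj-a"))
    print("after: ", allowed_actions(AFTER, reader, "proj-a"))
```

A policy unit test that only checks role names, without also matching the caller's project against the parent's owner, would not distinguish these two tables.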


