yahoo-eng-team team mailing list archive
Message #96506
[Bug 2125660] Re: [S-RBAC] User with reader role can create, update and delete l3_conntrack_helpers
Reviewed: https://review.opendev.org/c/openstack/neutron/+/962261
Committed: https://opendev.org/openstack/neutron/commit/cb3331e52580a67fd6d65b3e44eca9b14fc9cefb
Submitter: "Zuul (22348)"
Branch: master
commit cb3331e52580a67fd6d65b3e44eca9b14fc9cefb
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date: Thu Sep 25 11:53:40 2025 +0200
[S-RBAC] Fix policies for the l3_conntrack_helpers APIs
This patch updates l3_conntrack_helpers API policies so that POST, PUT and
DELETE actions are allowed for the PARENT_OWNER_MEMBER role and GET is
allowed for the PARENT_OWNER_READER.
Additionally this patch fixes unit tests for the api policies for those
APIs so that owner check is done during unit tests and issues like the
one mentioned above can be caught by unit tests.
Closes-bug: #2125660
Change-Id: I1dc6eabbb666e5923d9c18465d10cdf95e472915
Signed-off-by: Slawek Kaplonski <skaplons@xxxxxxxxxx>
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2125660
Title:
[S-RBAC] User with reader role can create, update and delete
l3_conntrack_helpers
Status in neutron:
Fix Released
Bug description:
It is like that because the wrong policy RULE_PARENT_OWNER
https://github.com/openstack/neutron/blob/e0ca9a0d68fbbcb98820f488accf2f84fb8c9639/neutron/conf/policies/l3_conntrack_helper.py#L35
is used in the default policies for those APIs. It should be
PARENT_OWNER_MEMBER for the create, update and delete actions and
PARENT_OWNER_READER for the get action.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2125660/+subscriptions
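The following is an added example, not Neutron's code and not part of the bug report: a minimal oslo.policy-style rule evaluator that models why an owner-only rule lets a reader write, and how pairing the owner check with a role check (member for writes, reader for reads) closes it. The rule strings, the `ext_parent:project_id` target key, the rule names and the credential dictionaries are assumptions chosen to mirror the bug report; Neutron's real definitions live in neutron/conf/policies/base.py and its policy engine is oslo.policy, neither of which is used here. The last check (a member from another project against a router owned by a different project) is the owner check the patch's unit-test fix makes sure is exercised.

```python
"""Added example modelling the l3_conntrack_helpers S-RBAC policy bug.

Not Neutron's code. Rule strings, target keys and credentials below are
illustrative assumptions, written in oslo.policy's rule syntax."""

import re

# Named rules. "parent_owner" compares the caller's project with the project
# that owns the parent resource (the router the conntrack helper belongs to),
# which the API layer is assumed to pass in the policy target (assumption).
RULES = {
    "parent_owner": "project_id:%(ext_parent:project_id)s",
    "parent_owner_member": "role:member and rule:parent_owner",
    "parent_owner_reader": "role:reader and rule:parent_owner",
}

# Before the fix: every action used the owner-only rule (RULE_PARENT_OWNER in
# the bug report). It has no role check, so a reader in the owning project
# passes it for writes as well as reads.
BUGGY_POLICY = {
    "create_l3_conntrack_helper": "rule:parent_owner",
    "get_l3_conntrack_helper": "rule:parent_owner",
    "update_l3_conntrack_helper": "rule:parent_owner",
    "delete_l3_conntrack_helper": "rule:parent_owner",
}

# After the fix: writes require the member role, reads the reader role, and
# both keep the owner check (PARENT_OWNER_MEMBER / PARENT_OWNER_READER).
FIXED_POLICY = {
    "create_l3_conntrack_helper": "rule:parent_owner_member",
    "get_l3_conntrack_helper": "rule:parent_owner_reader",
    "update_l3_conntrack_helper": "rule:parent_owner_member",
    "delete_l3_conntrack_helper": "rule:parent_owner_member",
}


def _check_atom(atom, creds, target):
    """Evaluate one oslo.policy-style check: role:X, rule:X, project_id:%(key)s."""
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in creds["roles"]
    if kind == "rule":
        return check(RULES[value], creds, target)
    if kind == "project_id":
        # project_id:%(key)s compares the caller's project with target[key]
        key = re.fullmatch(r"%\((.+)\)s", value).group(1)
        return creds["project_id"] == target.get(key)
    raise ValueError(f"unsupported check: {atom}")


def check(expr, creds, target):
    """Evaluate 'a and b or c' (no parentheses); 'and' binds tighter than 'or'."""
    return any(
        all(_check_atom(a.strip(), creds, target) for a in clause.split(" and "))
        for clause in expr.split(" or ")
    )


def enforce(policy, action, creds, target):
    """True if the policy set allows `action` for `creds` on `target`."""
    return check(policy[action], creds, target)


# Constructed credentials. Keystone's implied roles give a member the reader
# role as well, which is why the member dictionaries list both.
READER_P1 = {"project_id": "p1", "roles": ["reader"]}
MEMBER_P1 = {"project_id": "p1", "roles": ["member", "reader"]}
MEMBER_P2 = {"project_id": "p2", "roles": ["member", "reader"]}
# Constructed target: the parent router is owned by project p1.
TARGET_ROUTER_P1 = {"ext_parent:project_id": "p1"}


def reader_matrix(policy):
    """What a reader in the owning project may do under a policy set."""
    return {action: enforce(policy, action, READER_P1, TARGET_ROUTER_P1)
            for action in policy}


if __name__ == "__main__":
    print("buggy policy, reader in owning project:", reader_matrix(BUGGY_POLICY))
    print("fixed policy, reader in owning project:", reader_matrix(FIXED_POLICY))
    print("fixed policy, member from another project may create:",
          enforce(FIXED_POLICY, "create_l3_conntrack_helper", MEMBER_P2, TARGET_ROUTER_P1))
```

Run it as a script to print the before/after matrix. The point of the last line is the one the patch's unit-test change makes: a policy test that only sets roles and never sets the parent's project in the target cannot tell `rule:parent_owner` apart from `role:member and rule:parent_owner`, so the owner check has to be part of the test fixture for the bug to be visible.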