
yahoo-eng-team team mailing list archive

[Bug 2125657] Re: [S-RBAC] User with reader role can create and delete local_ip association


Reviewed:  https://review.opendev.org/c/openstack/neutron/+/962260
Committed: https://opendev.org/openstack/neutron/commit/cc3813b06381d9d9de0d3659e4ceca2b81eef6fb
Submitter: "Zuul (22348)"
Branch:    master

commit cc3813b06381d9d9de0d3659e4ceca2b81eef6fb
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date:   Thu Sep 25 11:32:06 2025 +0200

    [S-RBAC] Fix policies for the local_ip association APIs
    
    This patch updates local_ip association API policies so that POST and
    DELETE actions are allowed for the PARENT_OWNER_MEMBER role and GET is
    allowed for the PARENT_OWNER_READER.
    
    Additionally, this patch fixes the unit tests for the API policies of
    those APIs so that the owner check is done during unit tests and issues
    like the one mentioned above can be caught by unit tests.
    
    Closes-bug: #2125657
    
    Change-Id: I6844995d2b4c6e5ec4e2772d48d1a2b606dc558b
    Signed-off-by: Slawek Kaplonski <skaplons@xxxxxxxxxx>


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2125657

Title:
  [S-RBAC] User with reader role can create and delete local_ip
  association

Status in neutron:
  Fix Released

Bug description:
  It is like that because the wrong policy RULE_PARENT_OWNER
  https://github.com/openstack/neutron/blob/master/neutron/conf/policies/local_ip_association.py#L32
  is used in the default policies for those APIs. It should be
  PARENT_OWNER_MEMBER for the create and delete actions and
  PARENT_OWNER_READER for the get action.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2125657/+subscriptions
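As an added example that is not part of this bug report or of neutron's code: a small Python model of the defect described above, with the buggy ownership-only rule beside the corrected role-qualified rules. The rule names mirror the bug's identifiers; the evaluator, action names, target field name and sample credentials are constructed assumptions, not oslo.policy or neutron internals.

```python
# Added example: constructed model of the local_ip association policy bug.
# Not neutron/oslo.policy code; rule, action and field names are assumptions
# that mirror the identifiers in the bug report.
from dataclasses import dataclass

@dataclass(frozen=True)
class Creds:
    project_id: str
    roles: frozenset

def parent_owner(creds, target):
    # The association hangs off a port; the caller's project must own it.
    return creds.project_id == target["parent_project_id"]

def has_role(creds, role):
    return role in creds.roles

# Buggy defaults (as reported): RULE_PARENT_OWNER checks ownership only,
# so any role in the owning project, reader included, may mutate.
BUGGY = {
    "create_local_ip_port_association": parent_owner,
    "delete_local_ip_port_association": parent_owner,
    "get_local_ip_port_association": parent_owner,
}

# Fixed defaults: POST/DELETE need PARENT_OWNER_MEMBER, GET needs PARENT_OWNER_READER.
FIXED = {
    "create_local_ip_port_association":
        lambda c, t: parent_owner(c, t) and has_role(c, "member"),
    "delete_local_ip_port_association":
        lambda c, t: parent_owner(c, t) and has_role(c, "member"),
    "get_local_ip_port_association":
        lambda c, t: parent_owner(c, t) and has_role(c, "reader"),
}

def enforce(policies, action, creds, target):
    """True if creds may perform action; unknown actions are denied."""
    check = policies.get(action)
    return bool(check and check(creds, target))

def allowed_actions(policies, creds, target):
    return sorted(a for a in policies if enforce(policies, a, creds, target))

# Constructed principals. Keystone's default implied roles make a member
# also a reader; modelled by listing both roles (assumption).
PORT = {"parent_project_id": "proj-a"}
READER_A = Creds("proj-a", frozenset({"reader"}))
MEMBER_A = Creds("proj-a", frozenset({"member", "reader"}))
MEMBER_B = Creds("proj-b", frozenset({"member", "reader"}))
```

Under BUGGY a reader in the owning project can create and delete associations; under FIXED the reader keeps only GET, a member in the owning project keeps all three, and a member from another project gets nothing.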
