yahoo-eng-team team mailing list archive

Thread
Date

[Bug 2126576] [NEW] [S-RBAC] Policies for local_ip_association don't work as expected

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Slawek Kaplonski <2126576@xxxxxxxxxxxxxxxxxx>
Date: Wed, 01 Oct 2025 15:02:17 -0000
Reply-to: Bug 2126576 <2126576@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

Public bug reported:

Those policies are written as:

neutron_policy.policy_or(base.ADMIN_OR_PROJECT_MEMBER, base.PARENT_OWNER_MEMBER)
and
neutron_policy.policy_or(base.ADMIN_OR_PROJECT_READER, base.PARENT_OWNER_MEMBER)

which is wrong because local_ip_association don't have project_id and in
such case "OR_PROJECT_{MEMBER|READER}" fails. It should be only
something like:

base.ADMIN_OR_PARENT_OWNER_MEMBER
base.ADMIN_OR_PARENT_OWNER_READER

** Affects: neutron
     Importance: High
     Assignee: Slawek Kaplonski (slaweq)
         Status: Confirmed


** Tags: api

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2126576

Title:
  [S-RBAC] Policies for local_ip_association don't work as expected

Status in neutron:
  Confirmed

Bug description:
  Those policies are written as:

  neutron_policy.policy_or(base.ADMIN_OR_PROJECT_MEMBER, base.PARENT_OWNER_MEMBER)
  and
  neutron_policy.policy_or(base.ADMIN_OR_PROJECT_READER, base.PARENT_OWNER_MEMBER)

  which is wrong because local_ip_association don't have project_id and
  in such case "OR_PROJECT_{MEMBER|READER}" fails. It should be only
  something like:

  base.ADMIN_OR_PARENT_OWNER_MEMBER
  base.ADMIN_OR_PARENT_OWNER_READER

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2126576/+subscriptions

Follow ups

[Bug 2126576] Re: [S-RBAC] Policies for local_ip_association don't work as expected
From: OpenStack Infra, 2025-10-07