yahoo-eng-team team mailing list archive

[Bug 2126576] Re: [S-RBAC] Policies for local_ip_association don't work as expected

 

Reviewed:  https://review.opendev.org/c/openstack/neutron/+/962751
Committed: https://opendev.org/openstack/neutron/commit/8ff3d9d52a3d9471b92c4607956f96d59c779563
Submitter: "Zuul (22348)"
Branch:    master

commit 8ff3d9d52a3d9471b92c4607956f96d59c779563
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date:   Wed Oct 1 17:03:47 2025 +0200

    [S-RBAC] Fix policies for local_ip_association
    
    Policies for those API actions should not rely on the "PROJECT_READER"
    or "PROJECT_MEMBER" rules as this resource doesn't have a project_id
    attribute and instead belongs to the project of the parent resource
    (which is local_ip).
    This patch updates those rules to:
    
    base.ADMIN_OR_PARENT_OWNER_MEMBER
    base.ADMIN_OR_PARENT_OWNER_READER
    
    Closes-bug: #2126576
    
    Change-Id: Ie12c4e40edc09b3477db7c8ffa3067856ea42866
    Signed-off-by: Slawek Kaplonski <skaplons@xxxxxxxxxx>


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2126576

Title:
  [S-RBAC] Policies for local_ip_association don't work as expected

Status in neutron:
  Fix Released

Bug description:
  Those policies are written as:

  neutron_policy.policy_or(base.ADMIN_OR_PROJECT_MEMBER, base.PARENT_OWNER_MEMBER)
  and
  neutron_policy.policy_or(base.ADMIN_OR_PROJECT_READER, base.PARENT_OWNER_MEMBER)

  which is wrong because local_ip_association doesn't have project_id and
  in such a case "OR_PROJECT_{MEMBER|READER}" fails. It should be only
  something like:

  base.ADMIN_OR_PARENT_OWNER_MEMBER
  base.ADMIN_OR_PARENT_OWNER_READER

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2126576/+subscriptions
