yahoo-eng-team team mailing list archive
Message #96627
[Bug 2126759] Re: [S-RBAC] Policies for l3_conntrack_helpers don't work as expected
Reviewed: https://review.opendev.org/c/openstack/neutron/+/962919
Committed: https://opendev.org/openstack/neutron/commit/0edbfe26d01ad0dfe1a3875527ac1f8c2f47f56f
Submitter: "Zuul (22348)"
Branch: master
commit 0edbfe26d01ad0dfe1a3875527ac1f8c2f47f56f
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date: Fri Oct 3 12:51:59 2025 +0200
[S-RBAC] Fix policies for l3_conntrack_helpers
Policies for those API actions should not rely on the "PROJECT_READER"
or "PROJECT_MEMBER" rules as this resource doesn't have a project_id
attribute and instead belongs to the project of the parent resource
(which is l3_router).
This patch updates those rules to:
base.ADMIN_OR_PARENT_OWNER_MEMBER
base.ADMIN_OR_PARENT_OWNER_READER
Closes-bug: #2126759
Change-Id: Id67346262a3dbe4717273073b5f8c6a385d2180d
Signed-off-by: Slawek Kaplonski <skaplons@xxxxxxxxxx>
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2126759
Title:
[S-RBAC] Policies for l3_conntrack_helpers don't work as expected
Status in neutron:
Fix Released
Bug description:
Those policies are written as:
neutron_policy.policy_or(base.ADMIN_OR_PROJECT_MEMBER, base.PARENT_OWNER_MEMBER)
and
neutron_policy.policy_or(base.ADMIN_OR_PROJECT_READER, base.PARENT_OWNER_MEMBER)
which is wrong because l3_conntrack_helpers don't have project_id and
in such a case "OR_PROJECT_{MEMBER|READER}" fails. It should be only
something like:
base.ADMIN_OR_PARENT_OWNER_MEMBER
base.ADMIN_OR_PARENT_OWNER_READER
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2126759/+subscriptions
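The point of the bug above is that a conntrack helper has no project_id of its own, so any rule built on the target's project_id has nothing to compare against and ownership has to be resolved through the parent router. The following is an added, constructed model of the ADMIN_OR_PARENT_OWNER_{MEMBER,READER} rule shape the fix moves to; it is not Neutron's or oslo.policy's code, and the router table, the token layout, the helper target fields and all function names are assumptions made for illustration.

```python
# Constructed model of "admin or owner of the parent router" checks for a
# resource that carries no project_id of its own. Not Neutron or oslo.policy
# code; names and data below are assumptions for illustration only.

# Stand-in for the parent resource (l3 router) lookup: router id -> owner.
ROUTERS = {
    "router-a": {"project_id": "proj-a"},
    "router-b": {"project_id": "proj-b"},
}

# A conntrack helper target as the API would hand it to policy: it names its
# parent router but has no project_id attribute (constructed sample).
HELPER_ON_ROUTER_A = {
    "router_id": "router-a", "protocol": "udp", "port": 69, "helper": "tftp",
}

# Constructed tokens. Keystone expands implied roles into the token, so a
# member also carries reader, and admin carries member and reader.
ADMIN = {"project_id": "proj-admin", "roles": ["admin", "member", "reader"]}
MEMBER_A = {"project_id": "proj-a", "roles": ["member", "reader"]}
READER_A = {"project_id": "proj-a", "roles": ["reader"]}
MEMBER_B = {"project_id": "proj-b", "roles": ["member", "reader"]}


def parent_project_id(target):
    """Resolve the owning project through the parent router.

    Returns None when the target names no parent or the parent is unknown,
    so callers deny instead of guessing an owner.
    """
    router = ROUTERS.get(target.get("router_id"))
    return router["project_id"] if router else None


def admin_or_parent_owner(target, creds, role):
    """ADMIN_OR_PARENT_OWNER_* shape: admin role anywhere, or the given role
    held in the project that owns the parent router."""
    roles = set(creds.get("roles", ()))
    if "admin" in roles:
        return True
    owner = parent_project_id(target)
    return (owner is not None
            and role in roles
            and creds.get("project_id") == owner)


def admin_or_parent_owner_member(target, creds):
    """Rule for write actions (create/update/delete) on the helper."""
    return admin_or_parent_owner(target, creds, "member")


def admin_or_parent_owner_reader(target, creds):
    """Rule for read actions (get) on the helper."""
    return admin_or_parent_owner(target, creds, "reader")


def project_owner_check(target, creds):
    """The project_id:%(project_id)s shape the old rules relied on. The helper
    target carries no project_id, so this can never match for it."""
    return ("project_id" in target
            and target["project_id"] == creds.get("project_id"))


def evaluate_all(target=HELPER_ON_ROUTER_A):
    """Decisions for the constructed tokens against one helper target."""
    return {
        "admin_write": admin_or_parent_owner_member(target, ADMIN),
        "owner_member_write": admin_or_parent_owner_member(target, MEMBER_A),
        "owner_reader_write": admin_or_parent_owner_member(target, READER_A),
        "owner_reader_read": admin_or_parent_owner_reader(target, READER_A),
        "other_member_write": admin_or_parent_owner_member(target, MEMBER_B),
        "other_member_read": admin_or_parent_owner_reader(target, MEMBER_B),
        "project_check_on_helper": project_owner_check(target, MEMBER_A),
    }


if __name__ == "__main__":
    for name, allowed in evaluate_all().items():
        print(f"{name:24s} {'allow' if allowed else 'deny'}")
```

Running it shows the member and reader of the router's project getting exactly the access their role allows on the helper, a member of another project denied both reads and writes, and the project_id-based check unable to grant anything because the helper target has no project_id to match. A helper pointing at an unknown router is denied as well, since the owner cannot be resolved.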