FWaaS - incorrect behavior in creating firewall with unavailable firewall_policy
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
neutron | Fix Released | Medium | Yushiro FURUKAWA | |
Bug Description
When creating a firewall under the following conditions, current neutron behaves as follows:
[How to reproduce]
step1. Create a firewall-policy with the following attributes(
=> shared : false
=> tenant_id : admin-tenant
ex.
$ source openrc admin admin
$ neutron firewall-
step2. Create a firewall with the following attributes (execute REST-API):
=> tenant_id : general-user-tenant
=> firewall_policy_id : specify the id which is created at step1.
ex.
$ source openrc demo demo
$ export TOKEN=`keystone token-get | grep ' id ' | get_field 2`
$ curl -i -X POST -d '{"firewall"
[Response]
{
"NeutronError": {
"message": "Firewall Policy 05b28301-
"type": "FirewallPolicy
"detail": ""
}
}
The response is shown above. That is, the general user doesn't have the authorization to refer to
the firewall-policy that exists on the admin tenant.
BUT, the firewall is created at general-
[Status]
$ source openrc demo demo
$ neutron firewall-show firewall-demo
+------
| Field | Value |
+------
| admin_state_up | True |
| description | |
| firewall_policy_id | 05b28301-
| id | cdfbbcb5-
| name | firewall-demo |
| router_ids | |
| status | PENDING_CREATE |
| tenant_id | 8241aeed3bf8448
+------
In addition, only a user who has access authorization to the firewall_policy can delete this resource.
In the above case, the general user cannot delete the firewall resource.
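The failure mode described in this report, as an added example (not neutron code and not the committed fix): a small in-memory model in which the assumed cause is that the firewall record is written before the policy visibility check runs. `Store`, the function names and the policy id `policy-constructed` are constructed for illustration; the tenant and firewall names follow the report.

```python
class PolicyNotFound(Exception):
    """The caller's tenant cannot see the requested firewall policy."""

class Store:
    def __init__(self):
        self.policies = {}   # policy_id -> {"tenant_id": str, "shared": bool}
        self.firewalls = {}  # name -> firewall record

    def get_policy(self, tenant_id, policy_id):
        # A policy is visible to its owning tenant, or to everyone if shared.
        p = self.policies.get(policy_id)
        if p is None or not (p["shared"] or p["tenant_id"] == tenant_id):
            raise PolicyNotFound(policy_id)
        return p

def _record(tenant_id, policy_id):
    return {"tenant_id": tenant_id, "firewall_policy_id": policy_id, "status": "PENDING_CREATE"}

def create_firewall_unchecked(store, tenant_id, name, policy_id):
    # Assumed ordering that reproduces the report: persist first, validate after.
    store.firewalls[name] = _record(tenant_id, policy_id)
    store.get_policy(tenant_id, policy_id)  # raises, but the record already exists
    return store.firewalls[name]

def create_firewall_checked(store, tenant_id, name, policy_id):
    # Validate visibility first, so a rejected request leaves no state behind.
    store.get_policy(tenant_id, policy_id)
    store.firewalls[name] = _record(tenant_id, policy_id)
    return store.firewalls[name]

def delete_firewall(store, tenant_id, name):
    # Deletion resolves the policy under the same visibility rule.
    store.get_policy(tenant_id, store.firewalls[name]["firewall_policy_id"])
    del store.firewalls[name]

def attempt(create, tenant_id="general-user-tenant"):
    """Return (create_rejected, firewall_left_behind, owner_can_delete)."""
    store = Store()
    store.policies["policy-constructed"] = {"tenant_id": "admin-tenant", "shared": False}
    try:
        create(store, tenant_id, "firewall-demo", "policy-constructed")
        rejected = False
    except PolicyNotFound:
        rejected = True
    left = "firewall-demo" in store.firewalls
    try:
        delete_firewall(store, tenant_id, "firewall-demo")
        return rejected, left, True
    except (PolicyNotFound, KeyError):
        return rejected, left, False
```

With the unchecked ordering the request is rejected yet a `PENDING_CREATE` record remains that its own tenant cannot delete; with the check first, the rejection leaves nothing behind.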
Changed in neutron: | |
assignee: | nobody → Yushiro FURUKAWA (y-furukawa-2) |
status: | New → In Progress |
tags: | added: fwaas |
summary: |
- incorrect behavior in creating firewall with unavailable firewall_policy
+ FWaaS - incorrect behavior in creating firewall with unavailable firewall_policy |
description: | updated |
description: | updated |
Changed in neutron: | |
importance: | Undecided → Medium |
milestone: | none → liberty-1 |
Changed in neutron: | |
status: | Fix Committed → Fix Released |
Changed in neutron: | |
milestone: | liberty-1 → 7.0.0 |
Fix proposed to branch: master
Review: https://review.openstack.org/147396