rule:shared is not respected in port/subnet create

Bug #1808112 reported by Slawek Kaplonski
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Slawek Kaplonski

Bug Description

In neutron policy.json there are rules like:

    "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"

but when I'm trying to create a port with a given subnet_id (but without ip_address) as a regular user, I can't do that because policy.json forbids it. I got an error like:

[09:53:12] vagrant@devstack-ubuntu-ovs ~ $ openstack port create public_port --network public --fixed-ip subnet=1fc0a48d-f182-4bb0-b5d0-2dac8d1c6929
HttpException: 403: Client Error for url: http://10.0.0.10:9696/v2.0/ports, (rule:create_port and rule:create_port:fixed_ips) is disallowed by policy

Even if I changed first of those rules to be like:

    "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",

it is still failing, and I think that it's because rule:shared is related to the network, but during this POST call the target enforced by policy is the port, and the port resource doesn't have a shared field at all.

tags: added: api
Changed in neutron:
status: New → Confirmed
Akihiro Motoki (amotoki)
Changed in neutron:
assignee: nobody → Akihiro Motoki (amotoki)
Revision history for this message
Akihiro Motoki (amotoki) wrote :

Briefly speaking, the "rule:shared" rule does not work in authz for POST/PUT/DELETE calls (as a "before" hook). The implementation turns out to be completely wrong.

The following is the detail.

The "rule:shared" rule is defined as 'field:networks:shared=True' [1], and this assumes that the target object contains a 'shared' attribute. The 'field' check is designed to be used in attribute filtering after API calls (the 'after' hook in policy_enforcement.py in the pecan_wsgi implementation).

In the case of the bug report, the POST method is called, and at the time of the 'before' of the policy_enforcement hook the target object is the body of the POST call and no actual network information is retrieved from the database.

[1] https://github.com/openstack/neutron/blob/master/neutron/conf/policies/base.py#L51-L54

Revision history for this message
Akihiro Motoki (amotoki) wrote :

When I ran "openstack port create --fixed-ip subnet=d8080cf0-f204-4e49-b20a-522bee4e8b72 --network shared-net p1", I saw the following error and that is what I expect.

Dec 19 00:53:53 s26 neutron-server[2008]: DEBUG neutron.policy [None req-d6eb75d1-6692-42d4-ad6f-e1b5c82d8bbf demo demo] Unable to find requested field: shared in target: {'dns_name': '', 'binding:host_id': <neutron_lib.constants.Sentinel object at 0x7f6c12f7fed0>, u'name': u'p1', 'allowed_address_pairs': <neutron_lib.constants.Sentinel object at 0x7f6c12f7fed0>, u'admin_state_up': True, u'network_id': u'e6d2f9a6-75a3-4efe-9cd3-34c907664686', 'tenant_id': u'5eb325aa0e62400a94770d515b569cb9', 'extra_dhcp_opts': None, 'dns_domain': '', 'binding:vnic_type': 'normal', 'device_owner': '', 'qos_policy_id': None, 'device_id': '', 'mac_address': <neutron_lib.constants.Sentinel object at 0x7f6c12f7fed0>, 'binding:profile': <neutron_lib.constants.Sentinel object at 0x7f6c12f7fed0>, 'port_security_enabled': <neutron_lib.constants.Sentinel object at 0x7f6c12f7fed0>, 'project_id': u'5eb325aa0e62400a94770d515b569cb9', u'fixed_ips': [{u'subnet_id': u'd8080cf0-f204-4e49-b20a-522bee4e8b72'}], 'network:tenant_id': u'c43e91ced0a44eca9f4ba0c041da870b', 'security_groups': <neutron_lib.constants.Sentinel object at 0x7f6c12f7fed0>, 'description': ''} {{(pid=2035) __call__ /opt/stack/neutron/neutron/policy.py:347}}

Revision history for this message
Akihiro Motoki (amotoki) wrote :

I am exploring how to fix this.

My current idea is to implement the logic in the DB plugin. before() in the policy_enforcement hook should focus on evaluating a request body and it should trigger database accesses. I believe logic which depends on information stored in the neutron server needs to be placed in the basic db plugin. (The DB plugin provides the logic of the API server which depends on the data store.)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/652636

Changed in neutron:
assignee: Akihiro Motoki (amotoki) → Slawek Kaplonski (slaweq)
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/652636
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=039691220817db3519149b5e2fd2607365f3d8af
Submitter: Zuul
Branch: master

commit 039691220817db3519149b5e2fd2607365f3d8af
Author: Slawek Kaplonski <email address hidden>
Date: Mon Apr 15 14:17:27 2019 +0200

    Fix handling of network:shared field in policy module

    Some policy rules e.g. for create_port are using rule "network:shared"
    in which "shared" field is related to network resource instead of
    port directly.
    Because of that, "shared" was missing from "target" in policy
    enforce module thus validation wasn't working properly for such rule.

    This patch fixes it by adding to FieldCheck checker possibility to
    get network object and use its "shared" field to validate policy.

    Change-Id: I56c99883fce40c37a5ee26e6e661c0cc0783c42f
    Closes-Bug: #1808112

Changed in neutron:
status: In Progress → Fix Released
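
The failure Akihiro describes above (a 'field:networks:shared=True' check evaluated against a port body that has no 'shared' attribute) and the shape of the merged fix (resolve the network from the port's network_id and evaluate 'shared' on it), modelled as an added Python example. This is not neutron's or oslo.policy's code; the in-memory NETWORKS table, PORT_BODY and the two field_check functions are constructed here for illustration, reusing the ids from the debug log in the bug.

```python
# Added illustration, not neutron's or oslo.policy's own code: a minimal model
# of the "field:<resource>:<attr>=<value>" check behind neutron's rule:shared.

# Constructed sample data (assumption): one network, shared but owned by a
# different project, using the ids that appear in the bug's debug log.
NETWORKS = {
    "e6d2f9a6-75a3-4efe-9cd3-34c907664686": {
        "tenant_id": "c43e91ced0a44eca9f4ba0c041da870b", "shared": True},
}

# Constructed POST /v2.0/ports body as seen by the 'before' policy hook: it
# carries network_id and network:tenant_id, but never a 'shared' field.
PORT_BODY = {
    "network_id": "e6d2f9a6-75a3-4efe-9cd3-34c907664686",
    "network:tenant_id": "c43e91ced0a44eca9f4ba0c041da870b",
    "tenant_id": "5eb325aa0e62400a94770d515b569cb9",
    "fixed_ips": [{"subnet_id": "d8080cf0-f204-4e49-b20a-522bee4e8b72"}],
}


def field_check_original(resource, field, expected, target):
    """'field:networks:shared=True' evaluated on the raw target: with a port
    body as target the field is missing, so the rule can never match."""
    if field not in target:
        return False  # policy.py logs "Unable to find requested field"
    return str(target[field]).lower() == str(expected).lower()


def field_check_fixed(resource, field, expected, target, networks=NETWORKS):
    """Same check, but when the rule names the networks resource and the
    target is a port-like body, resolve the network and evaluate on it."""
    if resource == "networks" and field not in target and "network_id" in target:
        target = networks.get(target["network_id"], {})
    return field_check_original(resource, field, expected, target)


def create_port_subnet_id_allowed(context, port_body, field_check):
    """create_port:fixed_ips:subnet_id as 'rule:admin_or_network_owner or
    rule:shared' (rule:context_is_advsvc left out for brevity)."""
    admin_or_owner = context["is_admin"] or (
        context["project_id"] == port_body.get("network:tenant_id"))
    return admin_or_owner or field_check("networks", "shared", True, port_body)


if __name__ == "__main__":
    demo = {"project_id": "5eb325aa0e62400a94770d515b569cb9", "is_admin": False}
    print(create_port_subnet_id_allowed(demo, PORT_BODY, field_check_original))  # False (403)
    print(create_port_subnet_id_allowed(demo, PORT_BODY, field_check_fixed))     # True
```

With the original check a non-owner is denied on a shared network, exactly the 403 in the report; with the resolved network the same request passes while a non-shared network still denies it.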
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/657921

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.opendev.org/657938

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.opendev.org/657943

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/stein)

Reviewed: https://review.opendev.org/657921
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=3ed45a4584f9518dea6d55c1bc493ffe04d60637
Submitter: Zuul
Branch: stable/stein

commit 3ed45a4584f9518dea6d55c1bc493ffe04d60637
Author: Slawek Kaplonski <email address hidden>
Date: Mon Apr 15 14:17:27 2019 +0200

    Fix handling of network:shared field in policy module

    Some policy rules e.g. for create_port are using rule "network:shared"
    in which "shared" field is related to network resource instead of
    port directly.
    Because of that, "shared" was missing from "target" in policy
    enforce module thus validation wasn't working properly for such rule.

    This patch fixes it by adding to FieldCheck checker possibility to
    get network object and use its "shared" field to validate policy.

    Conflicts:
        neutron/tests/unit/test_policy.py

    Change-Id: I56c99883fce40c37a5ee26e6e661c0cc0783c42f
    Closes-Bug: #1808112
    (cherry picked from commit 039691220817db3519149b5e2fd2607365f3d8af)

tags: added: in-stable-stein
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/rocky)

Reviewed: https://review.opendev.org/657938
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=0bac0760565b444ec6c2fc383bb5e147e83d9e90
Submitter: Zuul
Branch: stable/rocky

commit 0bac0760565b444ec6c2fc383bb5e147e83d9e90
Author: Slawek Kaplonski <email address hidden>
Date: Mon Apr 15 14:17:27 2019 +0200

    Fix handling of network:shared field in policy module

    Some policy rules e.g. for create_port are using rule "network:shared"
    in which "shared" field is related to network resource instead of
    port directly.
    Because of that, "shared" was missing from "target" in policy
    enforce module thus validation wasn't working properly for such rule.

    This patch fixes it by adding to FieldCheck checker possibility to
    get network object and use its "shared" field to validate policy.

    Conflicts:
        neutron/tests/unit/test_policy.py

    Change-Id: I56c99883fce40c37a5ee26e6e661c0cc0783c42f
    Closes-Bug: #1808112
    (cherry picked from commit 039691220817db3519149b5e2fd2607365f3d8af)

tags: added: in-stable-rocky
tags: added: in-stable-queens
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/queens)

Reviewed: https://review.opendev.org/657943
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d02b0bef2147c8f1461853ccf1c63e099dc0e927
Submitter: Zuul
Branch: stable/queens

commit d02b0bef2147c8f1461853ccf1c63e099dc0e927
Author: Slawek Kaplonski <email address hidden>
Date: Mon Apr 15 14:17:27 2019 +0200

    Fix handling of network:shared field in policy module

    Some policy rules e.g. for create_port are using rule "network:shared"
    in which "shared" field is related to network resource instead of
    port directly.
    Because of that, "shared" was missing from "target" in policy
    enforce module thus validation wasn't working properly for such rule.

    This patch fixes it by adding to FieldCheck checker possibility to
    get network object and use its "shared" field to validate policy.

    Conflicts:
        neutron/tests/unit/test_policy.py

    Change-Id: I56c99883fce40c37a5ee26e6e661c0cc0783c42f
    Closes-Bug: #1808112
    (cherry picked from commit 039691220817db3519149b5e2fd2607365f3d8af)
    (cherry picked from commit fcfd46b231ef3fd379908e1035e201be19babe52)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 13.0.4

This issue was fixed in the openstack/neutron 13.0.4 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 14.0.2

This issue was fixed in the openstack/neutron 14.0.2 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 12.1.0

This issue was fixed in the openstack/neutron 12.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 15.0.0.0b1

This issue was fixed in the openstack/neutron 15.0.0.0b1 development milestone.
