rule:shared is not respected in port/subnet create
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Medium | Slawek Kaplonski | 
Bug Description
In neutron policy.json there are rules like:
"create_
"create_
"create_
but when I'm trying to create a port with a given subnet_id (but without ip_address) as a regular user, I can't do that because policy.json forbids it. I got an error like:
[09:53:12] vagrant@
HttpException: 403: Client Error for url: http://
Even if I changed the first of those rules to be like:
"create_
it is still failing, and I think that it's because rule:shared is related to the network, but during this POST call the target enforced by policy is the port, and the port resource doesn't have a shared field at all.
tags: added: api
Changed in neutron:
status: New → Confirmed
Changed in neutron:
assignee: nobody → Akihiro Motoki (amotoki)
Briefly speaking, the "rule:shared" rule does not work in authz for POST/PUT/DELETE calls (as a "before" hook). The implementation turns out to be completely wrong.
The details follow.
The "rule:shared" rule is defined as 'field:networks:shared=True' [1], and this assumes that the target object contains a 'shared' attribute. The 'field' check is designed to be used in attribute filtering after API calls (the 'after' hook in policy_enforcement.py in the pecan_wsgi implementation).
In the case of the bug report, the POST method is called, and at the time of the 'before' policy_enforcement hook the target object is the body of the POST call; no actual network information has been retrieved from the database.
[1] https://github.com/openstack/neutron/blob/master/neutron/conf/policies/base.py#L51-L54
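The following is an added, self-contained Python simulation of the mismatch described in the comment above; it is not neutron's code and not the fix that was released. It re-implements only the semantics of a `field:<resource>:<field>=<value>` check (a target dict must carry the named field with the named value), runs it against the two kinds of target the comment contrasts, and then shows one hypothetical way such a check could resolve the referenced network itself. `NETWORKS_DB`, `FieldCheck`, `ResolvingFieldCheck`, `lookup` and the `check_shared_*` helpers are names chosen for this example, and the network and port dicts are constructed sample data.

```python
"""Simulation of a 'field:' policy check evaluated against different targets.

Added example (not neutron code). It illustrates why a rule defined as
'field:networks:shared=True' cannot pass in the 'before' hook of
POST /ports: the target there is the request body, which has no 'shared'
key, so the check fails no matter whether the referenced network is shared.
"""
import re

# Constructed stand-in for the networks table (sample data, not real).
NETWORKS_DB = {
    "net-shared": {"id": "net-shared", "tenant_id": "admin-proj", "shared": True},
    "net-private": {"id": "net-private", "tenant_id": "admin-proj", "shared": False},
}


def _convert(value):
    """Minimal value conversion: 'True'/'False' strings become booleans."""
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    return value


class FieldCheck:
    """Minimal re-implementation of a 'field:<resource>:<field>=<value>' check.

    The check only looks at the target dict it is handed; it never fetches
    the resource named in the rule.
    """

    def __init__(self, match):
        resource, field_value = match.split(":", 1)
        field, value = field_value.split("=", 1)
        self.resource = resource
        self.field = field
        self.value = _convert(value)
        # A leading '~' means the remainder is a regex, as in neutron's syntax.
        self.regex = re.compile(value[1:]) if value.startswith("~") else None

    def __call__(self, target):
        target_value = target.get(self.field)
        if target_value is None:  # field absent from the target -> check fails
            return False
        if self.regex:
            return bool(self.regex.match(str(target_value)))
        return target_value == self.value


def check_shared_before_hook(port_body):
    """'before' hook: the target is the POST body of the port being created."""
    return FieldCheck("networks:shared=True")(port_body)


def check_shared_after_hook(network_row):
    """'after' hook / attribute filtering: the target is a network object."""
    return FieldCheck("networks:shared=True")(network_row)


class ResolvingFieldCheck(FieldCheck):
    """Hypothetical variant (not neutron's fix): when the target lacks the
    field but carries '<resource singular>_id', look the resource up and
    evaluate the field on that row instead."""

    def __init__(self, match, lookup_fn):
        super().__init__(match)
        self.lookup_fn = lookup_fn

    def __call__(self, target):
        if self.field in target:
            return super().__call__(target)
        ref_key = self.resource[:-1] + "_id"  # 'networks' -> 'network_id'
        ref_id = target.get(ref_key)
        row = self.lookup_fn(self.resource, ref_id) if ref_id else None
        if row is None:
            return False  # unknown or unreferenced resource: deny
        return super().__call__(row)


def lookup(resource, obj_id):
    """Constructed lookup against the sample table."""
    if resource != "networks":
        return None
    return NETWORKS_DB.get(obj_id)


def check_shared_resolving(port_body):
    return ResolvingFieldCheck("networks:shared=True", lookup)(port_body)


if __name__ == "__main__":
    body = {"network_id": "net-shared", "tenant_id": "demo",
            "fixed_ips": [{"subnet_id": "subnet-1"}]}
    print(check_shared_before_hook(body))                       # False
    print(check_shared_after_hook(NETWORKS_DB["net-shared"]))   # True
    print(check_shared_resolving(body))                         # True
```

The first call reproduces the 403 from the bug report: the port body references a shared network, yet the check is false because it inspects the body, not the network. The resolving variant is only a sketch of the kind of lookup a 'before' hook would need; how neutron actually resolved this is not described on this page.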