neutron

List security groups by project admin may return 500

Bug #1934115 reported by Slawek Kaplonski on 2021-06-30

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	Fix Released	Medium	Slawek Kaplonski

Bug Description

When new RBAC policies and scopes are enforced in Neutron, there are system and project admins and project admin don't have access to resources from other projects.
Now, when project admin tries to list security groups for other project, empty list should be returned but as Neutron tries to ensure that default security group for that project is created it may happen that request will go to https://github.com/openstack/neutron/blob/25207ed9c0d929aa79270a118983c04f3476afc4/neutron/db/securitygroups_db.py#L144 and as it will return None for project admin, request will fail and error 500 will be returned.

In such case I think that context.elevated() should be used to get SG from DB. If user don't have permission to see it, it will be filtered out later by policy.

Tags:

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-06-30: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/798821

Changed in neutron:
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-08-04: Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/798821
Committed: https://opendev.org/openstack/neutron/commit/f6c3747caeac08df9d865312686be8eccb7f0472
Submitter: "Zuul (22348)"
Branch: master

commit f6c3747caeac08df9d865312686be8eccb7f0472
Author: Slawek Kaplonski <email address hidden>
Date: Wed Jun 30 11:28:36 2021 +0200

Use elevated context to get default SG from database

    With new system/project scopes it may happen that project admin
    will try to list security groups for different project and during
    that call Neutron will ensure that default security group is created.

    In such case elevated context needs to be used to get SG object from
    the database otherwise, SG will not be found and error 500 will be
    returned through the API.

    Use of elevated context is fine here as if user don't have access to
    the SG, it will be filtered out by policy mechanism and it will not
    be returned through API.

Closes-Bug: #1934115
Change-Id: I0ca07d1a1aaf05c1992aea9e29575580d7933324

Changed in neutron:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-08-04: Fix proposed to neutron (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/neutron/+/803439

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2021-08-26: Fix merged to neutron (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/803439
Committed: https://opendev.org/openstack/neutron/commit/4b8ebdef8d545dd5df7e5765eccc82b9136c92b0
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 4b8ebdef8d545dd5df7e5765eccc82b9136c92b0
Author: Slawek Kaplonski <email address hidden>
Date: Wed Jun 30 11:28:36 2021 +0200

Use elevated context to get default SG from database

    In such case elevated context needs to be used to get SG object from
    the database otherwise, SG will not be found and error 500 will be
    returned through the API.

    Use of elevated context is fine here as if user don't have access to
    the SG, it will be filtered out by policy mechanism and it will not
    be returned through API.

    Closes-Bug: #1934115
    Change-Id: I0ca07d1a1aaf05c1992aea9e29575580d7933324
    (cherry picked from commit f6c3747caeac08df9d865312686be8eccb7f0472)