With new RBAC enabled (enforce_scope and enforce_new_defaults): 'router:external' field is missing in network list response

Bug #1996836 reported by Ghanshyam Mann
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Slawek Kaplonski

Bug Description

I was testing the tempest with the new RBAC enabled which means in neutron.conf enable the below options:

[oslo_policy]
enforce_scope = True
enforce_new_defaults = True

https://zuul.opendev.org/t/openstack/build/e447385546c749f8b38bc4c411088dc1/log/controller/logs/etc/neutron/neutron_conf.txt#1928

Tempest external network tests do a network list, but the 'router:external' field is missing in the network list response:

- https://zuul.opendev.org/t/openstack/build/e447385546c749f8b38bc4c411088dc1/log/job-output.txt#23754

The policy defaults for 'router:external' seem fine:
- https://github.com/openstack/neutron/blob/bf44e70db6219e7f3a45bd61b7dd14a31ae33bb0/neutron/conf/policies/network.py#L193

But it seems enforce_scope is restricting it somewhere; is this check in the context causing it not to be returned?
- https://github.com/openstack/neutron-lib/blob/9ecd5995b6c598cee931087bf13fdd166f404034/neutron_lib/context.py#L125

We should not add system:all in neutron as system scope is not supported in neutron policy now.
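The two causes that the report and the commit messages below describe (neutron-lib forcing system_scope:all onto the context under enforce_scope, and the S-RBAC rule for get_network:router:external hiding the attribute on other projects' external networks), modelled as a self-contained Python sketch. This is an added example, not neutron or neutron-lib code; the Context class, the rule functions and the network records are constructed stand-ins for the real oslo.policy and neutron objects.

```python
# Added example (not neutron/neutron-lib code): a minimal model of how a per-attribute
# policy such as "get_network:router:external" is enforced while a network list is
# built. Context, rule and network values are constructed for this illustration.
from dataclasses import dataclass

@dataclass
class Context:
    project_id: str
    roles: tuple
    is_admin: bool = False
    system_scope: str = ""  # neutron-lib bug: forced to "all" under enforce_scope

def token_scope(ctx):
    # oslo.policy derives the token scope from the credentials it is given
    return "system" if ctx.system_scope else "project"

def admin_or_project_reader(ctx, target):
    # the old S-RBAC rule for the attribute, registered with scope_types=['project']
    return ctx.is_admin or ("reader" in ctx.roles and ctx.project_id == target["project_id"])

def attribute_allowed(rule, ctx, target, scope_types=("project",), enforce_scope=True):
    """Scope check first (InvalidScope in oslo.policy), then the rule itself."""
    if rule is None:  # neutron fix: no rule registered, so nothing to enforce
        return True
    if enforce_scope and token_scope(ctx) not in scope_types:
        return False  # a failed check means "hide the attribute" in the list response
    return rule(ctx, target)

def list_networks(networks, ctx, rule):
    """Visible networks, with router:external stripped where the check fails."""
    out = []
    for net in networks:
        if net["project_id"] != ctx.project_id and not net["shared"]:
            continue
        shown = dict(net)
        if not attribute_allowed(rule, ctx, net):
            shown.pop("router:external", None)
        out.append(shown)
    return out

# Constructed sample: one own network plus an external (hence shared) network of another project.
NETWORKS = [
    {"id": "own", "project_id": "p1", "shared": False, "router:external": False},
    {"id": "ext", "project_id": "other", "shared": True, "router:external": True},
]

def field_visible(ctx, rule):
    # network id -> whether router:external survived in the response
    return {n["id"]: "router:external" in n for n in list_networks(NETWORKS, ctx, rule)}

BUGGY_CTX = Context("p1", ("reader", "member"), system_scope="all")  # before neutron-lib fix
FIXED_CTX = Context("p1", ("reader", "member"))  # project-scoped reader after the fix
```

With the forced system scope every check fails, so the field vanishes from every network; with the scope fixed but the old rule kept, it still vanishes from the other project's external network; with the rule removed it is always returned.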

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lib (master)
Changed in neutron:
status: New → In Progress
Ghanshyam Mann (ghanshyammann) wrote :
Changed in neutron:
importance: Undecided → High
Changed in neutron:
assignee: nobody → Slawek Kaplonski (slaweq)
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-lib (master)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/864809
Committed: https://opendev.org/openstack/neutron-lib/commit/cf494c8be10b36daf238fa12cf7c615656e6640d
Submitter: "Zuul (22348)"
Branch: master

commit cf494c8be10b36daf238fa12cf7c615656e6640d
Author: Ghanshyam Mann <email address hidden>
Date: Wed Nov 16 20:43:48 2022 -0600

    Do not set system scope on context

    If enforce_scope is true then system scope (system_scope:all)
    is set on context which is not valid now because neutron does not
    support the system scope and everything operates on a project scope
    token.

    Related-bug: #1996836
    Change-Id: Ia0b3e39f70c30cd906ce57652f3da4c3c0adaaa8

tags: added: access-control
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/865032

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/865032
Committed: https://opendev.org/openstack/neutron/commit/0ef4f988254457ae460f192a334ccd6776688afb
Submitter: "Zuul (22348)"
Branch: master

commit 0ef4f988254457ae460f192a334ccd6776688afb
Author: Slawek Kaplonski <email address hidden>
Date: Fri Nov 18 16:04:01 2022 +0100

    Remove policy rule for get_network:router:external

    In legacy RBAC rules, get of the network's router:external attribute was
    available for everyone (rule:regular_user). In new S-RBAC rules it was
    made available for admin users and for PROJECT_READER. This didn't
    really have the same result, as the router:external attribute wasn't visible
    for networks which belong to other projects.

    Networks which are set to be external are automatically shared with all
    other projects, and each user from such projects should be able to check
    for every visible network whether it is external or not.
    Overall, the extra policy rule for "get_network:router:external" isn't
    really necessary and this patch removes it.

    Closes-Bug: #1996836
    Change-Id: I5fe4a0134c6ecf5cf28e2f5d59411134546c98b0

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-lib (stable/zed)

Related fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/neutron-lib/+/874133

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-lib (stable/yoga)

Related fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/neutron-lib/+/874385

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-lib (stable/xena)

Related fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/neutron-lib/+/874392

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/neutron/+/874398

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/874398
Committed: https://opendev.org/openstack/neutron/commit/aa8df53e7b973aed0522d3ece72703232d1747e1
Submitter: "Zuul (22348)"
Branch: stable/zed

commit aa8df53e7b973aed0522d3ece72703232d1747e1
Author: Slawek Kaplonski <email address hidden>
Date: Fri Nov 18 16:04:01 2022 +0100

    Remove policy rule for get_network:router:external

    In legacy RBAC rules, get of the network's router:external attribute was
    available for everyone (rule:regular_user). In new S-RBAC rules it was
    made available for admin users and for PROJECT_READER. This didn't
    really have the same result, as the router:external attribute wasn't visible
    for networks which belong to other projects.

    Networks which are set to be external are automatically shared with all
    other projects, and each user from such projects should be able to check
    for every visible network whether it is external or not.
    Overall, the extra policy rule for "get_network:router:external" isn't
    really necessary and this patch removes it.

    Closes-Bug: #1996836
    Change-Id: I5fe4a0134c6ecf5cf28e2f5d59411134546c98b0
    (cherry picked from commit 0ef4f988254457ae460f192a334ccd6776688afb)

tags: added: in-stable-zed
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 22.0.0.0rc1

This issue was fixed in the openstack/neutron 22.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 21.1.0

This issue was fixed in the openstack/neutron 21.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-lib (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/874133
Committed: https://opendev.org/openstack/neutron-lib/commit/7bc352a4900d8b8ca42b6d4d50a2d7e104a710b7
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 7bc352a4900d8b8ca42b6d4d50a2d7e104a710b7
Author: Ghanshyam Mann <email address hidden>
Date: Wed Nov 16 20:43:48 2022 -0600

    Do not set system scope on context

    If enforce_scope is true then system scope (system_scope:all)
    is set on context which is not valid now because neutron does not
    support the system scope and everything operates on a project scope
    token.

    Related-bug: #1996836
    Change-Id: Ia0b3e39f70c30cd906ce57652f3da4c3c0adaaa8
    (cherry picked from commit cf494c8be10b36daf238fa12cf7c615656e6640d)

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-lib (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/874385
Committed: https://opendev.org/openstack/neutron-lib/commit/e0359848687518109e6ed826e402bf2589d3e58f
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit e0359848687518109e6ed826e402bf2589d3e58f
Author: Ghanshyam Mann <email address hidden>
Date: Wed Nov 16 20:43:48 2022 -0600

    Do not set system scope on context

    If enforce_scope is true then system scope (system_scope:all)
    is set on context which is not valid now because neutron does not
    support the system scope and everything operates on a project scope
    token.

    Conflicts:
        neutron_lib/context.py

    Related-bug: #1996836
    Change-Id: Ia0b3e39f70c30cd906ce57652f3da4c3c0adaaa8
    (cherry picked from commit cf494c8be10b36daf238fa12cf7c615656e6640d)
    (cherry picked from commit 7bc352a4900d8b8ca42b6d4d50a2d7e104a710b7)

tags: added: in-stable-yoga
tags: added: in-stable-xena
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-lib (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/874392
Committed: https://opendev.org/openstack/neutron-lib/commit/3d093e6793541045cc371cc9d1de6300691f1f75
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 3d093e6793541045cc371cc9d1de6300691f1f75
Author: Ghanshyam Mann <email address hidden>
Date: Wed Nov 16 20:43:48 2022 -0600

    Do not set system scope on context

    If enforce_scope is true then system scope (system_scope:all)
    is set on context which is not valid now because neutron does not
    support the system scope and everything operates on a project scope
    token.

    Conflicts:
        neutron_lib/context.py

    Related-bug: #1996836
    Change-Id: Ia0b3e39f70c30cd906ce57652f3da4c3c0adaaa8
    (cherry picked from commit cf494c8be10b36daf238fa12cf7c615656e6640d)
    (cherry picked from commit 7bc352a4900d8b8ca42b6d4d50a2d7e104a710b7)
