[SRBAC] API policies for get_policy_*_rule are wrong

Bug #2018727 reported by Slawek Kaplonski
This bug affects 1 person
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Slawek Kaplonski
Milestone: (not set)

Bug Description

With the new defaults, policies for get QoS rules are set to ADMIN_OR_PROJECT_READER, but that's wrong as rules don't have an owner. Those API rules should always be based on the parent owner (qos_policy).

Those tests are currently skipped in our CI job neutron-tempest-plugin-openvswitch-enforce-scope-new-defaults due to another bug (https://bugs.launchpad.net/neutron/+bug/2018585).
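
Added example (not part of the original report, and not neutron or oslo.policy code): a small model of why an ownership check evaluated on a QoS rule itself cannot identify the owner, while one evaluated on the parent QoS policy can. The sample data, the Context class and the check functions are constructed for illustration, and denying when the owner attribute is missing is an assumption of this model.

```python
from dataclasses import dataclass

# Constructed sample data: the QoS policy has an owner, its rule does not.
QOS_POLICIES = {"pol-1": {"id": "pol-1", "project_id": "proj-a"}}
QOS_RULES = {"rule-1": {"id": "rule-1", "qos_policy_id": "pol-1", "max_kbps": 1000}}


@dataclass(frozen=True)
class Context:
    project_id: str
    roles: frozenset = frozenset()
    is_admin: bool = False


def project_reader(ctx, target):
    """Reader role plus ownership read from the target itself."""
    owner = target.get("project_id")  # absent on a QoS rule
    return "reader" in ctx.roles and owner is not None and owner == ctx.project_id


def parent_owner_reader(ctx, target):
    """Reader role plus ownership read from the parent QoS policy."""
    parent = QOS_POLICIES.get(target.get("qos_policy_id"))
    return ("reader" in ctx.roles and parent is not None
            and parent["project_id"] == ctx.project_id)


def admin_or(check):
    """Combine a check with an admin bypass (model of the ADMIN_OR_* pattern)."""
    return lambda ctx, target: ctx.is_admin or check(ctx, target)


def can_get_rule(check, ctx, rule_id):
    """Authorize a GET on one QoS rule; unknown rules are denied."""
    rule = QOS_RULES.get(rule_id)
    return rule is not None and check(ctx, rule)


# Model stand-ins named after the rules mentioned in the report.
ADMIN_OR_PROJECT_READER = admin_or(project_reader)
ADMIN_OR_PARENT_OWNER_READER = admin_or(parent_owner_reader)

if __name__ == "__main__":
    owner = Context("proj-a", frozenset({"reader"}))
    other = Context("proj-b", frozenset({"reader"}))
    for name, chk in (("project", ADMIN_OR_PROJECT_READER),
                      ("parent", ADMIN_OR_PARENT_OWNER_READER)):
        print(name, can_get_rule(chk, owner, "rule-1"),
              can_get_rule(chk, other, "rule-1"))
```

In this model the project-based check can only ever succeed through the admin bypass, because the rule carries no owner to compare against; the parent-based check admits the policy owner and still denies readers from other projects.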

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/882688

Changed in neutron:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-tempest-plugin (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/882818

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/882688
Committed: https://opendev.org/openstack/neutron/commit/be0dc09d52efd5e7236a33be552edb6644371cd0
Submitter: "Zuul (22348)"
Branch: master

commit be0dc09d52efd5e7236a33be552edb6644371cd0
Author: Slawek Kaplonski <email address hidden>
Date: Tue May 9 12:28:03 2023 +0200

    [S-RBAC] Fix new policies for get QoS rules APIs

    During the transition to the new secure RBAC API policies, we made a mistake
    with the policies for QoS rules by defining them to be available for
    ADMIN_OR_PROJECT_READER. This can't be like that as QoS rules don't have
    a tenant_id attribute and always belong to the owner of the QoS policy.

    To fix that, this patch introduces new rules:
    ADMIN_OR_PARENT_OWNER_READER
    ADMIN_OR_PARENT_OWNER_MEMBER

    and uses those in the QoS rules APIs.

    Closes-Bug: #2018727
    Change-Id: I522aeab5094b3f4854303d5e18f3abf6130fb33c

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-tempest-plugin (master)

Reviewed: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/882818
Committed: https://opendev.org/openstack/neutron-tempest-plugin/commit/fdfb4741f60a0309939f82f7aa44a11c5f2bbd31
Submitter: "Zuul (22348)"
Branch: master

commit fdfb4741f60a0309939f82f7aa44a11c5f2bbd31
Author: Slawek Kaplonski <email address hidden>
Date: Wed May 10 12:48:49 2023 +0200

    [S-RBAC] Update DSCP marking rule create API test

    In the test_qos_dscp_create_and_update API test, the QoS policy was made as
    the admin user (which is correct) but was also owned by the admin project. And
    later, to check if the DSCP marking rule was created in that policy
    properly, the regular client is used instead.
    The problem is that with the new S-RBAC API policies, rules are visible to
    owners of the policy, not to all users. And due to that this test is
    failing with the new S-RBAC policies enforced.

    This patch fixes it by changing the owner of the QoS policy to the regular
    client's project.

    Related-Bug: #2018727
    Change-Id: Iadf69c167cdda0017084e482a58116520a1ea80f

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/neutron/+/882958

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/neutron/+/882961

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/882961
Committed: https://opendev.org/openstack/neutron/commit/9177e90db480489465d1a6cb1a50d62d959dcd7a
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 9177e90db480489465d1a6cb1a50d62d959dcd7a
Author: Slawek Kaplonski <email address hidden>
Date: Tue May 9 12:28:03 2023 +0200

    [S-RBAC] Fix new policies for get QoS rules APIs

    During the transition to the new secure RBAC API policies, we made a mistake
    with the policies for QoS rules by defining them to be available for
    ADMIN_OR_PROJECT_READER. This can't be like that as QoS rules don't have
    a tenant_id attribute and always belong to the owner of the QoS policy.

    To fix that, this patch introduces new rules:
    ADMIN_OR_PARENT_OWNER_READER
    ADMIN_OR_PARENT_OWNER_MEMBER

    and uses those in the QoS rules APIs.

    Closes-Bug: #2018727
    Change-Id: I522aeab5094b3f4854303d5e18f3abf6130fb33c
    (cherry picked from commit be0dc09d52efd5e7236a33be552edb6644371cd0)
    (cherry picked from commit 572cc2d43e669797a9d03d2e9daf174dfe8566ff)

tags: added: in-stable-zed
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/882958
Committed: https://opendev.org/openstack/neutron/commit/572cc2d43e669797a9d03d2e9daf174dfe8566ff
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 572cc2d43e669797a9d03d2e9daf174dfe8566ff
Author: Slawek Kaplonski <email address hidden>
Date: Tue May 9 12:28:03 2023 +0200

    [S-RBAC] Fix new policies for get QoS rules APIs

    During the transition to the new secure RBAC API policies, we made a mistake
    with the policies for QoS rules by defining them to be available for
    ADMIN_OR_PROJECT_READER. This can't be like that as QoS rules don't have
    a tenant_id attribute and always belong to the owner of the QoS policy.

    To fix that, this patch introduces new rules:
    ADMIN_OR_PARENT_OWNER_READER
    ADMIN_OR_PARENT_OWNER_MEMBER

    and uses those in the QoS rules APIs.

    Closes-Bug: #2018727
    Change-Id: I522aeab5094b3f4854303d5e18f3abf6130fb33c
    (cherry picked from commit be0dc09d52efd5e7236a33be552edb6644371cd0)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 22.0.1

This issue was fixed in the openstack/neutron 22.0.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 21.1.1

This issue was fixed in the openstack/neutron 21.1.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 23.0.0.0b3

This issue was fixed in the openstack/neutron 23.0.0.0b3 development milestone.
