Horizon network port create panel shows "port security" checkbox that breaks port creation for non-admin users

Bug #1841050 reported by Radomir Dopieralski
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Dashboard (Horizon) | In Progress | Undecided | Radomir Dopieralski |

Bug Description

When creating a network port, we display the "port security" checkbox even when the user has no right to set it. That results in a policy error when the form is submitted.

We should be checking for the user's rights, and not display that checkbox (and not pass the related parameter in the API call) when those are insufficient for setting it.

tags: added: neutron
Changed in horizon:
assignee: nobody → Radomir Dopieralski (deshipu)
Ivan Kolodyazhny (e0ne)
Changed in horizon:
status: New → Confirmed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/horizon/+/810224

Changed in horizon:
status: Confirmed → In Progress
Vishal Manchanda (vishalmanchanda) wrote :

@radomir hi, with which user do you face this issue? I tried to create/update a Network Port for non-admin users with reader/service roles, but I am always able to create a Network Port without any issues. Please find below the steps I performed:

1. Created a user: Identity -> Create User (with Primary Project as demo and Role with reader field)
2. Log in with the above user.
3. Project -> Network -> Ports -> Create Port

Could you please add some steps to reproduce this issue so I can test your patch?

Radomir Dopieralski (deshipu) wrote :

The customer has created a custom Neutron policy, in which he explicitly disabled the network:create_port:port_security_enabled and network:update_port:port_security_enabled rights for a user, while allowing the other rights. The issue does not exist with the default policy files.

Sam Morrison (sorrison) wrote :

We have this issue with the default policy. The issue for us is that if the network is a shared network owned by an admin and the port within that network is owned by the user, then the user isn't allowed to update port security.

Policy is

"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",

One way to help mitigate this is to not send neutron the port_security_enabled attribute if this attribute is not being changed by the user.

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/horizon/+/819027

Sam Morrison (sorrison) wrote :

Somehow I missed that there is already a proposed fix for this. Feel free to ignore my approach if the previous one is better; mine didn't handle all scenarios.

OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.opendev.org/c/openstack/horizon/+/819027
Committed: https://opendev.org/openstack/horizon/commit/d059b0bc40f04befc60657cd6504cc5711934b90
Submitter: "Zuul (22348)"
Branch: master

commit d059b0bc40f04befc60657cd6504cc5711934b90
Author: Sam Morrison <email address hidden>
Date: Tue Nov 23 13:56:23 2021 +1100

    Don't try and update port security if its not changing

    Default policy in neutron doesn't allow port security to change
    if network not owned by the user. To allow users to update other
    attributes of a port don't send port_security_enabled attribute
    to neutron unless it changes.

    If user tries to change port security on a port in a network not
    owned by them it will still error as it does now.

    Partial-Bug: #1841050

    Change-Id: I301336103cabc3f1cab3ee72d7743385ff1a10d6
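
The behaviour described in Sam Morrison's comment and in this commit message, as an added example that is not Horizon's or Neutron's code. The policy check is a toy model of the rule quoted in the thread; all function names and sample data are hypothetical, and it assumes the attribute-level rule is evaluated whenever the attribute appears in the request body.

```python
class PolicyNotAuthorized(Exception):
    """Stands in for the policy error returned on a failed check."""


def may_update_port_security(user, network):
    # Toy model of the rule quoted in the thread:
    # "rule:context_is_advsvc or rule:admin_or_network_owner"
    return (user.get("is_advsvc", False)
            or user.get("is_admin", False)
            or user["project_id"] == network["project_id"])


def fake_neutron_update_port(user, network, port, body):
    # Assumption: the rule fires when the attribute is present in the
    # body, even if the submitted value equals the stored one.
    if ("port_security_enabled" in body
            and not may_update_port_security(user, network)):
        raise PolicyNotAuthorized("update_port:port_security_enabled")
    return {**port, **body}


def changed_fields(initial, submitted):
    """Keep only attributes whose submitted value differs from the stored one."""
    return {k: v for k, v in submitted.items() if initial.get(k) != v}


# Constructed sample data: shared network owned by an admin project,
# port owned by the user's own project.
NETWORK = {"id": "net-1", "project_id": "admin-project", "shared": True}
USER = {"project_id": "demo-project"}
PORT = {"name": "old", "admin_state_up": True, "port_security_enabled": True}


def try_update(body, user=USER):
    """Send an update and return the new port or the policy error string."""
    try:
        return fake_neutron_update_port(user, NETWORK, PORT, body)
    except PolicyNotAuthorized as exc:
        return f"403 {exc}"


if __name__ == "__main__":
    form = {**PORT, "name": "new"}             # user only renamed the port
    print(try_update(form))                    # whole form sent: policy error
    print(try_update(changed_fields(PORT, form)))  # diff only: rename succeeds
    toggle = {**PORT, "port_security_enabled": False}
    print(try_update(changed_fields(PORT, toggle)))  # real change: still denied
```

Sending only the diff removes the spurious denial without weakening the policy: an actual change to port_security_enabled by a non-owner is still rejected server-side.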

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/horizon/+/859153

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/horizon/+/859154

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/horizon/+/859155

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/horizon/+/859156

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/horizon/+/859157

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/horizon/+/859158

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/horizon/+/859159

OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/horizon/+/859153
Committed: https://opendev.org/openstack/horizon/commit/e79aa87e111a685c006997c0a903123b9ed035de
Submitter: "Zuul (22348)"
Branch: stable/zed

commit e79aa87e111a685c006997c0a903123b9ed035de
Author: Sam Morrison <email address hidden>
Date: Tue Nov 23 13:56:23 2021 +1100

    Don't try and update port security if its not changing

    Default policy in neutron doesn't allow port security to change
    if network not owned by the user. To allow users to update other
    attributes of a port don't send port_security_enabled attribute
    to neutron unless it changes.

    If user tries to change port security on a port in a network not
    owned by them it will still error as it does now.

    Partial-Bug: #1841050

    Change-Id: I301336103cabc3f1cab3ee72d7743385ff1a10d6
    (cherry picked from commit d059b0bc40f04befc60657cd6504cc5711934b90)

tags: added: in-stable-zed
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/horizon/+/859154
Committed: https://opendev.org/openstack/horizon/commit/618e44469643ca32222fb5883502582897eeafba
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit 618e44469643ca32222fb5883502582897eeafba
Author: Sam Morrison <email address hidden>
Date: Tue Nov 23 13:56:23 2021 +1100

    Don't try and update port security if its not changing

    Default policy in neutron doesn't allow port security to change
    if network not owned by the user. To allow users to update other
    attributes of a port don't send port_security_enabled attribute
    to neutron unless it changes.

    If user tries to change port security on a port in a network not
    owned by them it will still error as it does now.

    Partial-Bug: #1841050

    Change-Id: I301336103cabc3f1cab3ee72d7743385ff1a10d6
    (cherry picked from commit d059b0bc40f04befc60657cd6504cc5711934b90)

tags: added: in-stable-yoga
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/horizon/+/859156
Committed: https://opendev.org/openstack/horizon/commit/f3e917ea8e817c4897742a08ce9fa93770548252
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit f3e917ea8e817c4897742a08ce9fa93770548252
Author: Sam Morrison <email address hidden>
Date: Tue Nov 23 13:56:23 2021 +1100

    Don't try and update port security if its not changing

    Default policy in neutron doesn't allow port security to change
    if network not owned by the user. To allow users to update other
    attributes of a port don't send port_security_enabled attribute
    to neutron unless it changes.

    If user tries to change port security on a port in a network not
    owned by them it will still error as it does now.

    Partial-Bug: #1841050

    Change-Id: I301336103cabc3f1cab3ee72d7743385ff1a10d6
    (cherry picked from commit d059b0bc40f04befc60657cd6504cc5711934b90)

tags: added: in-stable-wallaby