Bug #1498790 “rbac: can't delete other tenant's port on own netw...” : Bugs : neutron

Kevin Benton (kevinbenton) on 2015-09-23

Changed in neutron:
assignee:	nobody → Kevin Benton (kevinbenton)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-09-23: Fix proposed to neutron (master)

#1

Fix proposed to branch: master
Review: https://review.openstack.org/226665

Changed in neutron:
status:	New → In Progress

Armando Migliaccio (armando-migliaccio) on 2015-10-14

Changed in neutron:
importance:	Undecided → High
tags:	added: api

Revision history for this message

Armando Migliaccio (armando-migliaccio) wrote on 2015-10-14:

#2

It'd be nice to show with actual CLI steps what how to repro this bug, you'd get a golden foil wrapped chocolate star.

Armando Migliaccio (armando-migliaccio) on 2015-11-20

tags:

added: access-control

Revision history for this message

ZongKai LI (zongkai) wrote on 2015-12-10:

#3

@Kevin Benton
I've seen you just marked https://bugs.launchpad.net/neutron/+bug/1524357 as duplicated to this one, I'm not sure why you did that.

For general operation, common user should get ports first, then delete ports. I reviewed your patch, I didn't find anything for get_ports/list operation, I don't think you recognized issue for list operation one is precondition for your patch.

I tried your patch just for port deleting, seems not work, getting "resource not found" as result, not sure if anything missing. I also tried my patch work with/without your patch, list operation both work, so it should be separated.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-01-13:

#4

Fix proposed to branch: master
Review: https://review.openstack.org/266877

Changed in neutron:
assignee:	Kevin Benton (kevinbenton) → ZongKai LI (lzklibj)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-01-13:

#5

Fix proposed to branch: master
Review: https://review.openstack.org/266900

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-01-14: Change abandoned on neutron (master)

#6

Change abandoned by ZongKai LI (<email address hidden>) on branch: master
Review: https://review.openstack.org/266877
Reason: Add into https://review.openstack.org/#/c/255285/4

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-01-14:

#7

Change abandoned by ZongKai LI (<email address hidden>) on branch: master
Review: https://review.openstack.org/266900
Reason: Add into https://review.openstack.org/#/c/255285/4

neo (524722778-8) on 2016-01-27

Changed in neutron:
status:	In Progress → Confirmed

OpenStack Infra (hudson-openstack) on 2016-02-11

Changed in neutron:
status:	Confirmed → In Progress

Armando Migliaccio (armando-migliaccio) on 2016-03-12

Changed in neutron:
milestone:	none → mitaka-rc1

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-03-12:

#8

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/226665
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-03-15: Related fix proposed to neutron (master)

#9

Related fix proposed to branch: master
Review: https://review.openstack.org/292744

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-03-15: Fix merged to neutron (master)

#10

Reviewed: https://review.openstack.org/255285
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=67abf5f9f0e957150dd3b3b673094845810f9ea1
Submitter: Jenkins
Branch: master

commit 67abf5f9f0e957150dd3b3b673094845810f9ea1
Author: lzklibj <email address hidden>
Date: Wed Dec 9 21:52:05 2015 +0800

RBAC: Fix port query and deletion for network owner

Network owner should be able to get all ports and delete ports on
network as policy allowed. But current code fails to support this.

Current model query for Port is still based on tenant_id, it forgets
to check for network owner when context tenant_id is not port owner.

    For port_delete action, policy will generate checking rules for port
    attributes, such as:
        rule:delete_port:binding:vif_details
        rule:delete_port:binding:vif_type
    This doesn't make sense, only single policy rule "rule:delete_port"
    is enough to check.

This patch fixes this issue.

    Co-Authored-By: Kevin Benton <email address hidden>
    Change-Id: I55328cb43207654b9bb4cfb732923982d020ab0a
    Closes-Bug: #1498790

Changed in neutron:
status:	In Progress → Fix Released

Revision history for this message

Thierry Carrez (ttx) wrote on 2016-03-16: Fix included in openstack/neutron 8.0.0.0rc1

#11

This issue was fixed in the openstack/neutron 8.0.0.0rc1 release candidate.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-04-08: Related fix merged to neutron (master)

#12

Reviewed: https://review.openstack.org/292744
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=a374e52c4c9b2465b736d34aeac0ca5c92755944
Submitter: Jenkins
Branch: master

commit a374e52c4c9b2465b736d34aeac0ca5c92755944
Author: Kevin Benton <email address hidden>
Date: Mon Mar 14 01:59:37 2016 -0700

Add API test ensure tenant can't delete other ports

    Change I55328cb43207654b9bb4cfb732923982d020ab0a fixed
    the policy enforcement to ensure that tenants could
    delete ports on networks they didn't own. However, it
    required a change to the policy engine so this test
    adds a patch to ensure that it didn't break the normal
    case that prevents tenants from deleting other tenant's
    ports on networks they don't own.

Change-Id: I3118ec79c213c4eea4c5ca494e530c33189f6c59
Related-Bug: #1498790

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-13: Fix proposed to neutron (stable/liberty)

#13

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/316287

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-18: Fix merged to neutron (stable/liberty)

#14

Reviewed: https://review.openstack.org/316287
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=c6f81881ef1fc0f0dce8f02568747ad216a450a7
Submitter: Jenkins
Branch: stable/liberty

commit c6f81881ef1fc0f0dce8f02568747ad216a450a7
Author: lzklibj <email address hidden>
Date: Wed Dec 9 21:52:05 2015 +0800

RBAC: Fix port query and deletion for network owner

Network owner should be able to get all ports and delete ports on
network as policy allowed. But current code fails to support this.

Current model query for Port is still based on tenant_id, it forgets
to check for network owner when context tenant_id is not port owner.

    For port_delete action, policy will generate checking rules for port
    attributes, such as:
        rule:delete_port:binding:vif_details
        rule:delete_port:binding:vif_type
    This doesn't make sense, only single policy rule "rule:delete_port"
    is enough to check.

This patch fixes this issue.

    Co-Authored-By: Kevin Benton <email address hidden>
    Change-Id: I55328cb43207654b9bb4cfb732923982d020ab0a
    Closes-Bug: #1498790
    (cherry picked from commit 67abf5f9f0e957150dd3b3b673094845810f9ea1)

tags:

added: in-stable-liberty

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-26: Related fix proposed to neutron (stable/liberty)

#15

Related fix proposed to branch: stable/liberty
Review: https://review.openstack.org/321789

Revision history for this message

Thierry Carrez (ttx) wrote on 2016-06-01: Fix included in openstack/neutron 7.1.0

#16

This issue was fixed in the openstack/neutron 7.1.0 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-07-16: Related fix merged to neutron (stable/liberty)

#17

Reviewed: https://review.openstack.org/321789
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=48ea90326160fe54a605c621e32873fb2b8ef7bd
Submitter: Jenkins
Branch: stable/liberty

commit 48ea90326160fe54a605c621e32873fb2b8ef7bd
Author: Kevin Benton <email address hidden>
Date: Mon Mar 14 01:59:37 2016 -0700

Add API test ensure tenant can't delete other ports

    Change I55328cb43207654b9bb4cfb732923982d020ab0a fixed
    the policy enforcement to ensure that tenants could
    delete ports on networks they didn't own. However, it
    required a change to the policy engine so this test
    adds a patch to ensure that it didn't break the normal
    case that prevents tenants from deleting other tenant's
    ports on networks they don't own.

    Change-Id: I3118ec79c213c4eea4c5ca494e530c33189f6c59
    Related-Bug: #1498790
    (cherry picked from commit a374e52c4c9b2465b736d34aeac0ca5c92755944)

neutron

rbac: can't delete other tenant's port on own network if not admin

Bug Description

Duplicates of this bug

Other bug subscribers

Remote bug watches