In FWaaS v2 cross-tenant assignment of policies is inconsistent
Bug #1614680 reported by Nate Johnston
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
neutron | Won't Fix | Wishlist | Unassigned | |
Bug Description
In the unit tests associated with the FWaaS v2 DB (neutron_
First, the logic tested in test_update_
Second, the logic tested in test_update_
Changed in neutron: | |
assignee: | nobody → lavanya sirigudi (lavanya553) |
Changed in neutron: | |
assignee: | Yushiro FURUKAWA (y-furukawa-2) → Reedip (reedip-banerjee) |
Hi Nate Johnston
Please find the complete analysis Response Inline <Lavanya>
1. First, the logic tested in test_update_firewall_rule_associated_with_other_tenant_policy succeeds, but it should not.
<Lavanya>: The logic tested for test_update_firewall_rule_associated_with_other_tenant_policy succeeds (but the expected behavior of the unit test case is an HTTP conflict code). This behavior is correct with the current implementation, and we will need to modify the unit test case's expected assert code to align with the code behavior, i.e. changing the response code to "200".
Here is my detailed analysis as per the code implementation:
In policy.json, the firewall rules are set with either of the credentials ADMIN/OWNER or SHARED, as shown below:
"create_firewall_rule": "", ---> Internally makes use of get_firewall_rule
"get_firewall_rule": "rule:admin_or_owner or rule:shared_firewalls",
"update_firewall_rule": "rule:admin_or_owner",
The above credentials are enforced using the method specified here: _ENFORCER.enforce(ADMIN_CTX_POLICY, credentials, credentials). As per the Neutron specs, we have an audit workflow wherein the firewall_policy can be audited by the relevant entity that is authorized (and can be different from the tenants which create or use the firewall_policy). So when the user is set with ADMIN credentials, it sets the audited flag to false in all policies associated with the corresponding firewall rule, and that's how the behavior of the test case is also aligned with the response code of 200.
2. Second, the logic tested in test_update_firewall_group_with_public_fwp fails, but it should succeed.
<Lavanya>: The logic tested for test_update_firewall_group_with_public_fwp is currently failing. We have analysed it, and it looks like some handling is currently missing from the code. Here is my detailed analysis:
In the unit test case test_update_firewall_group_with_public_fwp, the test case is failing with a "no result found" exception in the _get_by_id method, where the query parameters for the model are set. Here, the _model_query_scope method is looking for the attribute "shared" instead of "public". In the firewall_policies schema there is a "shared" attribute, but in the "firewall_policies_v2" schema the attribute is "public". So we need to filter the firewall_policies_v2 model with the "public" attribute to fetch the fwp2 created by tenant2. I have validated this by adding a case for checking the "public" attribute in the _model_query_scope method, and the test case executes successfully.
So we need to add handling for the "public" attribute as part of the current implementation.
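
The scoping mismatch described in the comment above, as an added example that is not part of the bug report and is not neutron's code: a tenant-scoped lookup that only knows the "shared" flag cannot see a v2 policy flagged "public". The class names, `scope`, `get_by_id`, `share_attrs` and the sample rows are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class FirewallPolicyV1:      # v1-style row: cross-tenant flag is "shared"
    id: str
    tenant_id: str
    shared: bool = False

@dataclass
class FirewallPolicyV2:      # v2-style row: cross-tenant flag is "public"
    id: str
    tenant_id: str
    public: bool = False

def scope(rows, tenant_id, is_admin=False, share_attrs=("shared",)):
    """Rows a tenant may see: its own, plus rows flagged by a sharing
    attribute that the scope knows about. Admins see every row."""
    if is_admin:
        return list(rows)
    def visible(row):
        if row.tenant_id == tenant_id:
            return True
        return any(getattr(row, attr, False) for attr in share_attrs)
    return [r for r in rows if visible(r)]

def get_by_id(rows, tenant_id, obj_id, **kw):
    """Scoped lookup; an out-of-scope row looks like a missing row."""
    for row in scope(rows, tenant_id, **kw):
        if row.id == obj_id:
            return row
    raise LookupError("no result found")

# Constructed sample data: tenant2 owns the policies, tenant1 looks them up.
V1 = [FirewallPolicyV1("fwp1", "tenant2", shared=True)]
V2 = [FirewallPolicyV2("fwp2", "tenant2", public=True),
      FirewallPolicyV2("fwp3", "tenant2", public=False)]

def demo():
    out = {"v1_shared": get_by_id(V1, "tenant1", "fwp1").id}
    try:                     # scope only checks "shared": fwp2 is invisible
        out["v2_old_scope"] = get_by_id(V2, "tenant1", "fwp2").id
    except LookupError as exc:
        out["v2_old_scope"] = str(exc)
    attrs = ("shared", "public")   # scope extended with the v2 flag
    out["v2_new_scope"] = get_by_id(V2, "tenant1", "fwp2", share_attrs=attrs).id
    out["visible_ids"] = [r.id for r in scope(V2, "tenant1", share_attrs=attrs)]
    return out
```

With the extended scope, tenant1 still cannot see fwp3, which tenant2 has not marked public.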