Incorrect policy check for update/create port fixed_ips ip_address attribute

Bug #1779225 reported by Cliff Parsons
Affects: neutron
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

The two Patrole test cases below have helped me identify that Neutron is
incorrectly performing the policy check for creating/updating the
fixed ip_address on a port.

patrole_tempest_plugin.tests.api.network.test_ports_rbac.PortsRbacTest.test_create_port_fixed_ips_ip_address
patrole_tempest_plugin.tests.api.network.test_ports_rbac.PortsRbacTest.test_update_port_fixed_ips_ip_address

The policy.json file has two rules for the fixed IP addresses:
    "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",

The problem is that these two rules are not enforced within the Neutron
code. Instead, the older "create_port:fixed_ips" and "update_port:fixed_ips"
rules are enforced; these older rules are no longer in the policy.json file.

tags: access-control, api
Revision history for this message
Armando Migliaccio (armando-migliaccio) wrote :

Thanks for reporting the issue; that said, I am struggling to understand what you mean. What older rules are you referring to? [1,2] are indeed in master. Can you point to a failure of the Patrole test? We probably do not have a Tempest API test that covers that.

[1] https://github.com/openstack/neutron/blob/master/etc/policy.json#L76
[2] https://github.com/openstack/neutron/blob/master/etc/policy.json#L92

Changed in neutron:
status: New → Incomplete
Revision history for this message
Cliff Parsons (cliffhparsons) wrote :

About a year ago, the following change below was merged:
https://github.com/openstack/neutron/commit/8236e83deced9af84ae0e5128c76acfa753093cc

This commit changed the existing "create_port:fixed_ips" and "update_port:fixed_ips" rules (these are what I referred to as the "older rules" above) to what we have now, "create_port:fixed_ips:ip_address" and "update_port:fixed_ips:ip_address".

If you execute the two test cases mentioned above, and keep an eye on what rules are evaluated by the Neutron policy enforcement code, you will see that the older rules are still being evaluated, not the newer ones. Note that I had to add some debug logging in Neutron's policy.py to be able to see this more clearly.

The test cases do not fail with the default policy.json file in place in master, but like I mentioned before, the two new policy rules are not being evaluated as they should be.
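
The mismatch described in the comment above, as an added illustration that is not Neutron's or oslo.policy's code: a minimal policy evaluator loaded with the two rules quoted in the report plus constructed helper rules, showing that a lookup of the old name "create_port:fixed_ips" finds no rule and falls through to the default (port-owner) check, while the new name "create_port:fixed_ips:ip_address" applies the network-owner check. The POLICY table, credentials and request body are constructed for the demo; Neutron's real lookup lives in neutron/policy.py.

```python
# Rules in the shape of the two quoted in the report plus the helper rules
# they reference (constructed for this demo; approximate Neutron defaults).
POLICY = {
    "context_is_admin": "role:admin",
    "context_is_advsvc": "role:advsvc",
    "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
    "default": "rule:admin_or_owner",
    "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
    "update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
}

def _check(term, creds, target):
    """Evaluate one 'kind:value' term against the caller's credentials."""
    kind, _, value = term.partition(":")
    if kind == "rule":
        return enforce(value, creds, target)
    if kind == "role":
        return value in creds["roles"]
    # Generic check such as tenant_id:%(network:tenant_id)s: interpolate the
    # value from the target object, then compare with the credential.
    return str(creds.get(kind)) == value % target

def enforce(rule_name, creds, target):
    """Evaluate an 'or'-joined rule. A name absent from POLICY falls through
    to 'default' (as in oslo.policy), which is the silent failure mode here."""
    expr = POLICY.get(rule_name, POLICY["default"])
    return any(_check(t.strip(), creds, target) for t in expr.split(" or "))

def rule_names_for(action, body):
    """Rule names an attribute-level check should look up: action:attr for
    each attribute and action:attr:subattr for every key of a dict item."""
    names = []
    for attr, value in body.items():
        names.append(f"{action}:{attr}")
        items = value if isinstance(value, list) else [value]
        for item in items:
            if isinstance(item, dict):
                names.extend(f"{action}:{attr}:{sub}" for sub in item)
    return names

if __name__ == "__main__":
    # Tenant A creates a port with a fixed IP on a network owned by tenant B.
    creds = {"tenant_id": "A", "roles": ["member"]}
    target = {"tenant_id": "A", "network:tenant_id": "B"}
    body = {"fixed_ips": [{"ip_address": "10.0.0.5"}]}
    for name in rule_names_for("create_port", body):
        print(name, "->", "allow" if enforce(name, creds, target) else "deny")
```

Run as a script, the old rule name reports "allow" for the non-owner tenant and the new name reports "deny", which is exactly the difference a log of evaluated rule names would expose.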

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for neutron because there has been no activity for 60 days.]

Changed in neutron:
status: Incomplete → Expired