Policy rules related to "sub parameters" doesn't work properly

Bug #1822105 reported by Slawek Kaplonski on 2019-03-28
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Medium
Slawek Kaplonski

Bug Description

We have for example rules like:

"create_port:fixed_ips:subnet_id" in neutron's policy,

Ufortunatelly in https://github.com/openstack/neutron/blob/97376032b4c19ac6a479b524ec6a04460b79868b/neutron/policy.py#L192 check rule will always only have match like create_port:fixed_ip and will not include anything else.
So later it will not match this rule in enforcer.

Fix proposed to branch: master
Review: https://review.openstack.org/648532

Changed in neutron:
assignee: nobody → Slawek Kaplonski (slaweq)
status: New → In Progress
Bence Romsics (bence-romsics) wrote :

Hi Slawek, Do I understand correctly this is *not* a security problem? 3-component policy rules are ignored without your patch, right? So we end up assigning less rights to somebody than intended, not more.

Changed in neutron:
importance: Undecided → Medium
Slawek Kaplonski (slaweq) wrote :

Hi Bence,

Yes. My understanding of this is exactly like Yours :) IMO it isn't security issue

Reviewed: https://review.opendev.org/648532
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=9318fb8bb930a65cb0b388fd4a40fc83183d9199
Submitter: Zuul
Branch: master

commit 9318fb8bb930a65cb0b388fd4a40fc83183d9199
Author: Slawek Kaplonski <email address hidden>
Date: Thu Mar 28 21:36:11 2019 +0100

    Fix creating policy rules from subattributes.

    In case of policy rule checks for rules like e.g.
    "create_port:fixed_ips:subnet" couldn't be created to be
    passed to policy enforcer because policy module could only
    create rule checks for subattributes which are dict types.

    With this patch checks for such rules can be created also for
    attributes which are list of dicts, like e.g. fixed_ips in port
    resource.

    Change-Id: I02fffe77f57a513d2362df78885d327042bb8095
    Closes-Bug: #1822105

Changed in neutron:
status: In Progress → Fix Released

Reviewed: https://review.opendev.org/657920
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=83231738ea4ec0540606b7219538bd9efbeaabb3
Submitter: Zuul
Branch: stable/stein

commit 83231738ea4ec0540606b7219538bd9efbeaabb3
Author: Slawek Kaplonski <email address hidden>
Date: Thu Mar 28 21:36:11 2019 +0100

    Fix creating policy rules from subattributes.

    In case of policy rule checks for rules like e.g.
    "create_port:fixed_ips:subnet" couldn't be created to be
    passed to policy enforcer because policy module could only
    create rule checks for subattributes which are dict types.

    With this patch checks for such rules can be created also for
    attributes which are list of dicts, like e.g. fixed_ips in port
    resource.

    Change-Id: I02fffe77f57a513d2362df78885d327042bb8095
    Closes-Bug: #1822105
    (cherry picked from commit 9318fb8bb930a65cb0b388fd4a40fc83183d9199)

tags: added: in-stable-stein

Reviewed: https://review.opendev.org/657937
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=8e777c681f39a24b2385f57b8c2748c0c4648db6
Submitter: Zuul
Branch: stable/rocky

commit 8e777c681f39a24b2385f57b8c2748c0c4648db6
Author: Slawek Kaplonski <email address hidden>
Date: Thu Mar 28 21:36:11 2019 +0100

    Fix creating policy rules from subattributes.

    In case of policy rule checks for rules like e.g.
    "create_port:fixed_ips:subnet" couldn't be created to be
    passed to policy enforcer because policy module could only
    create rule checks for subattributes which are dict types.

    With this patch checks for such rules can be created also for
    attributes which are list of dicts, like e.g. fixed_ips in port
    resource.

    Conflicts:
        neutron/conf/policies/port.py

    Change-Id: I02fffe77f57a513d2362df78885d327042bb8095
    Closes-Bug: #1822105
    (cherry picked from commit 9318fb8bb930a65cb0b388fd4a40fc83183d9199)
    (cherry picked from commit a238b1bed6e8ee3a33cd7a7116501ebb3d852b44)

tags: added: in-stable-rocky
tags: added: in-stable-queens

Reviewed: https://review.opendev.org/657942
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=c3ee286a5511c48ebba5e0dbbc379d2b2e7f23e0
Submitter: Zuul
Branch: stable/queens

commit c3ee286a5511c48ebba5e0dbbc379d2b2e7f23e0
Author: Slawek Kaplonski <email address hidden>
Date: Thu Mar 28 21:36:11 2019 +0100

    Fix creating policy rules from subattributes.

    In case of policy rule checks for rules like e.g.
    "create_port:fixed_ips:subnet" couldn't be created to be
    passed to policy enforcer because policy module could only
    create rule checks for subattributes which are dict types.

    With this patch checks for such rules can be created also for
    attributes which are list of dicts, like e.g. fixed_ips in port
    resource.

    Conflicts:
        etc/policy.json
        neutron/tests/etc/policy.json

    Change-Id: I02fffe77f57a513d2362df78885d327042bb8095
    Closes-Bug: #1822105
    (cherry picked from commit 9318fb8bb930a65cb0b388fd4a40fc83183d9199)
    (cherry picked from commit a238b1bed6e8ee3a33cd7a7116501ebb3d852b44)
    (cherry picked from commit 73bbfa4315e9287313810f2967a31fab2d5fa51a)

This issue was fixed in the openstack/neutron 13.0.4 release.

This issue was fixed in the openstack/neutron 14.0.2 release.

This issue was fixed in the openstack/neutron 12.1.0 release.

This issue was fixed in the openstack/neutron 15.0.0.0b1 development milestone.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers