RBAC: regression of port create/update by shared nw owners

Bug #1824107 reported by Flavien on 2019-04-10
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Undecided
Unassigned

Bug Description

Related to https://bugs.launchpad.net/neutron/+bug/1543756.

This fix was released in queens, but the following feature (https://review.openstack.org/#/c/577471/) re-introduced the bug on stable/rocky.

With non-admin user, ports creation/update with subnet ID on a shared network does not work anymore.

ex:
## Network RBAC
$ openstack network rbac show f3605376-2fbb-4bfe-b412-b053870c6d56
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| action | access_as_shared |
| id | f3605376-2fbb-4bfe-b412-b053870c6d56 |
| name | None |
| object_id | 07386598-add7-4246-90a4-0294e85446fa |
| object_type | network |
| project_id | 0631a4dbf7c949f1878c4f4a6dbf1d32 |
| target_project_id | * |
+-------------------+--------------------------------------+
## Test port creation
$ openstack port create --network mynet --fixed-ip subnet=mysubnet testport
HttpException: 403: Client Error for url: http://openstack.example.org/v2.0/ports, {"NeutronError": {"message": "(rule:create_port and rule:create_port:fixed_ips) is disallowed by policy", "type": "PolicyNotAuthorized", "detail": ""}}

Removing the line '"create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",' from policy.json, everything works well. (same for 'update_port:fixed_ip' rule) fixes the rbac issues.

It seems the bug is also on stein (I did not test, I presume): https://github.com/openstack/neutron/blob/master/neutron/conf/policies/port.py#L69 since policies has been included on code.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers