Neutron doesn't honor system-scope
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | Fix Released | High | Slawek Kaplonski | wallaby-rc1 |
Bug Description
Neutron recently made a bunch of great progress evolving policy check strings to include default role support (admin, member, and reader) and system-scope [0]. Please reference keystone's default role and persona documentation for a primer on the authorization patterns we're trying to apply to neutron [1].
Despite these improved policies, neutron needs some additional work to understand system scope.
I was able to use a system-reader persona (someone with the `reader` role assigned on the system) to list networks in neutron. But, the response didn't contain all networks. It only included public and shared networks.
```
╭─ubuntu@
╰─➤ $ openstack --os-cloud system-reader network list
+------
| ID | Name | Subnets |
+------
| 293518cb-
| 3eae4573-
+------
╭─ubuntu@
╰─➤ $ openstack --os-cloud devstack-
+------
| ID | Name | Subnets |
+------
| 293518cb-
| 3eae4573-
| 61238010-
+------
╭─ubuntu@
╰─➤ $ openstack --os-cloud devstack-admin network list
+------
| ID | Name | Subnets |
+------
| 293518cb-
| 3eae4573-
| 61238010-
+------
```
I have the following options set in my neutron.conf:
```ini
[oslo_policy]
enforce_
enforce_scope = True
policy_file = /etc/neutron/
```
Which should configure neutron to enforce scopes and new default policies allowing things like:
- system-admins to view all resources
- system-admins to create system-specific resources (public networks)
- system-readers to view all resources across projects and system-specific resources
- project-admins to view only networks available to their project
I started tracing through the neutron code and noticed it's building database queries using the request context object [2], which might be leading to why system-readers can't view all networks in a deployment.
This bug is likely something that affects more than just network resources, but I haven't done an exhaustive investigation, yet.
Hoping to get some feedback from folks more familiar with Neutron so that we can plan a path forward for properly consuming system-scope.
[0] https:/
[1] https:/
[2] https:/
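As an added illustration (not neutron's code, and not part of the report), the constructed model below shows why filtering the query by the request context's project_id leaves a system-scoped reader with only shared and public networks, beside a scope-aware variant that matches the expected behaviour listed above; the Context and Network classes and the sample rows are simplified assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Context:
    """Subset of an oslo.context-style request context (constructed here)."""
    roles: List[str]
    project_id: Optional[str] = None      # None for a system-scoped token
    system_scope: Optional[str] = None    # "all" for a system-scoped token

    def is_system_scoped(self) -> bool:
        return self.system_scope == "all"


@dataclass
class Network:
    id: str
    project_id: str
    shared: bool = False
    external: bool = False


# Constructed sample rows: a public (external) and a shared network owned by a
# service project, plus one private network owned by project "proj-a".
NETWORKS = [
    Network("net-public", "service", external=True),
    Network("net-shared", "service", shared=True),
    Network("net-private", "proj-a"),
]


def list_networks_project_filtered(ctx: Context, rows=NETWORKS) -> List[str]:
    """Behaviour described in the report: the query is always filtered by the
    request context's project_id. A system-scoped token carries no project_id,
    so only shared/external rows survive the filter."""
    return [n.id for n in rows
            if n.shared or n.external or n.project_id == ctx.project_id]


def list_networks_scope_aware(ctx: Context, rows=NETWORKS) -> List[str]:
    """Expected behaviour: a system-scoped reader/member/admin sees every row;
    project-scoped callers keep the per-project filter."""
    if ctx.is_system_scoped() and set(ctx.roles) & {"reader", "member", "admin"}:
        return [n.id for n in rows]
    return list_networks_project_filtered(ctx, rows)
```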
description: updated
tags: added: api
Changed in neutron:
status: New → Confirmed
importance: Undecided → High
milestone: none → wallaby-rc1
Changed in neutron:
status: Fix Committed → Fix Released
Patch proposed: https://review.opendev.org/c/openstack/neutron-lib/+/780204