Neutron doesn't honor system-scope

Bug #1918506 reported by Lance Bragstad on 2021-03-10
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
High
Slawek Kaplonski

Bug Description

Neutron recently made a bunch of great progress evolving policy check strings to include default role support (admin, member, and reader) and system-scope [0]. Please reference keystone's default role and persona documentation for a primer on authorization patterns we're trying to apply to neutron [1]

Despite these improved policies, neutron needs some additional work to understand system scope.

I was able to use a system-reader persona (someone with the `reader` role assigned on the system) to list networks in neutron. But, the response didn't contain all networks. It only included public and shared networks.

╭─ubuntu@neutron-devstack ~
╰─➤ $ openstack --os-cloud system-reader network list
+--------------------------------------+--------+----------------------------------------------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+--------+----------------------------------------------------------------------------+
| 293518cb-b280-4332-a1f0-e038c410f16a | shared | db50dc9d-e23c-473e-88e3-e3f1acfcc6d7 |
| 3eae4573-e569-428b-a1b2-cac15a53b0c1 | public | 6e744a36-6a02-45d9-95c0-72aec03e9615, d5dbacc8-5725-4918-b17f-b7fe5ceeca4c |
+--------------------------------------+--------+----------------------------------------------------------------------------+
╭─ubuntu@neutron-devstack ~
╰─➤ $ openstack --os-cloud devstack-system-admin network list
+--------------------------------------+---------+----------------------------------------------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+---------+----------------------------------------------------------------------------+
| 293518cb-b280-4332-a1f0-e038c410f16a | shared | db50dc9d-e23c-473e-88e3-e3f1acfcc6d7 |
| 3eae4573-e569-428b-a1b2-cac15a53b0c1 | public | 6e744a36-6a02-45d9-95c0-72aec03e9615, d5dbacc8-5725-4918-b17f-b7fe5ceeca4c |
| 61238010-7f8f-4110-9957-8bd48bd18294 | private | 3864f24a-ff45-46dc-9703-e6a5cb9fc7ab, c1009fc6-0037-408f-8775-5993a73200fe |
+--------------------------------------+---------+----------------------------------------------------------------------------+
╭─ubuntu@neutron-devstack ~
╰─➤ $ openstack --os-cloud devstack-admin network list
+--------------------------------------+---------+----------------------------------------------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+---------+----------------------------------------------------------------------------+
| 293518cb-b280-4332-a1f0-e038c410f16a | shared | db50dc9d-e23c-473e-88e3-e3f1acfcc6d7 |
| 3eae4573-e569-428b-a1b2-cac15a53b0c1 | public | 6e744a36-6a02-45d9-95c0-72aec03e9615, d5dbacc8-5725-4918-b17f-b7fe5ceeca4c |
| 61238010-7f8f-4110-9957-8bd48bd18294 | private | 3864f24a-ff45-46dc-9703-e6a5cb9fc7ab, c1009fc6-0037-408f-8775-5993a73200fe |
+--------------------------------------+---------+----------------------------------------------------------------------------+

I have the following options set in my neutron.conf:

[oslo_policy]
enforce_new_defaults = True
enforce_scope = True
policy_file = /etc/neutron/policy.json

Which should configure neutron to enforce scopes and new default policies allowing things like:

- system-admins to view all resources
- system-admins to create system-specific resources (public networks)
- system-readers to view all resources across projects and system-specific resources
- project-admins to view only networks available to their project

I started tracing through the neutron code and noticed it's building database queries using the request context object [2], which might leading to why system-readers can't view all networks in a deployment.

This bug is likely something that affects more that just network resources, but I haven't done an exhaustive investigation, yet.

Hoping to get some feedback from folks more familiar with Neutron so that we can plan a path forward for properly consuming system-scope.

[0] https://review.opendev.org/q/project:openstack/neutron+status:merged+topic:secure-rbac
[1] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html
[2] https://opendev.org/openstack/neutron-lib/src/commit/02e070fe099651ad5abea87819c7d3e729885130/neutron_lib/db/utils.py

Tags: api Edit Tag help
description: updated
tags: added: api
Changed in neutron:
status: New → Confirmed
importance: Undecided → High
milestone: none → wallaby-rc1
Slawek Kaplonski (slaweq) wrote :
Changed in neutron:
assignee: nobody → Slawek Kaplonski (slaweq)
status: Confirmed → In Progress
Slawek Kaplonski (slaweq) wrote :
Changed in neutron:
status: In Progress → Fix Committed

This issue was fixed in the openstack/neutron-lib 2.10.0 release.

Changed in neutron:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers