Neutron doesn't honor system-scope

Bug #1918506 reported by Lance Bragstad
Affects Status Importance Assigned to Milestone
neutron
Fix Released
High
Slawek Kaplonski

Bug Description

Neutron recently made a bunch of great progress evolving policy check strings to include default role support (admin, member, and reader) and system-scope [0]. Please reference keystone's default role and persona documentation for a primer on authorization patterns we're trying to apply to neutron [1].

Despite these improved policies, neutron needs some additional work to understand system scope.

I was able to use a system-reader persona (someone with the `reader` role assigned on the system) to list networks in neutron. But, the response didn't contain all networks. It only included public and shared networks.

╭─ubuntu@neutron-devstack ~
╰─➤ $ openstack --os-cloud system-reader network list
+--------------------------------------+--------+----------------------------------------------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+--------+----------------------------------------------------------------------------+
| 293518cb-b280-4332-a1f0-e038c410f16a | shared | db50dc9d-e23c-473e-88e3-e3f1acfcc6d7 |
| 3eae4573-e569-428b-a1b2-cac15a53b0c1 | public | 6e744a36-6a02-45d9-95c0-72aec03e9615, d5dbacc8-5725-4918-b17f-b7fe5ceeca4c |
+--------------------------------------+--------+----------------------------------------------------------------------------+
╭─ubuntu@neutron-devstack ~
╰─➤ $ openstack --os-cloud devstack-system-admin network list
+--------------------------------------+---------+----------------------------------------------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+---------+----------------------------------------------------------------------------+
| 293518cb-b280-4332-a1f0-e038c410f16a | shared | db50dc9d-e23c-473e-88e3-e3f1acfcc6d7 |
| 3eae4573-e569-428b-a1b2-cac15a53b0c1 | public | 6e744a36-6a02-45d9-95c0-72aec03e9615, d5dbacc8-5725-4918-b17f-b7fe5ceeca4c |
| 61238010-7f8f-4110-9957-8bd48bd18294 | private | 3864f24a-ff45-46dc-9703-e6a5cb9fc7ab, c1009fc6-0037-408f-8775-5993a73200fe |
+--------------------------------------+---------+----------------------------------------------------------------------------+
╭─ubuntu@neutron-devstack ~
╰─➤ $ openstack --os-cloud devstack-admin network list
+--------------------------------------+---------+----------------------------------------------------------------------------+
| ID | Name | Subnets |
+--------------------------------------+---------+----------------------------------------------------------------------------+
| 293518cb-b280-4332-a1f0-e038c410f16a | shared | db50dc9d-e23c-473e-88e3-e3f1acfcc6d7 |
| 3eae4573-e569-428b-a1b2-cac15a53b0c1 | public | 6e744a36-6a02-45d9-95c0-72aec03e9615, d5dbacc8-5725-4918-b17f-b7fe5ceeca4c |
| 61238010-7f8f-4110-9957-8bd48bd18294 | private | 3864f24a-ff45-46dc-9703-e6a5cb9fc7ab, c1009fc6-0037-408f-8775-5993a73200fe |
+--------------------------------------+---------+----------------------------------------------------------------------------+

I have the following options set in my neutron.conf:

[oslo_policy]
enforce_new_defaults = True
enforce_scope = True
policy_file = /etc/neutron/policy.json

Which should configure neutron to enforce scopes and new default policies allowing things like:

- system-admins to view all resources
- system-admins to create system-specific resources (public networks)
- system-readers to view all resources across projects and system-specific resources
- project-admins to view only networks available to their project

I started tracing through the neutron code and noticed it's building database queries using the request context object [2], which might be why system-readers can't view all networks in a deployment.

This bug is likely something that affects more than just network resources, but I haven't done an exhaustive investigation, yet.

Hoping to get some feedback from folks more familiar with Neutron so that we can plan a path forward for properly consuming system-scope.

[0] https://review.opendev.org/q/project:openstack/neutron+status:merged+topic:secure-rbac
[1] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html
[2] https://opendev.org/openstack/neutron-lib/src/commit/02e070fe099651ad5abea87819c7d3e729885130/neutron_lib/db/utils.py
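The following toy model illustrates the visibility gap the report describes and what honoring system scope changes. It is an added example, not code from the bug report, neutron, or neutron-lib: the Context and Network classes, both filter functions, and the network rows and tokens are simplified, constructed assumptions that only mimic the shape of the real objects. In this model, shared and external ("public") networks are treated as visible to every caller, which matches what the system-reader listing in the report shows.

```python
"""Toy model of the visibility problem this bug report describes.

Added illustration, not neutron or neutron-lib code. Context, Network and
the two filter functions are simplified assumptions that mimic the shape
of the real objects; the network rows and tokens are constructed samples.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Context:
    """Stand-in for a Keystone-authenticated request context."""
    user_id: str
    roles: List[str]
    project_id: Optional[str] = None    # present on project-scoped tokens
    system_scope: Optional[str] = None  # "all" on system-scoped tokens
    is_admin: bool = False              # only set for the system admin here


@dataclass
class Network:
    id: str
    name: str
    project_id: Optional[str]
    shared: bool = False
    external: bool = False  # the report's "public" network


# Constructed sample rows; ids are placeholders, not the ids in the report.
NETWORKS = [
    Network("net-shared", "shared", "admin-proj", shared=True),
    Network("net-public", "public", "admin-proj", external=True),
    Network("net-private", "private", "demo-proj"),
    Network("net-other", "other", "other-proj"),
]

# Constructed tokens for the three personas discussed in the report.
SYSTEM_READER = Context("reader", ["reader"], system_scope="all")
SYSTEM_ADMIN = Context("admin", ["admin"], system_scope="all", is_admin=True)
PROJECT_ADMIN = Context("demo-admin", ["admin"], project_id="demo-proj")


def project_filter(ctx: Context, rows: List[Network]) -> List[Network]:
    """Filtering as the report describes it: the query is keyed on the
    project in the request context. A system-scoped token carries no
    project_id, so it matches nothing and falls through to the rows that
    are visible to everyone (shared and external)."""
    if ctx.is_admin:
        return list(rows)
    return [n for n in rows
            if n.project_id == ctx.project_id or n.shared or n.external]


def scope_aware_filter(ctx: Context, rows: List[Network]) -> List[Network]:
    """Same query, but the system scope is checked before the project
    comparison, so system readers and system admins see every row while
    project-scoped callers still get the project filter."""
    if ctx.is_admin or ctx.system_scope == "all":
        return list(rows)
    return project_filter(ctx, rows)


def names(rows: List[Network]) -> List[str]:
    return [n.name for n in rows]


if __name__ == "__main__":
    for label, ctx in (("system-reader", SYSTEM_READER),
                       ("system-admin", SYSTEM_ADMIN),
                       ("project-admin", PROJECT_ADMIN)):
        print(f"{label:14} project filter: {names(project_filter(ctx, NETWORKS))}")
        print(f"{label:14} scope-aware:    {names(scope_aware_filter(ctx, NETWORKS))}")
```

Run stand-alone, the script shows the system-reader token getting only `shared` and `public` from the project-keyed filter (the report's observation) and every network once the scope is checked first, while the project-admin token keeps seeing only its own project's networks plus the ones visible to everyone. The point of the design is ordering: the scope decision has to happen before the `project_id` comparison, because a system-scoped token has no project to compare against.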

Tags: api
description: updated
tags: added: api
Changed in neutron:
status: New → Confirmed
importance: Undecided → High
milestone: none → wallaby-rc1
Revision history for this message
Slawek Kaplonski (slaweq) wrote :
Changed in neutron:
assignee: nobody → Slawek Kaplonski (slaweq)
status: Confirmed → In Progress
Revision history for this message
Slawek Kaplonski (slaweq) wrote :
Changed in neutron:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-lib 2.10.0

This issue was fixed in the openstack/neutron-lib 2.10.0 release.

Changed in neutron:
status: Fix Committed → Fix Released