Unable to show security groups for non-admin users if custom policies are used.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | High | Akihiro Motoki |
Bug Description
Neutron's RBAC system supports security group sharing, but it's impossible to use with changed policies. When RBAC for security groups was added [1], the field "shared" was not added to the database. As a result, we cannot use this flag for policy checks and SG sharing will work only with the default [2] policy, and it is impossible to configure policies like:
"shared_
"get_security_
How to reproduce:
1. change policies and add check for 'shared' field as mentioned above;
2. create new SG with admin permissions;
3. share the SG to another project;
4. try to get this SG by ID with project owner permissions;
Such policies work perfectly for other RBAC objects like networks, subnet pools etc.
[1] https:/
[2] https:/
tags: added: access-control
tags: added: api
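The failure described in the bug report can be modelled as follows. This is an added example, not Neutron code and not part of the original report: it is a simplified model of a field-based policy check, and the policy strings, the `rule:owner` name, the field sets and the project ids are all constructed for illustration.

```python
import re

# Constructed sample data: attributes each resource exposes to the policy
# check in this model. security_groups has no "shared" field, which is the
# situation the bug report describes.
RESOURCE_FIELDS = {
    "networks": {"id", "project_id", "shared"},
    "security_groups": {"id", "project_id"},
}

# Constructed custom policy using the field:<resource>:<field>=<value> form.
POLICY = {
    "get_network": "rule:owner or field:networks:shared=True",
    "get_security_group": "rule:owner or field:security_groups:shared=True",
}

FIELD_CHECK = re.compile(r"field:(\w+):(\w+)=(\w+)")


def unresolvable_field_checks(policy, resource_fields):
    """Return (rule, resource, field) for field checks naming a missing field."""
    findings = []
    for rule, expr in sorted(policy.items()):
        for resource, field, _ in FIELD_CHECK.findall(expr):
            if field not in resource_fields.get(resource, set()):
                findings.append((rule, resource, field))
    return findings


def is_allowed(expr, target, creds):
    """Evaluate an 'or'-joined rule; a field check on an absent field fails."""
    for term in (t.strip() for t in expr.split(" or ")):
        if term == "rule:owner" and target.get("project_id") == creds["project_id"]:
            return True
        m = FIELD_CHECK.fullmatch(term)
        if m and str(target.get(m.group(2))) == m.group(3):
            return True
    return False


# Constructed targets: both objects belong to the admin project and are
# shared with the tenant, but only the network carries a "shared" field.
ADMIN, TENANT = "project-admin", "project-tenant"
network = {"id": "net-1", "project_id": ADMIN, "shared": True}
sec_group = {"id": "sg-1", "project_id": ADMIN}
tenant_creds = {"project_id": TENANT}
```

Running `unresolvable_field_checks` over a custom policy file before deploying it flags rules that can never match because the resource does not expose the referenced field.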
Hello:
I think that was answered in IRC by Slawek. The field "shared" can be used with your custom policies, but SG objects do not have this field.
For security groups you need to use RBAC. In any case, the "shared" field has been dropped from some DB objects and is still waiting to be removed from others [1][2], in favor of RBACs.
Regards.
[1] https://review.opendev.org/c/openstack/neutron/+/709122/13/neutron/db/models/address_scope.py
[2] https://review.opendev.org/c/openstack/neutron/+/710755/11/neutron/db/models_v2.py