Regular user can remove qos from a port despite the policy

Bug #1957175 reported by Alexander Shishebarov
This bug affects 2 people
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: yatin

Bug Description

We use neutron stable/stein release with ml2/ovs plugin.

From the admin role, we assign qos policy with bandwidth limit to the ports of virtual machines.
In oslo policies, we forbid users to change this qos.
"update_port:qos_policy_id": "rule:admin_only"

But users, despite the policy, can remove the qos from the ports by entering the command
openstack port unset <port_id> --qos-policy

This happens because the qos api definition (neutron_lib) for port does not set the "enforce_policy" flag.
https://github.com/openstack/neutron-lib/blob/master/neutron_lib/api/definitions/qos.py#L91

Is this done on purpose by neutron api design or is it a bug?

description: updated
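
An added example (not part of the report, and not neutron or neutron-lib code): a small audit that flags attribute-level policy rules whose API definition lacks 'enforce_policy', together with a simplified model of which rules are evaluated on an update. The attribute map and policy dict are constructed samples, and unenforced_rules / rules_checked_on_update are hypothetical helper names.

```python
"""Audit attribute-level policy rules against 'enforce_policy' in API definitions."""

# Constructed sample shaped like an API-definition attribute map.
# 'ports' mirrors the state described in the report (flag missing);
# 'networks' shows the same attribute with the flag set.
RESOURCE_ATTRIBUTE_MAP = {
    "ports": {
        "qos_policy_id": {"allow_post": True, "allow_put": True,
                          "is_visible": True, "default": None},
        "name": {"allow_post": True, "allow_put": True, "is_visible": True},
    },
    "networks": {
        "qos_policy_id": {"allow_post": True, "allow_put": True,
                          "is_visible": True, "default": None,
                          "enforce_policy": True},
    },
}

# Constructed operator policy: the rule quoted in the report plus two
# sample rules added for the demonstration.
POLICY_RULES = {
    "update_port:qos_policy_id": "rule:admin_only",
    "update_network:qos_policy_id": "rule:admin_only",
    "update_port": "rule:admin_or_owner",
}

ACTIONS = ("create", "update")


def singular(collection):
    """'ports' -> 'port' (enough for the sample; not a general inflector)."""
    return collection[:-1] if collection.endswith("s") else collection


def unenforced_rules(attr_map, rules):
    """Return policy rule names that target an attribute lacking enforce_policy."""
    findings = []
    for collection, attrs in attr_map.items():
        for attr, spec in attrs.items():
            for action in ACTIONS:
                rule = f"{action}_{singular(collection)}:{attr}"
                if rule in rules and not spec.get("enforce_policy"):
                    findings.append(rule)
    return sorted(findings)


def rules_checked_on_update(attr_map, collection, body):
    """Simplified model (assumption): the resource-level rule always applies;
    an attribute-level rule applies only when the attribute is in the request
    body AND its definition sets enforce_policy."""
    res = singular(collection)
    checked = [f"update_{res}"]
    for attr in body:
        if attr_map[collection].get(attr, {}).get("enforce_policy"):
            checked.append(f"update_{res}:{attr}")
    return checked


if __name__ == "__main__":
    print(unenforced_rules(RESOURCE_ATTRIBUTE_MAP, POLICY_RULES))
    print(rules_checked_on_update(RESOURCE_ATTRIBUTE_MAP, "ports",
                                  {"qos_policy_id": None}))
```

In the sample, the rule the operator wrote for ports is reported as never evaluated, while the same request against networks does reach its attribute-level rule.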
Revision history for this message
yatin (yatinkarel) wrote :

Assigning myself and will check if it's a bug or behavior, if bug will propose patch to get it fixed.

Changed in neutron:
status: New → Confirmed
assignee: nobody → yatin (yatinkarel)
Changed in neutron:
importance: Undecided → High
tags: added: qos
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lib (master)
Changed in neutron:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-lib (master)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/825088
Committed: https://opendev.org/openstack/neutron-lib/commit/cf54989be21e1229eae6a34af5b84c2bfc5aface
Submitter: "Zuul (22348)"
Branch: master

commit cf54989be21e1229eae6a34af5b84c2bfc5aface
Author: yatinkarel <email address hidden>
Date: Tue Jan 18 10:45:17 2022 +0000

    Enforce policy for qos_policy_id attribute

    Currently while updating 'qos_policy_id', authorization policies
    are not enforced and as a result it can be set or unset over
    port/network/fip by an unauthorized user.

    This patch fixes it by setting 'enforce_policy' to True
    for this attribute.

    Closes-Bug: #1957175
    Change-Id: Ieee1ca092e572ad4696105962fbc6de675454657

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lib (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/neutron-lib/+/826039

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-lib (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/826039
Committed: https://opendev.org/openstack/neutron-lib/commit/f7c009ba2485f68d172924d9342d81e55a62044d
Submitter: "Zuul (22348)"
Branch: stable/xena

commit f7c009ba2485f68d172924d9342d81e55a62044d
Author: yatinkarel <email address hidden>
Date: Tue Jan 18 10:45:17 2022 +0000

    Enforce policy for qos_policy_id attribute

    Currently while updating 'qos_policy_id', authorization policies
    are not enforced and as a result it can be set or unset over
    port/network/fip by an unauthorized user.

    This patch fixes it by setting 'enforce_policy' to True
    for this attribute.

    Closes-Bug: #1957175
    Change-Id: Ieee1ca092e572ad4696105962fbc6de675454657
    (cherry picked from commit cf54989be21e1229eae6a34af5b84c2bfc5aface)
    Conflicts: neutron_lib/api/definitions/qos_fip.py

tags: added: in-stable-xena
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lib (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/neutron-lib/+/826212

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lib (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/neutron-lib/+/826213

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lib (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/neutron-lib/+/826214

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lib (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/neutron-lib/+/826225

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/neutron/+/826595

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-lib (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/826212
Committed: https://opendev.org/openstack/neutron-lib/commit/6bbae46890f458cbb0d7cb5dd87e80f07a305b53
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 6bbae46890f458cbb0d7cb5dd87e80f07a305b53
Author: yatinkarel <email address hidden>
Date: Tue Jan 18 10:45:17 2022 +0000

    Enforce policy for qos_policy_id attribute

    Currently while updating 'qos_policy_id', authorization policies
    are not enforced and as a result it can be set or unset over
    port/network/fip by an unauthorized user.

    This patch fixes it by setting 'enforce_policy' to True
    for this attribute.

    Closes-Bug: #1957175
    Change-Id: Ieee1ca092e572ad4696105962fbc6de675454657
    (cherry picked from commit cf54989be21e1229eae6a34af5b84c2bfc5aface)
    Conflicts: neutron_lib/api/definitions/qos_fip.py
    (cherry picked from commit f7c009ba2485f68d172924d9342d81e55a62044d)

tags: added: in-stable-wallaby
Revision history for this message
Alexander Shishebarov (ashishebarov) wrote :

Will cherry-picks be made to stable/stein, stable/train releases?
We use them, we would like to get this fix.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lib (stable/stein)

Fix proposed to branch: stable/stein
Review: https://review.opendev.org/c/openstack/neutron-lib/+/826615

Revision history for this message
yatin (yatinkarel) wrote :

@ashishebarov yes proposed cherry-picks till stein https://review.opendev.org/q/Ieee1ca092e572ad4696105962fbc6de675454657.

Also since stein/train/ussuri are in extended maintenance phase there will be no tag release for neutron-lib. For other releases will put tag request.

Also for qos_fip will propose once it's merged in xena https://review.opendev.org/c/openstack/neutron/+/826595

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-lib (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/826214
Committed: https://opendev.org/openstack/neutron-lib/commit/75ee705ed5f4144483686d7e237ba78afe6d1dff
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit 75ee705ed5f4144483686d7e237ba78afe6d1dff
Author: yatinkarel <email address hidden>
Date: Tue Jan 18 10:45:17 2022 +0000

    Enforce policy for qos_policy_id attribute

    Currently while updating 'qos_policy_id', authorization policies
    are not enforced and as a result it can be set or unset over
    port/network/fip by an unauthorized user.

    This patch fixes it by setting 'enforce_policy' to True
    for this attribute.

    Closes-Bug: #1957175
    Change-Id: Ieee1ca092e572ad4696105962fbc6de675454657
    (cherry picked from commit cf54989be21e1229eae6a34af5b84c2bfc5aface)
    Conflicts: neutron_lib/api/definitions/qos_fip.py
    (cherry picked from commit f7c009ba2485f68d172924d9342d81e55a62044d)

tags: added: in-stable-ussuri
tags: added: in-stable-victoria
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-lib (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/826213
Committed: https://opendev.org/openstack/neutron-lib/commit/0b9d8e399f845999668a9d7ceaa3a638fd1c399f
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit 0b9d8e399f845999668a9d7ceaa3a638fd1c399f
Author: yatinkarel <email address hidden>
Date: Tue Jan 18 10:45:17 2022 +0000

    Enforce policy for qos_policy_id attribute

    Currently while updating 'qos_policy_id', authorization policies
    are not enforced and as a result it can be set or unset over
    port/network/fip by an unauthorized user.

    This patch fixes it by setting 'enforce_policy' to True
    for this attribute.

    Closes-Bug: #1957175
    Change-Id: Ieee1ca092e572ad4696105962fbc6de675454657
    (cherry picked from commit cf54989be21e1229eae6a34af5b84c2bfc5aface)
    Conflicts: neutron_lib/api/definitions/qos_fip.py
    (cherry picked from commit f7c009ba2485f68d172924d9342d81e55a62044d)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-lib (stable/train)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/826225
Committed: https://opendev.org/openstack/neutron-lib/commit/dcb866032452b90270d620951a17d3a8de9433d6
Submitter: "Zuul (22348)"
Branch: stable/train

commit dcb866032452b90270d620951a17d3a8de9433d6
Author: yatinkarel <email address hidden>
Date: Tue Jan 18 10:45:17 2022 +0000

    Enforce policy for qos_policy_id attribute

    Currently while updating 'qos_policy_id', authorization policies
    are not enforced and as a result it can be set or unset over
    port/network/fip by an unauthorized user.

    This patch fixes it by setting 'enforce_policy' to True
    for this attribute.

    Closes-Bug: #1957175
    Change-Id: Ieee1ca092e572ad4696105962fbc6de675454657
    (cherry picked from commit cf54989be21e1229eae6a34af5b84c2bfc5aface)
    Conflicts: neutron_lib/api/definitions/qos_fip.py
    (cherry picked from commit f7c009ba2485f68d172924d9342d81e55a62044d)

tags: added: in-stable-train
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-lib (stable/stein)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/826615
Committed: https://opendev.org/openstack/neutron-lib/commit/6c67800bcf9e40fce57765ae1ec0a5e06b5dec97
Submitter: "Zuul (22348)"
Branch: stable/stein

commit 6c67800bcf9e40fce57765ae1ec0a5e06b5dec97
Author: yatinkarel <email address hidden>
Date: Tue Jan 18 10:45:17 2022 +0000

    Enforce policy for qos_policy_id attribute

    Currently while updating 'qos_policy_id', authorization policies
    are not enforced and as a result it can be set or unset over
    port/network/fip by an unauthorized user.

    This patch fixes it by setting 'enforce_policy' to True
    for this attribute.

    Closes-Bug: #1957175
    Change-Id: Ieee1ca092e572ad4696105962fbc6de675454657
    (cherry picked from commit cf54989be21e1229eae6a34af5b84c2bfc5aface)
    Conflicts: neutron_lib/api/definitions/qos_fip.py
    (cherry picked from commit f7c009ba2485f68d172924d9342d81e55a62044d)

tags: added: in-stable-stein
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/826595
Committed: https://opendev.org/openstack/neutron/commit/0c2af0f6e7d99d60aed20e731d5b178f1e152678
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 0c2af0f6e7d99d60aed20e731d5b178f1e152678
Author: yatinkarel <email address hidden>
Date: Thu Jan 27 13:20:07 2022 +0530

    [Stable Only] Enforce policy for qos_policy_id attribute

    Currently while updating 'qos_policy_id', authorization policies
    are not enforced and as a result it can be set or unset over
    port/network/fip by an unauthorized user.

    This patch fixes it by setting 'enforce_policy' to True
    for this attribute for Floating IP, for port and network
    it's fixed in neutron-lib[1].

    This patch is only for stable releases as for releases since
    Yoga this is fixed in neutron-lib[2] itself.

    [1] https://review.opendev.org/q/Ieee1ca092e572ad4696105962fbc6de675454657
    [2] https://review.opendev.org/c/openstack/neutron-lib/+/825088

    Closes-Bug: #1957175
    Change-Id: Ie0660e5e89e45c00b79464368ba337d27a824714

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/neutron/+/827015

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/neutron/+/827016

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/neutron/+/827017

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-lib 2.6.2

This issue was fixed in the openstack/neutron-lib 2.6.2 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-lib 2.10.2

This issue was fixed in the openstack/neutron-lib 2.10.2 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-lib 2.15.2

This issue was fixed in the openstack/neutron-lib 2.15.2 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/827016
Committed: https://opendev.org/openstack/neutron/commit/ae55ae36738e65cc86e48869b99984b80043f559
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit ae55ae36738e65cc86e48869b99984b80043f559
Author: yatinkarel <email address hidden>
Date: Thu Jan 27 13:20:07 2022 +0530

    [Stable Only] Enforce policy for qos_policy_id attribute

    Currently while updating 'qos_policy_id', authorization policies
    are not enforced and as a result it can be set or unset over
    port/network/fip by an unauthorized user.

    This patch fixes it by setting 'enforce_policy' to True
    for this attribute for Floating IP, for port and network
    it's fixed in neutron-lib[1].

    This patch is only for stable releases as for releases since
    Yoga this is fixed in neutron-lib[2] itself.

    [1] https://review.opendev.org/q/Ieee1ca092e572ad4696105962fbc6de675454657
    [2] https://review.opendev.org/c/openstack/neutron-lib/+/825088

    Depends-On: https://review.opendev.org/c/openstack/tempest/+/828245
    Closes-Bug: #1957175
    Change-Id: Ie0660e5e89e45c00b79464368ba337d27a824714
    (cherry picked from commit 0c2af0f6e7d99d60aed20e731d5b178f1e152678)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/827017
Committed: https://opendev.org/openstack/neutron/commit/b738de94182b90a72b28e92f5b2218b5198e01f6
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit b738de94182b90a72b28e92f5b2218b5198e01f6
Author: yatinkarel <email address hidden>
Date: Thu Jan 27 13:20:07 2022 +0530

    [Stable Only] Enforce policy for qos_policy_id attribute

    Currently while updating 'qos_policy_id', authorization policies
    are not enforced and as a result it can be set or unset over
    port/network/fip by an unauthorized user.

    This patch fixes it by setting 'enforce_policy' to True
    for this attribute for Floating IP, for port and network
    it's fixed in neutron-lib[1].

    This patch is only for stable releases as for releases since
    Yoga this is fixed in neutron-lib[2] itself.

    [1] https://review.opendev.org/q/Ieee1ca092e572ad4696105962fbc6de675454657
    [2] https://review.opendev.org/c/openstack/neutron-lib/+/825088

    Depends-On: https://review.opendev.org/c/openstack/tempest/+/828245
    Closes-Bug: #1957175
    Change-Id: Ie0660e5e89e45c00b79464368ba337d27a824714
    (cherry picked from commit 0c2af0f6e7d99d60aed20e731d5b178f1e152678)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/827015
Committed: https://opendev.org/openstack/neutron/commit/c5765cdd75731eac10c93d2eb01bc4846e3a8d04
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit c5765cdd75731eac10c93d2eb01bc4846e3a8d04
Author: yatinkarel <email address hidden>
Date: Thu Jan 27 13:20:07 2022 +0530

    [Stable Only] Enforce policy for qos_policy_id attribute

    Currently while updating 'qos_policy_id', authorization policies
    are not enforced and as a result it can be set or unset over
    port/network/fip by an unauthorized user.

    This patch fixes it by setting 'enforce_policy' to True
    for this attribute for Floating IP, for port and network
    it's fixed in neutron-lib[1].

    This patch is only for stable releases as for releases since
    Yoga this is fixed in neutron-lib[2] itself.

    [1] https://review.opendev.org/q/Ieee1ca092e572ad4696105962fbc6de675454657
    [2] https://review.opendev.org/c/openstack/neutron-lib/+/825088

    Closes-Bug: #1957175
    Change-Id: Ie0660e5e89e45c00b79464368ba337d27a824714
    (cherry picked from commit 0c2af0f6e7d99d60aed20e731d5b178f1e152678)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-lib 2.20.0

This issue was fixed in the openstack/neutron-lib 2.20.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 17.4.0

This issue was fixed in the openstack/neutron 17.4.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 18.3.0

This issue was fixed in the openstack/neutron 18.3.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 19.2.0

This issue was fixed in the openstack/neutron 19.2.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-lib stein-eol

This issue was fixed in the openstack/neutron-lib stein-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-lib train-eol

This issue was fixed in the openstack/neutron-lib train-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-lib ussuri-eol

This issue was fixed in the openstack/neutron-lib ussuri-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron ussuri-eol

This issue was fixed in the openstack/neutron ussuri-eol release.
