neutron

Error 500 after request with Invalid Scope

Bug #1959333 reported by Slawek Kaplonski
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
neutron
Fix Released
Medium
Slawek Kaplonski

Bug Description

After patch https://review.opendev.org/c/openstack/neutron/+/821208 was merged, when scope enforcement is enabled and API request with wrong scope is made, there is unhandled InvalidScope exception raised and error 500 returned to user. It should be properly handled and some better error returned.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/826872

Changed in neutron:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lib (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-lib/+/835234

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-lib (master)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/835234
Committed: https://opendev.org/openstack/neutron-lib/commit/da2baf389c85548b5c0b475a651aaf22bd7d9701
Submitter: "Zuul (22348)"
Branch: master

commit da2baf389c85548b5c0b475a651aaf22bd7d9701
Author: Slawek Kaplonski <email address hidden>
Date: Fri Mar 25 14:50:33 2022 +0100

    Add oslo_policy.InvalidScope exception to the api faults map

    With enforcing scopes enabled in Neutron, oslo_policy can raise
    InvalidScope exception while enforcing policy rules. So this exception
    type should be handled in the same way as it is with
    PolicyNotAuthorized. Otherwise neutron returns 500 if InvalidScope
    exception was raised by the policy enforce.

    Closes-Bug: #1959333
    Change-Id: Iad1e2c9f797091d728d419c6b9dc67d861d4214a

Changed in neutron:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/826872
Committed: https://opendev.org/openstack/neutron/commit/51d1899bacb1e5d625f201380035db634da2e27c
Submitter: "Zuul (22348)"
Branch: master

commit 51d1899bacb1e5d625f201380035db634da2e27c
Author: Slawek Kaplonski <email address hidden>
Date: Fri Jan 28 12:08:32 2022 +0100

    Handle properly InvalidScope exceptions to not return error 500

    When new default policy rules and scope enforcement are enabled, Neutron
    needs to handle properly not only PolicyNotAuthorized exception from
    oslo_policy module but also InvalidScope exception.
    This patch adds handling of that exception to the neutron policy
    modules.

    In the check() method from the neutron.policy module we are calling
    ENFORCER.enforce() method with do_raise=False which means that
    PolicyNotAuthorized isn't rasised. Unfortunately it seems that there is
    bug in oslo.policy module and InvalidScope is raised even with
    do_raise=False.
    For now, lets workaround it in Neutron by properly handling InvalidScope
    exception in the check() method.
    This workaround can be cleaned when bug [1] will be fixed in
    oslo.policy.

    [1] https://bugs.launchpad.net/oslo.policy/+bug/1965315

    Partial-Bug: #1959333
    Change-Id: I973f8896248c8222031c53343bb53ce48254da74

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/neutron/+/838697

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/neutron/+/838698

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/neutron/+/838699

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/xena)

Change abandoned by "Slawek Kaplonski <email address hidden>" on branch: stable/xena
Review: https://review.opendev.org/c/openstack/neutron/+/838698
Reason: not needed in that branch

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on neutron (stable/wallaby)

Change abandoned by "Slawek Kaplonski <email address hidden>" on branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/neutron/+/838699
Reason: not needed in that branch

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/838697
Committed: https://opendev.org/openstack/neutron/commit/dcb35466484d9c66c6ea912c6c68802b89847404
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit dcb35466484d9c66c6ea912c6c68802b89847404
Author: Slawek Kaplonski <email address hidden>
Date: Fri Jan 28 12:08:32 2022 +0100

    Handle properly InvalidScope exceptions to not return error 500

    When new default policy rules and scope enforcement are enabled, Neutron
    needs to handle properly not only PolicyNotAuthorized exception from
    oslo_policy module but also InvalidScope exception.
    This patch adds handling of that exception to the neutron policy
    modules.

    In the check() method from the neutron.policy module we are calling
    ENFORCER.enforce() method with do_raise=False which means that
    PolicyNotAuthorized isn't rasised. Unfortunately it seems that there is
    bug in oslo.policy module and InvalidScope is raised even with
    do_raise=False.
    For now, lets workaround it in Neutron by properly handling InvalidScope
    exception in the check() method.
    This workaround can be cleaned when bug [1] will be fixed in
    oslo.policy.

    [1] https://bugs.launchpad.net/oslo.policy/+bug/1965315

    Partial-Bug: #1959333
    Change-Id: I973f8896248c8222031c53343bb53ce48254da74
    (cherry picked from commit 51d1899bacb1e5d625f201380035db634da2e27c)

tags: added: in-stable-yoga
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/840171

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/840171
Committed: https://opendev.org/openstack/neutron/commit/3939ec35af1769b9f04e19b8b499ad4d37d51f1d
Submitter: "Zuul (22348)"
Branch: master

commit 3939ec35af1769b9f04e19b8b499ad4d37d51f1d
Author: Slawek Kaplonski <email address hidden>
Date: Mon May 2 12:47:16 2022 +0200

    Bump oslo.policy to 3.12.0

    It allows us to revert temporary fix part from [1] as now InvalidScope
    exception is properly handled by oslo.policy.

    [1] https://review.opendev.org/c/openstack/neutron/+/826872

    Related-bug: #1959333
    Change-Id: I6b42306479c134ad8b07b8bf87d5c650fef9faae

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-lib 2.21.0

This issue was fixed in the openstack/neutron-lib 2.21.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.