[Secure RBAC] Create network error due to role without permissions isn't clear

Bug #1965294 reported by Slawek Kaplonski
This bug affects 1 person
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Slawek Kaplonski

Bug Description

Bug originally reported by Candido Campos in https://bugzilla.redhat.com/show_bug.cgi?id=2063867

Description of problem:

Captured traceback:
~~~~~~~~~~~~~~~~~~~
    Traceback (most recent call last):
      File "/usr/lib/python3.6/site-packages/tempest/common/utils/__init__.py", line 89, in wrapper
        return func(*func_args, **func_kwargs)
      File "/usr/lib/python3.6/site-packages/neutron_tempest_plugin/scenario/test_internal_dns.py", line 38, in test_dns_domain_and_name
        network = self.create_network(dns_domain='starwars.')
      File "/usr/lib/python3.6/site-packages/neutron_tempest_plugin/api/base.py", line 379, in create_network
        network = client.create_network(name=name, **kwargs)['network']
      File "/usr/lib/python3.6/site-packages/neutron_tempest_plugin/services/network/json/network_client.py", line 146, in _create
        resp, body = self.post(uri, post_data)
      File "/usr/lib/python3.6/site-packages/tempest/lib/common/rest_client.py", line 299, in post
        return self.request('POST', url, extra_headers, headers, body, chunked)
      File "/usr/lib/python3.6/site-packages/tempest/lib/common/rest_client.py", line 703, in request
        self._error_checker(resp, resp_body)
      File "/usr/lib/python3.6/site-packages/tempest/lib/common/rest_client.py", line 809, in _error_checker
        raise exceptions.NotFound(resp_body, resp=resp)
    tempest.lib.exceptions.NotFound: Object not found
    Details: {'type': 'HTTPNotFound', 'message': 'The resource could not be found.', 'detail': ''}

Version-Release number of selected component (if applicable):

How reproducible:

    openstack project create --domain default --description "Demo Project" myproject
    openstack user create --domain default --password-prompt myuser
    openstack role create myrole
    openstack role add --project myproject --user myuser myrole

    openstack network create test

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/834171

Changed in neutron:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/834171
Committed: https://opendev.org/openstack/neutron/commit/60bc6c7a992383cecaf7dcf425668a6ea92b151b
Submitter: "Zuul (22348)"
Branch: master

commit 60bc6c7a992383cecaf7dcf425668a6ea92b151b
Author: Slawek Kaplonski <email address hidden>
Date: Thu Mar 17 14:33:41 2022 +0100

    [API] Return 403 for POST requests when user is not authorized

    In the policy_enforcement module, if policy.enforce() raises a
    PolicyNotAuthorized exception, there is an additional check whether the
    user is trying to modify their own or someone else's resource. When the
    user is not even allowed to show the resource, error 404 is raised to
    "hide" any information about the requested resource.
    But that was also the case for POST (create resource) requests, and a 404
    error when the user is trying to e.g. create a network is confusing.
    So this patch modifies that logic, and in the case of "create_" actions it
    will return 403 if the user was not authorized to do such an operation.

    Closes-Bug: #1965294
    Change-Id: I80b0616c335134a564361137b2a00ff86dcbdf1c

Changed in neutron:
status: In Progress → Fix Released
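
The status-code decision described in the commit message above, as an added example: a simplified model, not neutron's policy_enforcement code. The rule table, the reader/member/admin role names and all function names are assumptions; myrole is the permissionless role from the reproduction steps, and ownership checks are left out.

```python
# Added illustration: a simplified model, not neutron's policy_enforcement code.
# Role names, rules and helper names below are assumptions made for the example.

class PolicyNotAuthorized(Exception):
    """Stand-in for the exception the policy engine raises on denial."""

# Constructed rule table: action -> roles allowed to perform it.
RULES = {
    "create_network": {"member", "admin"},
    "update_network": {"member", "admin"},
    "get_network": {"reader", "member", "admin"},
}

def enforce(action, roles):
    """Raise PolicyNotAuthorized unless one of the caller's roles permits action."""
    if not RULES.get(action, set()) & set(roles):
        raise PolicyNotAuthorized(action)

def can_show(action, roles):
    """Can the caller at least read the resource type the action targets?"""
    resource = action.split("_", 1)[1]
    try:
        enforce("get_" + resource, roles)
        return True
    except PolicyNotAuthorized:
        return False

def status_for(action, roles, create_returns_403=True):
    """HTTP status for a request; create_returns_403=False models the old behaviour."""
    try:
        enforce(action, roles)
    except PolicyNotAuthorized:
        if create_returns_403 and action.startswith("create_"):
            return 403  # nothing exists yet, so there is nothing to hide
        # Existing resource: a caller who may not even see it gets 404,
        # a caller who can see it but not change it gets 403.
        return 403 if can_show(action, roles) else 404
    return 201 if action.startswith("create_") else 200

def demo():
    """Return (action, role, status before fix, status after fix) per case."""
    cases = [("create_network", ["myrole"]), ("update_network", ["myrole"]),
             ("update_network", ["reader"]), ("create_network", ["member"])]
    return [(a, r[0], status_for(a, r, False), status_for(a, r, True))
            for a, r in cases]

if __name__ == "__main__":
    for action, role, before, after in demo():
        print(f"{action:15} role={role:7} before={before} after={after}")
```
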
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/neutron/+/837487

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/neutron/+/837488

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/neutron/+/837489

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/837488
Committed: https://opendev.org/openstack/neutron/commit/909f3bd3c5585e68da62b511af24f862c7863d6b
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 909f3bd3c5585e68da62b511af24f862c7863d6b
Author: Slawek Kaplonski <email address hidden>
Date: Thu Mar 17 14:33:41 2022 +0100

    [API] Return 403 for POST requests when user is not authorized

    In the policy_enforcement module, if policy.enforce() raises a
    PolicyNotAuthorized exception, there is an additional check whether the
    user is trying to modify their own or someone else's resource. When the
    user is not even allowed to show the resource, error 404 is raised to
    "hide" any information about the requested resource.
    But that was also the case for POST (create resource) requests, and a 404
    error when the user is trying to e.g. create a network is confusing.
    So this patch modifies that logic, and in the case of "create_" actions it
    will return 403 if the user was not authorized to do such an operation.

    Closes-Bug: #1965294
    Change-Id: I80b0616c335134a564361137b2a00ff86dcbdf1c
    (cherry picked from commit 60bc6c7a992383cecaf7dcf425668a6ea92b151b)

tags: added: in-stable-xena
tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/837489
Committed: https://opendev.org/openstack/neutron/commit/1b82d4aa20a01426fc9e543a64b343c81a486584
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 1b82d4aa20a01426fc9e543a64b343c81a486584
Author: Slawek Kaplonski <email address hidden>
Date: Thu Mar 17 14:33:41 2022 +0100

    [API] Return 403 for POST requests when user is not authorized

    In the policy_enforcement module, if policy.enforce() raises a
    PolicyNotAuthorized exception, there is an additional check whether the
    user is trying to modify their own or someone else's resource. When the
    user is not even allowed to show the resource, error 404 is raised to
    "hide" any information about the requested resource.
    But that was also the case for POST (create resource) requests, and a 404
    error when the user is trying to e.g. create a network is confusing.
    So this patch modifies that logic, and in the case of "create_" actions it
    will return 403 if the user was not authorized to do such an operation.

    Closes-Bug: #1965294
    Change-Id: I80b0616c335134a564361137b2a00ff86dcbdf1c
    (cherry picked from commit 60bc6c7a992383cecaf7dcf425668a6ea92b151b)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 18.3.0

This issue was fixed in the openstack/neutron 18.3.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 19.2.0

This issue was fixed in the openstack/neutron 19.2.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/837487
Committed: https://opendev.org/openstack/neutron/commit/a36300a68b0af208bc5feb88613aa3fba4d76254
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit a36300a68b0af208bc5feb88613aa3fba4d76254
Author: Slawek Kaplonski <email address hidden>
Date: Thu Mar 17 14:33:41 2022 +0100

    [API] Return 403 for POST requests when user is not authorized

    In the policy_enforcement module, if policy.enforce() raises a
    PolicyNotAuthorized exception, there is an additional check whether the
    user is trying to modify their own or someone else's resource. When the
    user is not even allowed to show the resource, error 404 is raised to
    "hide" any information about the requested resource.
    But that was also the case for POST (create resource) requests, and a 404
    error when the user is trying to e.g. create a network is confusing.
    So this patch modifies that logic, and in the case of "create_" actions it
    will return 403 if the user was not authorized to do such an operation.

    Closes-Bug: #1965294
    Change-Id: I80b0616c335134a564361137b2a00ff86dcbdf1c
    (cherry picked from commit 60bc6c7a992383cecaf7dcf425668a6ea92b151b)

tags: added: in-stable-yoga
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 20.1.0

This issue was fixed in the openstack/neutron 20.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 21.0.0.0rc1

This issue was fixed in the openstack/neutron 21.0.0.0rc1 release candidate.
