Policy enforcement variance between openstackcli and Horizon
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | New | Undecided | Unassigned |
Bug Description
Summary
Neutron enforces policy differently between Horizon and the openstackcli
High Level Description
If a user without admin permission tries to modify the security groups on a port via Horizon, they are denied by policy enforcement, in line with the oslo.policy defaults. But the same user is able to modify the port's security groups via the CLI.
Reproduce:
1. Create a new non-admin user:
❯ openstack user create --project bne-home --password-prompt test
❯ openstack role add --project bne-home --user test member
2. Add the user to clouds.yaml:
   bne-home-test:
     auth:
       auth_url: https:/
       password: "test"
       project_
       project_name: bne-home
       user_
       username: test
     cacert: ~/.certs/
     identity_
     region_name: regionOne
     volume_
3. Try to add/remove security group from port using the openstackcli:
❯ openstack server show test-lb-net -c security_groups -c addresses -f yaml
addresses:
  lb-mgmt-net:
  - 172.24.0.90
  vlan4-infra:
  - 172.20.13.175
security_groups:
- name: management-bne
❯ openstack port show 4df563ce-
fixed_ips:
- ip_address: 172.20.13.175
  subnet_id: 71aad09a-
port_security_
security_group_ids:
- a3ae6e20-
❯ openstack port unset --security-group a3ae6e20-
❯ openstack port show 4df563ce-
fixed_ips:
- ip_address: 172.20.13.175
  subnet_id: 71aad09a-
port_security_
security_group_ids: []
Verify that I'm definitely not an admin user:
❯ openstack server list --all
Policy doesn't allow os_compute_
We can see this works. Let's try the same from Horizon. We need to log in, then select Instances > Interfaces > "Edit Security Groups".
This will deny the request. The error from Horizon is:
2022-09-14 22:23:13,612 65 INFO openstack_
Which seems consistent with:
[root@overcloud
"update_
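To make the policy decision behind the Horizon denial concrete, here is an added example (not code from the bug report, Neutron or oslo.policy) that evaluates a small set of rules written in oslo.policy syntax. The rule names and defaults are constructed to mirror the `admin_or_network_owner` pattern used by neutron's port-update rules; the exact rule for security groups is truncated in the report, so `update_port:security_groups` and its default are assumptions, as are the project IDs and the port/network ownership in the target.

```python
"""Minimal oslo.policy-style rule evaluator (constructed example, not oslo.policy).

Supported subset of the rule language:
  role:<name>                      - caller holds the role
  rule:<other>                     - defer to another named rule
  <cred key>:%(<target key>)s      - caller attribute equals a target attribute
  "@" always allow, "!" always deny; "and" binds tighter than "or".
"""

# Constructed policy fragment. The last rule name/default is an assumption;
# the real one on the reporter's system is truncated in the bug report.
POLICY = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
    "update_port:security_groups": "rule:admin_or_network_owner",
}

# Constructed target: a port owned by the user's project but attached to a
# network owned by another project (e.g. a shared provider network).
PORT_TARGET = {
    "tenant_id": "bne-home-project-id",
    "network:tenant_id": "admin-project-id",
}

# Constructed credentials for three callers.
USERS = {
    "test (member of bne-home)": {"tenant_id": "bne-home-project-id", "roles": ["member"]},
    "admin": {"tenant_id": "admin-project-id", "roles": ["admin", "member"]},
    "member of the network owner project": {"tenant_id": "admin-project-id", "roles": ["member"]},
}


def _check_atom(atom, target, creds, rules):
    """Evaluate one check such as role:admin or tenant_id:%(network:tenant_id)s."""
    atom = atom.strip()
    if atom in ("@", ""):
        return True
    if atom == "!":
        return False
    kind, _, match = atom.partition(":")
    if kind == "rule":
        return enforce(match, target, creds, rules)
    if kind == "role":
        return match.lower() in {r.lower() for r in creds.get("roles", [])}
    # Generic check: format the match against the target, then compare with the caller attribute.
    try:
        expected = match % target
    except KeyError:
        return False  # target lacks the attribute the rule refers to: deny
    return str(creds.get(kind)) == expected


def _evaluate(expr, target, creds, rules):
    # Lowest precedence is "or"; each disjunct is an "and" of atoms.
    for disjunct in expr.split(" or "):
        if all(_check_atom(a, target, creds, rules) for a in disjunct.split(" and ")):
            return True
    return False


def enforce(rule, target, creds, rules=POLICY):
    """Return True if the caller may perform `rule` on `target`; unknown rules deny."""
    if rule not in rules:
        return False
    return _evaluate(rules[rule], target, creds, rules)


def decisions(rule="update_port:security_groups", target=PORT_TARGET, users=USERS):
    """Policy outcome for every constructed caller, keyed by caller label."""
    return {name: enforce(rule, target, creds) for name, creds in users.items()}


if __name__ == "__main__":
    for name, allowed in decisions().items():
        print(f"{name:40s} -> {'allowed' if allowed else 'denied'}")
```

The point the example makes is that `admin_or_network_owner` keys on the owner of the network, not of the port: a member of bne-home is denied when the port sits on a network owned by another project, which is the outcome Horizon reports. Any API client that lets the same caller complete the update is enforcing something weaker than this rule, which is what the CLI path in this report needs explaining.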
From the Neutron logs for both requests we can see:
https:/
Environment:
TripleO (current-tripleo)
Version:
# podman exec -it neutron_api rpm -q openstack-neutron
openstack-
[root@overcloud
"image=
Note that this is also an issue for RHOSP16.x:
https:/
Horizon seems to still be using python-neutronclient rather than the openstacksdk, so there may be a difference in behaviour there.
But I have enabled debug in Horizon as well and captured the error. Logs attached from Neutron and Horizon both with debug enabled.