With new RBAC enabled (enforce_scope and enforce_new_defaults): some security groups aren't visible for admin user

Bug #1997089 reported by Slawek Kaplonski
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Slawek Kaplonski

Bug Description

See the failed test tempest.api.compute.admin.test_security_groups.SecurityGroupsTestAdminJSON.test_list_security_groups_list_all_tenants_filter in https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_63d/614484/10/check/tempest-full-enforce-scope-new-defaults/63d64d6/testr_results.html

Failure:

Traceback (most recent call last):
  File "/opt/stack/tempest/tempest/common/utils/__init__.py", line 70, in wrapper
    return f(*func_args, **func_kwargs)
  File "/opt/stack/tempest/tempest/api/compute/admin/test_security_groups.py", line 86, in test_list_security_groups_list_all_tenants_filter
    self.assertIn(sec_group['id'], sec_group_id_list)
  File "/opt/stack/tempest/.tox/tempest/lib/python3.8/site-packages/testtools/testcase.py", line 399, in assertIn
    self.assertThat(haystack, Contains(needle), message)
  File "/opt/stack/tempest/.tox/tempest/lib/python3.8/site-packages/testtools/testcase.py", line 480, in assertThat
    raise mismatch_error
testtools.matchers._impl.MismatchError: '0596ea46-0609-4d40-b42a-e24d4882709b' not in ['5bb547c6-e27c-4be9-8599-dcb47b253e3e', '21c2add9-c4ee-40bb-8888-42c408f677a9', '0acc8817-d8ed-44cf-8728-c43cae604c7e']

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/865040

Changed in neutron:
status: Confirmed → In Progress
tags: added: access-control
Changed in neutron:
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/865040
Committed: https://opendev.org/openstack/neutron/commit/6d8ada0ac93beed05b45adb9582c3ef23bef49d2
Submitter: "Zuul (22348)"
Branch: master

commit 6d8ada0ac93beed05b45adb9582c3ef23bef49d2
Author: Slawek Kaplonski <email address hidden>
Date: Mon Nov 21 15:32:21 2022 +0100

    [S-RBAC] Allow admin user to do all API requests by default

    By default the ADMIN user in the new Secure RBAC policies should behave in
    the same way as in the legacy rules, so basically every API operation for
    any project should be allowed for the ADMIN user.
    In the new rules there are roles like PROJECT_MEMBER and PROJECT_READER,
    and those personas don't inherit directly from ADMIN, which means that
    if something is possible for e.g. PROJECT_MEMBER it isn't automatically
    also allowed for ADMIN, and we need to explicitly allow the ADMIN user to do
    such requests. It was done like that for many of the API calls already but
    not for all of them (probably by mistake).

    This patch introduces a new composite check ADMIN_OR_PROJECT_MEMBER and
    uses it in the check strings where the ADMIN or PROJECT_MEMBER user is
    allowed to use the API.
    It also changes some of the check strings which used "policy_or" to
    combine ADMIN and PROJECT_MEMBER or PROJECT_READER, so that those
    composite checks ADMIN_OR_PROJECT_MEMBER and ADMIN_OR_PROJECT_READER are
    used everywhere.

    Closes-Bug: #1997089

    Change-Id: Iab5cd6c7aa07ca8527c5fa8396c9ed0da65b4fa7

Changed in neutron:
status: In Progress → Fix Released
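To make the commit message's point concrete, here is an added example (not neutron's or oslo.policy's code, and the same reasoning applies to the stable/zed cherry-pick below): simplified stand-ins for the check strings named above plus a small evaluator for their "and"/"or"/parentheses grammar. It shows that an admin token scoped to one project fails a bare PROJECT_READER or PROJECT_MEMBER check on another project's security group (the listing that failed in the tempest run) but passes the composite ADMIN_OR_* form. The constant values, the "role:admin" stand-in for context_is_admin, and the credential and target dictionaries are assumptions.

```python
# Added example, not neutron's code: simplified check strings (the real ones are
# in neutron/conf/policies/base.py) plus a tiny evaluator for their grammar.
ADMIN = "role:admin"  # assumed stand-in for neutron's 'rule:context_is_admin'
PROJECT_MEMBER = "role:member and project_id:%(project_id)s"
PROJECT_READER = "role:reader and project_id:%(project_id)s"
ADMIN_OR_PROJECT_MEMBER = "(" + ADMIN + ") or (" + PROJECT_MEMBER + ")"
ADMIN_OR_PROJECT_READER = "(" + ADMIN + ") or (" + PROJECT_READER + ")"

def _tokens(check):
    # Split like oslo.policy: peel wrapping parentheses, keep '%(project_id)s'.
    for tok in check.split():
        body = tok.lstrip("(")
        yield from "(" * (len(tok) - len(body))
        atom = body.rstrip(")")
        if atom:
            yield atom
        yield from ")" * (len(body) - len(atom))

def check_access(check, target, creds):
    # Recursive descent: 'and' binds tighter than 'or'; parentheses group.
    toks, pos = list(_tokens(check)), 0

    def factor():
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if tok == "(":
            inner = expr()
            pos += 1  # skip the matching ')'
            return inner
        kind, _, value = tok.partition(":")
        if kind == "role":
            return value in creds.get("roles", ())
        return str(creds.get(kind)) == value % target  # project_id:%(project_id)s

    def chain(op, sub):  # sub (op sub)*; both sides are always parsed
        nonlocal pos
        ok = sub()
        while pos < len(toks) and toks[pos] == op:
            pos += 1
            nxt = sub()
            ok = (ok and nxt) if op == "and" else (ok or nxt)
        return ok

    expr = lambda: chain("or", lambda: chain("and", factor))  # expr := term (or term)*
    return expr()

def admin_can_see(check):
    # Constructed scenario from the failing test: an admin token scoped to
    # project "admin-proj" inspects a security group owned by "other-proj".
    creds = {"roles": ["admin", "member", "reader"], "project_id": "admin-proj"}
    return check_access(check, {"project_id": "other-proj"}, creds)
```

With enforce_new_defaults, the bare PROJECT_* strings deny the admin because the project_id clause fails; only the ADMIN_OR_* composite restores the legacy behaviour.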
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/neutron/+/874399

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/874399
Committed: https://opendev.org/openstack/neutron/commit/924339ab111f824af5c13c185611b7368c2a6c65
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 924339ab111f824af5c13c185611b7368c2a6c65
Author: Slawek Kaplonski <email address hidden>
Date: Mon Nov 21 15:32:21 2022 +0100

    [S-RBAC] Allow admin user to do all API requests by default

    By default the ADMIN user in the new Secure RBAC policies should behave in
    the same way as in the legacy rules, so basically every API operation for
    any project should be allowed for the ADMIN user.
    In the new rules there are roles like PROJECT_MEMBER and PROJECT_READER,
    and those personas don't inherit directly from ADMIN, which means that
    if something is possible for e.g. PROJECT_MEMBER it isn't automatically
    also allowed for ADMIN, and we need to explicitly allow the ADMIN user to do
    such requests. It was done like that for many of the API calls already but
    not for all of them (probably by mistake).

    This patch introduces a new composite check ADMIN_OR_PROJECT_MEMBER and
    uses it in the check strings where the ADMIN or PROJECT_MEMBER user is
    allowed to use the API.
    It also changes some of the check strings which used "policy_or" to
    combine ADMIN and PROJECT_MEMBER or PROJECT_READER, so that those
    composite checks ADMIN_OR_PROJECT_MEMBER and ADMIN_OR_PROJECT_READER are
    used everywhere.

    Closes-Bug: #1997089

    Change-Id: Iab5cd6c7aa07ca8527c5fa8396c9ed0da65b4fa7
    (cherry picked from commit 6d8ada0ac93beed05b45adb9582c3ef23bef49d2)

tags: added: in-stable-zed
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 22.0.0.0rc1

This issue was fixed in the openstack/neutron 22.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 21.1.0

This issue was fixed in the openstack/neutron 21.1.0 release.
