[SRBAC] FIP Port Forwarding policies should be available for PARENT_OWNER with proper role

Bug #2018989 reported by Slawek Kaplonski
Affects: neutron
Status: Fix Released
Importance: Medium
Assigned to: Slawek Kaplonski

Bug Description

Currently the new S-RBAC policies for FIP port forwardings are defined as

    policy_or(ADMIN_OR_PROJECT_MEMBER, RULE_PARENT_OWNER)

this isn't correct, as the FIP PF resource doesn't have a project_id attribute and always belongs to the owner of the FIP. It's a very similar issue to what we have with QoS rules and what was reported in https://bugs.launchpad.net/neutron/+bug/2018727

To fix that we need to use policies like ADMIN_OR_PARENT_OWNER_MEMBER to allow e.g. creation of a FIP PF by the owner of the FIP with the correct role assigned.

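As an added illustration, not code from the bug report or from the neutron patch, here is a plain-Python model of the create policy before and after the fix, evaluated for a few constructed requesters. The predicates mirror the rule names discussed above (ADMIN_OR_PROJECT_MEMBER, RULE_PARENT_OWNER, ADMIN_OR_PARENT_OWNER_MEMBER/READER); the role names and the ext_parent:tenant_id target key are assumptions, and the target deliberately carries no project_id, as a FIP port forwarding does not.

```python
def context_is_admin(creds, target):
    return 'admin' in creds['roles']

def project_member(creds, target):
    # "project_id:%(project_id)s" fails closed when the target has no
    # project_id key; FIP PFs never have one, so this branch is dead code.
    if target.get('project_id') is None or 'member' not in creds['roles']:
        return False
    return creds['project_id'] == target['project_id']

def parent_owner(creds, target):
    # RULE_PARENT_OWNER: the requester's project owns the parent FIP
    # (target key name is an assumption for this example).
    return creds['project_id'] == target.get('ext_parent:tenant_id')

def create_pf_before_fix(creds, target):
    # policy_or(ADMIN_OR_PROJECT_MEMBER, RULE_PARENT_OWNER): ownership alone
    # is enough, so no role at all is required of the FIP owner.
    return (context_is_admin(creds, target) or project_member(creds, target)
            or parent_owner(creds, target))

def create_pf_after_fix(creds, target):
    # ADMIN_OR_PARENT_OWNER_MEMBER: member role AND ownership.
    return context_is_admin(creds, target) or (
        'member' in creds['roles'] and parent_owner(creds, target))

def get_pf_after_fix(creds, target):
    # ADMIN_OR_PARENT_OWNER_READER: reader or member role AND ownership.
    roles = set(creds['roles'])
    return context_is_admin(creds, target) or (
        bool(roles & {'member', 'reader'}) and parent_owner(creds, target))

# Constructed sample: a FIP owned by project-a and four requesters. Keystone's
# default role hierarchy (admin > member > reader) is modelled by listing the
# implied roles explicitly on each requester.
FIP_PF_TARGET = {'ext_parent:tenant_id': 'project-a'}
REQUESTERS = {
    'admin': {'project_id': 'project-x', 'roles': ['admin', 'member', 'reader']},
    'owner-member': {'project_id': 'project-a', 'roles': ['member', 'reader']},
    'owner-reader': {'project_id': 'project-a', 'roles': ['reader']},
    'other-member': {'project_id': 'project-b', 'roles': ['member', 'reader']},
}

def compare_create():
    """Map requester -> (allowed before fix, allowed after fix) for create."""
    return {name: (create_pf_before_fix(c, FIP_PF_TARGET),
                   create_pf_after_fix(c, FIP_PF_TARGET))
            for name, c in REQUESTERS.items()}
```

The owner-reader entry is the bug: it is allowed to create before the fix and denied after it, while get_pf_after_fix still permits that reader to read the port forwarding.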
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/882691

Changed in neutron:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/882691
Committed: https://opendev.org/openstack/neutron/commit/4edff4fe8dff102f13e3da0a000c03538755337d
Submitter: "Zuul (22348)"
Branch: master

commit 4edff4fe8dff102f13e3da0a000c03538755337d
Author: Slawek Kaplonski <email address hidden>
Date: Tue May 9 12:54:28 2023 +0200

    [S-RBAC] Fix new policies for FIP PFs APIs

    During transition to the new secure RBAC API policies, we made a mistake
    with policies for FIP PFs by defining them to be available for
    ADMIN_OR_PROJECT_MEMBER/READER or FIP owner.
    First, the rule PROJECT_MEMBER/READER is not appropriate in this case as FIP PFs
    don't have a tenant_id attribute at all and always belong to the owner of the FIP.
    The second issue was that any FIP owner, even with just the READER role, could possibly
    e.g. create a port forwarding.

    To fix that, this patch changes those API policies to new rules:
    ADMIN_OR_PARENT_OWNER_READER
    ADMIN_OR_PARENT_OWNER_MEMBER

    Closes-Bug: #2018989
    Change-Id: Ibff4c4f5b6d020fd598831a8a6e8ec0e2f559005

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/neutron/+/882960

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/neutron/+/882963

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/882963
Committed: https://opendev.org/openstack/neutron/commit/039caabfe352049f669323ffc00e74bb6ad5ca93
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 039caabfe352049f669323ffc00e74bb6ad5ca93
Author: Slawek Kaplonski <email address hidden>
Date: Tue May 9 12:54:28 2023 +0200

    [S-RBAC] Fix new policies for FIP PFs APIs

    During transition to the new secure RBAC API policies, we made a mistake
    with policies for FIP PFs by defining them to be available for
    ADMIN_OR_PROJECT_MEMBER/READER or FIP owner.
    First, the rule PROJECT_MEMBER/READER is not appropriate in this case as FIP PFs
    don't have a tenant_id attribute at all and always belong to the owner of the FIP.
    The second issue was that any FIP owner, even with just the READER role, could possibly
    e.g. create a port forwarding.

    To fix that, this patch changes those API policies to new rules:
    ADMIN_OR_PARENT_OWNER_READER
    ADMIN_OR_PARENT_OWNER_MEMBER

    Conflicts:
        neutron/conf/policies/floatingip_port_forwarding.py

    Closes-Bug: #2018989
    Change-Id: Ibff4c4f5b6d020fd598831a8a6e8ec0e2f559005
    (cherry picked from commit 4edff4fe8dff102f13e3da0a000c03538755337d)
    (cherry picked from commit 812526a2797770e4febe47d1547f1b383d772ffb)

tags: added: in-stable-zed
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/882960
Committed: https://opendev.org/openstack/neutron/commit/812526a2797770e4febe47d1547f1b383d772ffb
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 812526a2797770e4febe47d1547f1b383d772ffb
Author: Slawek Kaplonski <email address hidden>
Date: Tue May 9 12:54:28 2023 +0200

    [S-RBAC] Fix new policies for FIP PFs APIs

    During transition to the new secure RBAC API policies, we made a mistake
    with policies for FIP PFs by defining them to be available for
    ADMIN_OR_PROJECT_MEMBER/READER or FIP owner.
    First, the rule PROJECT_MEMBER/READER is not appropriate in this case as FIP PFs
    don't have a tenant_id attribute at all and always belong to the owner of the FIP.
    The second issue was that any FIP owner, even with just the READER role, could possibly
    e.g. create a port forwarding.

    To fix that, this patch changes those API policies to new rules:
    ADMIN_OR_PARENT_OWNER_READER
    ADMIN_OR_PARENT_OWNER_MEMBER

    Conflicts:
        neutron/conf/policies/floatingip_port_forwarding.py

    Closes-Bug: #2018989
    Change-Id: Ibff4c4f5b6d020fd598831a8a6e8ec0e2f559005
    (cherry picked from commit 4edff4fe8dff102f13e3da0a000c03538755337d)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 22.0.1

This issue was fixed in the openstack/neutron 22.0.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 21.1.1

This issue was fixed in the openstack/neutron 21.1.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 23.0.0.0b3

This issue was fixed in the openstack/neutron 23.0.0.0b3 development milestone.
