During transition to the new secure RBAC API policies, we made a mistake
with policies for FIP PFs by defining them to be available for
ADMIN_OR_PROJECT_MEMBER/READER or FIP owner.
First, rule PROJECT_MEMBER/READER is not appropriate in this case as FIP PFs
don't have a tenant_id attribute at all and always belong to the owner of the FIP.
The second issue was that any FIP owner, even with just the READER role, could possibly
e.g. create port forwarding.
To fix that, this patch changes those API policies to new rules:
ADMIN_OR_PARENT_OWNER_READER
ADMIN_OR_PARENT_OWNER_MEMBER
Reviewed: https://review.opendev.org/c/openstack/neutron/+/882963
Committed: https://opendev.org/openstack/neutron/commit/039caabfe352049f669323ffc00e74bb6ad5ca93
Submitter: "Zuul (22348)"
Branch: stable/zed
commit 039caabfe352049f669323ffc00e74bb6ad5ca93
Author: Slawek Kaplonski <email address hidden>
Date: Tue May 9 12:54:28 2023 +0200
[S-RBAC] Fix new policies for FIP PFs APIs
Conflicts:
neutron/conf/policies/floatingip_port_forwarding.py
Closes-Bug: #2018989
Change-Id: Ibff4c4f5b6d020fd598831a8a6e8ec0e2f559005
(cherry picked from commit 4edff4fe8dff102f13e3da0a000c03538755337d)
(cherry picked from commit 812526a2797770e4febe47d1547f1b383d772ffb)
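As an added illustration (not neutron's code and not part of the commit above), the toy model below captures the two rule shapes the commit message describes and shows why a FIP owner holding only the reader role could create a port forwarding under the old policy but not under ADMIN_OR_PARENT_OWNER_MEMBER; the Context, FloatingIP and PortForwarding classes and the role names are assumptions for the model.

```python
from dataclasses import dataclass


@dataclass
class Context:
    """Caller identity: scoped project plus assigned roles (model only)."""
    project_id: str
    roles: set


@dataclass
class FloatingIP:
    project_id: str  # the FIP is the only object carrying a project


@dataclass
class PortForwarding:
    """A PF has no project_id/tenant_id of its own; it only references its FIP."""
    floatingip: FloatingIP


def old_create_allowed(ctx: Context, pf: PortForwarding) -> bool:
    """Buggy shape: ADMIN or PROJECT_MEMBER or 'FIP owner'.

    PROJECT_MEMBER compares the caller's project with the target's own
    project_id, which a PF does not have (modelled as None), so that branch
    can never match; the 'FIP owner' branch carries no role requirement.
    """
    target_project = None  # PF has no tenant_id attribute
    is_admin = "admin" in ctx.roles
    is_member = "member" in ctx.roles and ctx.project_id == target_project
    is_fip_owner = ctx.project_id == pf.floatingip.project_id
    return is_admin or is_member or is_fip_owner


def new_create_allowed(ctx: Context, pf: PortForwarding) -> bool:
    """ADMIN_OR_PARENT_OWNER_MEMBER shape: ownership is evaluated against the
    parent FIP's project and still requires the member role."""
    is_admin = "admin" in ctx.roles
    parent_owner_member = ("member" in ctx.roles
                           and ctx.project_id == pf.floatingip.project_id)
    return is_admin or parent_owner_member


if __name__ == "__main__":
    pf = PortForwarding(FloatingIP("proj-a"))  # constructed sample objects
    for who, ctx in (("reader owner", Context("proj-a", {"reader"})),
                     ("member owner", Context("proj-a", {"member"})),
                     ("member elsewhere", Context("proj-b", {"member"}))):
        print(f"{who:17} old={old_create_allowed(ctx, pf)} "
              f"new={new_create_allowed(ctx, pf)}")
```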