Comment 6 for bug 2018989

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/882960
Committed: https://opendev.org/openstack/neutron/commit/812526a2797770e4febe47d1547f1b383d772ffb
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 812526a2797770e4febe47d1547f1b383d772ffb
Author: Slawek Kaplonski <email address hidden>
Date: Tue May 9 12:54:28 2023 +0200

    [S-RBAC] Fix new policies for FIP PFs APIs

    During the transition to the new secure RBAC API policies, we made a mistake
    with the policies for FIP PFs by defining them to be available for
    ADMIN_OR_PROJECT_MEMBER/READER or the FIP owner.
    First, the rule PROJECT_MEMBER/READER is not appropriate in this case, as FIP PFs
    don't have a tenant_id attribute at all and always belong to the owner of the FIP.
    The second issue was that any FIP owner, even with just the READER role, could possibly
    e.g. create a port forwarding.

    To fix that, this patch changes those API policies to new rules:
    ADMIN_OR_PARENT_OWNER_READER
    ADMIN_OR_PARENT_OWNER_MEMBER

    Conflicts:
        neutron/conf/policies/floatingip_port_forwarding.py

    Closes-Bug: #2018989
    Change-Id: Ibff4c4f5b6d020fd598831a8a6e8ec0e2f559005
    (cherry picked from commit 4edff4fe8dff102f13e3da0a000c03538755337d)
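The two problems the commit message describes (a project-scoped check that can never match on a resource without its own project attribute, and an "or FIP owner" clause that lets a reader-only owner perform a write) can be made concrete with a small policy evaluator. The block below is an added example written for this page, not neutron's policy engine and not the rule strings from the patch: the `parent_project_id` target attribute, the rule strings and the four sample principals are all constructed here to mirror the shapes named in the message (admin-or-project-member/reader-or-owner before, admin-or-parent-owner-member after), and `and` binds tighter than `or` as it does in oslo.policy.

```python
import re

# Minimal evaluator for oslo.policy-style rule strings. Constructed for this
# example; it supports only "role:X" and "cred_key:%(target_attr)s" checks
# joined by "and"/"or", which is enough to show the two rule shapes.
_GENERIC = re.compile(r"^(\w+):%\((\w+)\)s$")


def _check(token, creds, target):
    """Evaluate one atomic check against the caller's credentials and the target."""
    if token.startswith("role:"):
        return token[len("role:"):] in creds.get("roles", ())
    m = _GENERIC.match(token)
    if m:
        cred_key, target_attr = m.groups()
        # A target that lacks the attribute can never satisfy the check: a port
        # forwarding with no project_id cannot match project_id:%(project_id)s.
        if target_attr not in target:
            return False
        return creds.get(cred_key) == target[target_attr]
    raise ValueError(f"unsupported check: {token}")


def evaluate(rule, creds, target):
    """Return True if the rule grants access; 'and' binds tighter than 'or'."""
    return any(
        all(_check(tok, creds, target) for tok in term.split(" and "))
        for term in rule.split(" or ")
    )


# Constructed rule strings illustrating the before/after shapes from the commit
# message (not neutron's actual policy definitions). "parent_project_id" is an
# assumed name for the owning FIP's project carried on the target.
OLD_CREATE_PF = ("role:admin or role:member and project_id:%(project_id)s"
                 " or project_id:%(parent_project_id)s")
NEW_CREATE_PF = "role:admin or role:member and project_id:%(parent_project_id)s"

# Constructed sample principals. The FIP being targeted belongs to project p-1.
PRINCIPALS = {
    "admin":            {"roles": ["admin", "member", "reader"], "project_id": "p-admin"},
    "fip_owner_reader": {"roles": ["reader"],                    "project_id": "p-1"},
    "fip_owner_member": {"roles": ["member", "reader"],          "project_id": "p-1"},
    "other_member":     {"roles": ["member", "reader"],          "project_id": "p-2"},
}

# A port forwarding target has no project_id of its own, only its parent's.
PF_TARGET = {"parent_project_id": "p-1"}


def decisions(rule, target=PF_TARGET):
    """Map each sample principal to the access decision under the given rule."""
    return {name: evaluate(rule, creds, target) for name, creds in PRINCIPALS.items()}


if __name__ == "__main__":
    for label, rule in (("old", OLD_CREATE_PF), ("new", NEW_CREATE_PF)):
        print(label, decisions(rule))
```

Under the old shape the `fip_owner_reader` principal is granted the create call purely through the ownership clause, and the `role:member and project_id:%(project_id)s` clause is dead because the target never carries `project_id`; under the new shape the member role and parent ownership must both hold, so the reader-only owner is denied while the member-role owner and the admin are still allowed.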