[S-RBAC] context.elevated() method from neutron-lib should ensure all required roles are set in context object

Bug #2019946 reported by Slawek Kaplonski
Affects: neutron
Status: Fix Released
Importance: Critical
Assigned to: Slawek Kaplonski

Bug Description

Currently the context.elevated() method just ensures that the "admin" role is set in context.roles. But e.g. when the noauth method pipeline is used in Neutron, the context from environ will not have any role set, and it may fail if e.g. some API policy is allowed for "role:reader" (see the qos get_rule_types API policy).
We should make sure in the context.elevated() method that all roles which the "admin" role implies are there.

Changed in neutron:
importance: High → Critical
no longer affects: nova
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lib (master)
Changed in neutron:
status: Confirmed → In Progress
tags: added: access-control
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-lib (master)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/883345
Committed: https://opendev.org/openstack/neutron-lib/commit/c5ca1ddf420b827e4684dee6a6495475014a91e3
Submitter: "Zuul (22348)"
Branch: master

commit c5ca1ddf420b827e4684dee6a6495475014a91e3
Author: Slawek Kaplonski <email address hidden>
Date: Wed May 17 12:17:17 2023 +0200

    Context.elevated() method sets all required roles for context object

    If context should be elevated, it should always have "admin", "member"
    and "reader" roles set as admin user always has "member" and "reader"
    role as well.
    Usually, when context is created by keystone it is like that but in some
    cases, e.g. when noauth middleware is used instead of keystone it's not
    like that and then context from the environment doesn't have any role set
    so we should make sure that elevated context has all required roles set
    correctly.

    Closes-Bug: #2019946
    Change-Id: Ic70202d1b41ea64ffd63dc910b7852fe75421fa9
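
The failure described in the report and the behaviour described in the fix, as an added example that is not neutron-lib's code and not part of the original report. The `Context` class, the rule evaluator and the `role:reader` rule string are simplified, hypothetical stand-ins built only from what the report and commit message state.

```python
import copy

# Roles the commit message says an elevated context must always carry.
ADMIN_IMPLIED_ROLES = ("admin", "member", "reader")


class Context:
    """Simplified stand-in for a request context (not neutron-lib's class)."""

    def __init__(self, roles=None, is_admin=False):
        self.roles = list(roles or [])
        self.is_admin = is_admin

    def elevated_admin_only(self):
        """Behaviour described in the report: only "admin" is ensured."""
        ctx = copy.deepcopy(self)
        ctx.is_admin = True
        if "admin" not in ctx.roles:
            ctx.roles.append("admin")
        return ctx

    def elevated_all_roles(self):
        """Behaviour described in the fix: every implied role is ensured."""
        ctx = copy.deepcopy(self)
        ctx.is_admin = True
        for role in ADMIN_IMPLIED_ROLES:
            if role not in ctx.roles:
                ctx.roles.append(role)
        return ctx


def check_role_rule(rule, ctx):
    """Hypothetical evaluator for rules like "role:a or role:b"."""
    # Literal role match, no implied-role expansion: "admin" alone does not
    # satisfy "role:reader", so the context itself must list every role.
    wanted = set()
    for term in rule.split(" or "):
        kind, _, value = term.strip().partition(":")
        if kind != "role" or not value:
            raise ValueError("unsupported rule term: %r" % term)
        wanted.add(value)
    return bool(wanted & set(ctx.roles))


def demo():
    noauth_ctx = Context()  # constructed: noauth pipeline, no roles set
    rule = "role:reader"    # constructed rule for a reader-only API policy
    return (check_role_rule(rule, noauth_ctx.elevated_admin_only()),
            check_role_rule(rule, noauth_ctx.elevated_all_roles()),
            noauth_ctx.roles)
```

A context that already carries all three roles, as the commit message says keystone-created ones usually do, passes the rule with either method; only the role-less noauth context exposes the difference.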

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lib (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/neutron-lib/+/883398

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron-lib (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/neutron-lib/+/883399

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-lib 3.6.1

This issue was fixed in the openstack/neutron-lib 3.6.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-lib (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/883398
Committed: https://opendev.org/openstack/neutron-lib/commit/a13064946342f1c0cb24f32ebdb1b343568e600c
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit a13064946342f1c0cb24f32ebdb1b343568e600c
Author: Slawek Kaplonski <email address hidden>
Date: Wed May 17 12:17:17 2023 +0200

    Context.elevated() method sets all required roles for context object

    If context should be elevated, it should always have "admin", "member"
    and "reader" roles set as admin user always has "member" and "reader"
    role as well.
    Usually, when context is created by keystone it is like that but in some
    cases, e.g. when noauth middleware is used instead of keystone it's not
    like that and then context from the environment doesn't have any role set
    so we should make sure that elevated context has all required roles set
    correctly.

    Closes-Bug: #2019946
    Change-Id: Ic70202d1b41ea64ffd63dc910b7852fe75421fa9
    (cherry picked from commit c5ca1ddf420b827e4684dee6a6495475014a91e3)

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron-lib (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/neutron-lib/+/883399
Committed: https://opendev.org/openstack/neutron-lib/commit/00d4c31942d393942050f912ced14e3c85e4b7d2
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 00d4c31942d393942050f912ced14e3c85e4b7d2
Author: Slawek Kaplonski <email address hidden>
Date: Wed May 17 12:17:17 2023 +0200

    Context.elevated() method sets all required roles for context object

    If context should be elevated, it should always have "admin", "member"
    and "reader" roles set as admin user always has "member" and "reader"
    role as well.
    Usually, when context is created by keystone it is like that but in some
    cases, e.g. when noauth middleware is used instead of keystone it's not
    like that and then context from the environment doesn't have any role set
    so we should make sure that elevated context has all required roles set
    correctly.

    Closes-Bug: #2019946
    Change-Id: Ic70202d1b41ea64ffd63dc910b7852fe75421fa9
    (cherry picked from commit c5ca1ddf420b827e4684dee6a6495475014a91e3)

tags: added: in-stable-zed
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-lib 3.4.1

This issue was fixed in the openstack/neutron-lib 3.4.1 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron-lib 3.1.2

This issue was fixed in the openstack/neutron-lib 3.1.2 release.
