[S-RBAC] context.elevated() method from neutron-lib should ensure all required roles are set in context object
Bug #2019946 reported by Slawek Kaplonski
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
neutron | Fix Released | Critical | Slawek Kaplonski |
Bug Description
Currently the context.elevated() method just ensures that the "admin" role is set in context.roles. But e.g. in the case when the noauth method pipeline is used in Neutron, the context from environ will not have any role set, and it may fail if e.g. some API policy is allowed for "role:reader" (see the qos get_rule_types API policy).
We should make sure in the context.elevated() method that all roles which the "admin" role implies are there.
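The failure described in the report, as an added example that is not neutron-lib's code: a context with no roles is elevated two ways and then checked against a `role:reader` rule. The `Context` class, `expand_roles`, `check_role_rule` and both method names are hypothetical stand-ins, and the implied-role map assumes Keystone's default hierarchy (admin implies member, member implies reader).

```python
import copy

# Assumption: Keystone's default hierarchy (admin -> member -> reader).
IMPLIED_ROLES = {"admin": ["member"], "member": ["reader"]}


def expand_roles(role):
    """Return `role` plus every role it transitively implies."""
    seen, stack = [], [role]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.append(current)
            stack.extend(IMPLIED_ROLES.get(current, []))
    return seen


class Context:
    """Hypothetical stand-in for a request context; not neutron-lib's class."""

    def __init__(self, roles=None, is_admin=False):
        self.roles = list(roles or [])
        self.is_admin = is_admin

    def elevated_admin_only(self):
        """Behaviour described in the report: only "admin" is ensured."""
        ctx = copy.copy(self)
        ctx.is_admin = True
        ctx.roles = list(self.roles)
        if "admin" not in ctx.roles:
            ctx.roles.append("admin")
        return ctx

    def elevated(self):
        """Requested behaviour: ensure "admin" and every role it implies."""
        ctx = copy.copy(self)
        ctx.is_admin = True
        ctx.roles = list(self.roles)
        for role in expand_roles("admin"):
            if role not in ctx.roles:
                ctx.roles.append(role)
        return ctx


def check_role_rule(context, rule):
    """Simplified "role:<name>" check: exact membership in context.roles,
    with no implied-role expansion at evaluation time."""
    kind, _, name = rule.partition(":")
    return kind == "role" and name in context.roles
```

Because the rule check is a plain membership test, the implied roles have to be present in `context.roles` itself; the original (un-elevated) context is left unchanged in both variants.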
Changed in neutron: | |
importance: | High → Critical |
no longer affects: | nova |
tags: | added: access-control |
Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-lib/+/883345