Add support for the service role in neutron API policies
Bug #2026182 reported by Slawek Kaplonski
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
neutron | Fix Released | Medium | Slawek Kaplonski | |
Bug Description
As part of the second phase of the community goal "Consistent and Secure Default RBAC" [1], we should implement in Neutron support for the "service" role, which will be used for the APIs developed for machines to communicate, e.g. the port binding APIs which are used by the nova-compute service.
The second step of this phase 2 implementation should be the usage of that new service role in the APIs which are designed for such service-to-service communication.
[1] https:/
Changed in neutron:
importance: Undecided → Medium
Reviewed: https://review.opendev.org/c/openstack/neutron/+/886724
Committed: https://opendev.org/openstack/neutron/commit/428f7a8418447e75d6a9245dbaf7ccc165579ec4
Submitter: "Zuul (22348)"
Branch: master
commit 428f7a8418447e75d6a9245dbaf7ccc165579ec4
Author: Slawek Kaplonski <email address hidden>
Date: Thu Jun 22 09:34:26 2023 +0200
[S-RBAC] Add service role in neutron policy
RBAC community wide goal phase-2[1] is to add service
role for the service APIs policy rule.
This patch adds new "service_api" role in policies, deprecates old rule
"context_is_advsvc" as this had basically same goal but for consistency
reasons we want now to have it named "service_api" as in other policies
for other projects.
This patch also adds unit tests to ensure what is allowed and what is
forbidden for the service role user.
[1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#phase-2
Closes-Bug: #2026182
Change-Id: Iaa1a3a491d310c2304f6500c6e5d2b9c31a72fa8