Reader can update object tag

Bug #2037002 reported by Vadym Markov
This bug affects 2 people
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Rodolfo Alonso
Milestone: none

Bug Description

Updating Neutron object tags ignores the policies for the update of that object. So a reader user can update tags for all objects in their project.

Reproduced on Devstack (Yoga). Newer releases up to master have no changes here, so they should also be affected.

Steps to reproduce:
All operations are in the default alt_demo project, which has all the needed users provisioned by default.

1. Create a network object, e.g. a floating IP, using the alt_demo user (as project admin).
2. Re-login as alt_demo_reader and try to update the tags for this floating IP.

Tags are updated successfully, but the reader user has no rights to update the floating IP: the "update_floatingip" policy is enabled for at least the member role.

tags: added: access-control
Bernard Cafarelli (bcafarel) wrote :

It is possible tags slipped by in RBAC.

Though while trying to reproduce this (fresh devstack from 2023-09-22), I got an issue with the more generic reader role: after "source ~/devstack/openrc alt_demo_reader alt_demo" I could still run admin commands (creating/deleting networks, ports, ...).

Rodolfo Alonso (rodolfo-alonso-hernandez) wrote :

That's correct. The "tag" plugin has its own API paths (get_tags, update_tags, etc) that are not considered in the policy checks.

Changed in neutron:
status: New → Confirmed
Changed in neutron:
assignee: nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/896509

Changed in neutron:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/896509
Committed: https://opendev.org/openstack/neutron/commit/f9b91289a5c2948429e69e1b58098cec846fba99
Submitter: "Zuul (22348)"
Branch: master

commit f9b91289a5c2948429e69e1b58098cec846fba99
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Tue Sep 26 08:03:19 2023 +0000

    Add policy enforcer for "tags" service plugin

    The following resources have been updated with new policies for
    tags:
    * Port
    * Subnet
    * Network
    * Router
    * FloatingIP
    * NetworkSegmentRange
    * NetworkSegment
    * SecurityGroup
    * Trunk
    * Subnetpool

    The admin can now enforce specific policies for the resource tags
    for the creation, update and deletion actions.

    NOTE: a follow-up patch, with a new Launchpad bug reference, will
          be created to move the ``Tagging`` class from
          ``ExtensionDescriptor`` to ``APIExtensionDescriptor``, and
          refactor the ``TaggingController`` to be a standard
          ``neutron.api.v2.base.Controller``. Any API resource using
          the second controller will use the path used by the wsgi
          hooks, in particular the policy hook. That will make it
          unnecessary to call the ``policy.enforce`` method manually from
          the extension class methods.

    Closes-Bug: #2037002
    Change-Id: I9f3e032739824f268db74c5a1b4f04d353742dbd
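
As an added illustration (not Neutron's code), the comment above and the commit's NOTE describe the bug class: the tagging extension served its own API paths, so the generic WSGI policy hook never ran, and the fix has the extension methods call the enforcer themselves. The toy enforcer, the rule names of the form ``update_<resource>:tags`` and the role names are assumptions made for this example.

```python
import re

# Constructed policy table in oslo.policy-like "role:X or role:Y" syntax.
# The "*:tags" rules stand in for the ones the fix adds (names assumed).
POLICY = {
    "update_floatingip": "role:member or role:admin",
    "update_floatingip:tags": "role:member or role:admin",
    "update_network": "role:member or role:admin",
    "update_network:tags": "role:member or role:admin",
}

class PolicyNotAuthorized(Exception):
    pass

def enforce(context, rule, target):
    """Toy enforcer: the caller needs one of the rule's roles and the target
    must belong to the caller's project (a real policy hook checks the
    project scope as well)."""
    allowed_roles = set(re.findall(r"role:(\w+)", POLICY[rule]))
    if target["project_id"] != context["project_id"]:
        raise PolicyNotAuthorized(rule)
    if not allowed_roles & set(context["roles"]):
        raise PolicyNotAuthorized(rule)

class TaggingControllerBuggy:
    """Pre-fix shape: the extension owns its API path, the generic policy
    hook never sees the request, and no rule is ever evaluated."""

    def update_tag(self, context, resource, obj, tag):
        obj["tags"].add(tag)
        return obj["tags"]

class TaggingControllerFixed:
    """Post-fix shape: the extension method calls the enforcer itself
    before touching the resource, as the commit's NOTE describes."""

    def update_tag(self, context, resource, obj, tag):
        enforce(context, "update_%s:tags" % resource, obj)
        obj["tags"].add(tag)
        return obj["tags"]

def try_update(controller, context, resource, obj, tag):
    """Run one tag update and report 'updated' or 'forbidden'."""
    try:
        controller.update_tag(context, resource, obj, tag)
        return "updated"
    except PolicyNotAuthorized:
        return "forbidden"
```

Running the same reader-role request against both controllers reproduces the report (tags silently updated) and the fixed behaviour (request refused), while a member of the same project still succeeds.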

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 24.0.0.0b1

This issue was fixed in the openstack/neutron 24.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/2023.2)

Fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/neutron/+/923493

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/2023.2)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/923493
Committed: https://opendev.org/openstack/neutron/commit/11cfa25d1386618c15a01977e004a7f5e0957944
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit 11cfa25d1386618c15a01977e004a7f5e0957944
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Tue Sep 26 08:03:19 2023 +0000

    Add policy enforcer for "tags" service plugin

    The following resources have been updated with new policies for
    tags:
    * Port
    * Subnet
    * Network
    * Router
    * FloatingIP
    * NetworkSegmentRange
    * NetworkSegment
    * SecurityGroup
    * Trunk
    * Subnetpool

    The admin can now enforce specific policies for the resource tags
    for the creation, update and deletion actions.

    NOTE: a follow-up patch, with a new Launchpad bug reference, will
          be created to move the ``Tagging`` class from
          ``ExtensionDescriptor`` to ``APIExtensionDescriptor``, and
          refactor the ``TaggingController`` to be a standard
          ``neutron.api.v2.base.Controller``. Any API resource using
          the second controller will use the path used by the wsgi
          hooks, in particular the policy hook. That will make it
          unnecessary to call the ``policy.enforce`` method manually from
          the extension class methods.

    Conflicts:
        neutron/tests/unit/conf/policies/test_network.py
        neutron/tests/unit/conf/policies/test_subnet.py
        neutron/tests/unit/conf/policies/test_subnetpool.py

    Closes-Bug: #2037002
    Change-Id: I9f3e032739824f268db74c5a1b4f04d353742dbd
    (cherry picked from commit f9b91289a5c2948429e69e1b58098cec846fba99)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 23.2.0

This issue was fixed in the openstack/neutron 23.2.0 release.

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/936010

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-tempest-plugin (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/936036

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/2024.2)

Related fix proposed to branch: stable/2024.2
Review: https://review.opendev.org/c/openstack/neutron/+/936340

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/2024.1)

Related fix proposed to branch: stable/2024.1
Review: https://review.opendev.org/c/openstack/neutron/+/936342

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron (stable/2023.2)

Related fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/neutron/+/936344

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron-tempest-plugin (master)

Reviewed: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/936036
Committed: https://opendev.org/openstack/neutron-tempest-plugin/commit/4b97bdbc804aab5f21d3094b1537a310bbe3202c
Submitter: "Zuul (22348)"
Branch: master

commit 4b97bdbc804aab5f21d3094b1537a310bbe3202c
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Fri Nov 22 13:34:49 2024 +0000

    Use the admin client for the QoS tag tests

    By default, the network QoS policies can be created, updated
    and deleted only by an administrator. This patch changes the client
    used for these tests.

    Related-Bug: #2037002
    Change-Id: I37f46cf8f7991d49966d5e4a4598ed17ae7d392a

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/936010
Committed: https://opendev.org/openstack/neutron/commit/6aaf293ffd24555450ee9c416ec6b4890a91b40f
Submitter: "Zuul (22348)"
Branch: master

commit 6aaf293ffd24555450ee9c416ec6b4890a91b40f
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Fri Nov 22 11:07:26 2024 +0000

    Add policy enforcer for QoS policy "tags" service plugin

    This resource was missing in [1]. This patch should be backported
    up to 2023.2.

    [1] https://review.opendev.org/q/I9f3e032739824f268db74c5a1b4f04d353742dbd

    Depends-On: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/936036

    Related-Bug: #2037002
    Change-Id: Ie6210f7dab4d54d734255d3ac2271cac99590f46

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/2024.1)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/936342
Committed: https://opendev.org/openstack/neutron/commit/2a637ad7672f4217bb31bb4adcd102ce041e19f9
Submitter: "Zuul (22348)"
Branch: stable/2024.1

commit 2a637ad7672f4217bb31bb4adcd102ce041e19f9
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Fri Nov 22 11:07:26 2024 +0000

    Add policy enforcer for QoS policy "tags" service plugin

    This resource was missing in [1]. This patch should be backported
    up to 2023.2.

    [1] https://review.opendev.org/q/I9f3e032739824f268db74c5a1b4f04d353742dbd

    Depends-On: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/936036

    Conflicts:
        neutron/conf/policies/qos.py
        neutron/tests/unit/conf/policies/test_qos.py

    Related-Bug: #2037002
    Change-Id: Ie6210f7dab4d54d734255d3ac2271cac99590f46
    (cherry picked from commit 6aaf293ffd24555450ee9c416ec6b4890a91b40f)

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/2024.2)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/936340
Committed: https://opendev.org/openstack/neutron/commit/ad479cf8277ce395ecdaa605e6359831d8c5d638
Submitter: "Zuul (22348)"
Branch: stable/2024.2

commit ad479cf8277ce395ecdaa605e6359831d8c5d638
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Fri Nov 22 11:07:26 2024 +0000

    Add policy enforcer for QoS policy "tags" service plugin

    This resource was missing in [1]. This patch should be backported
    up to 2023.2.

    [1] https://review.opendev.org/q/I9f3e032739824f268db74c5a1b4f04d353742dbd

    Depends-On: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/936036

    Related-Bug: #2037002
    Change-Id: Ie6210f7dab4d54d734255d3ac2271cac99590f46
    (cherry picked from commit 6aaf293ffd24555450ee9c416ec6b4890a91b40f)

OpenStack Infra (hudson-openstack) wrote : Related fix merged to neutron (stable/2023.2)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/936344
Committed: https://opendev.org/openstack/neutron/commit/cbc01c0637df4200bff756013d694ae13c93e298
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit cbc01c0637df4200bff756013d694ae13c93e298
Author: Rodolfo Alonso Hernandez <email address hidden>
Date: Fri Nov 22 11:07:26 2024 +0000

    Add policy enforcer for QoS policy "tags" service plugin

    This resource was missing in [1]. This patch should be backported
    up to 2023.2.

    [1] https://review.opendev.org/q/I9f3e032739824f268db74c5a1b4f04d353742dbd

    Depends-On: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/936036

    Conflicts:
        neutron/conf/policies/qos.py
        neutron/tests/unit/conf/policies/test_qos.py

    Related-Bug: #2037002
    Change-Id: Ie6210f7dab4d54d734255d3ac2271cac99590f46
    (cherry picked from commit 6aaf293ffd24555450ee9c416ec6b4890a91b40f)
    (cherry picked from commit 2a637ad7672f4217bb31bb4adcd102ce041e19f9)
