Comment 5 for bug 2052937

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/909075
Committed: https://opendev.org/openstack/neutron/commit/a644b3c62bab1ad3f1abb892811c00cf385415f9
Submitter: "Zuul (22348)"
Branch: master

commit a644b3c62bab1ad3f1abb892811c00cf385415f9
Author: Slawek Kaplonski <email address hidden>
Date: Thu Feb 15 09:50:27 2024 +0100

    [S-RBAC] Change policies for port's binding:profile field

    According to the neutron API-REF [1] port's "binding:profile" field is
    intended to be used for the "machine-machine communication for compute
    services like Nova, Ironic or Zun to pass information to a Neutron
    back-end." so it should be allowed only for the users with the
    SERVICE role granted, not even for ADMIN.
    This patch updates those policies to be available only for SERVICE role
    when new, secure RBAC policies are enabled.

    Additionally this patch updates some policies for create, update and get
    port APIs to make them all work in the same way and allow them for the
    SERVICE users too.

    Finally this new policy for create/update_port:binding:profile has to
    be overwritten in the fullstack tests to be allowed also for admin user.
    It is done by adding custom policy file for the fullstack tests only.

    [1] https://docs.openstack.org/api-ref/network/v2/index.html#create-port

    Closes-Bug: #2052937
    Change-Id: I5c0094ff21439fe8977cfc623789a09067e6a895