Validation of the auto allocated topology for member/reader user doesn't work with new S-RBAC policies

Bug #2066369 reported by Slawek Kaplonski
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Slawek Kaplonski

Bug Description

Due to the missing 'project_id' field in the response generated by the AutoAllocatedTopologyMixin.get_auto_allocated_topology method when 'dry-run' is called, the response sent to the user is 404, as it doesn't pass policy enforcement.

We need to add both 'project_id' and 'tenant_id' fields there.

There is no problem with that when an admin user runs this validation from the API. We found it by running test tempest.api.compute.admin.test_auto_allocate_network.AutoAllocateNetworkTest.test_server_multi_create_auto_allocate is passing in our downstream CI job where this test was always failing for us.

In u/s CI jobs which enforce the new defaults (neutron_tempest_plugin jobs) we don't run this test, and that's why we did not catch it there.
In jobs like tempest-integrated-networking we skip this test because a shared network is found, and apparently this is the reason to skip it there too.

We can cover this by adding a simple API test in the neutron_tempest_plugin.api tests to just call:

curl -g -i -X GET http://10.120.0.40:9696/networking/v2.0/auto-allocated-topology/57bea41fe8f34eee8ba1cc26359fc08a?fields=dry-run -H "User-Agent: openstacksdk/3.1.0 keystoneauth1/5.6.0 python-requests/2.31.0 CPython/3.10.12" -H "X-Auth-Token: {SHA256}5a03508585ca03c6f127d8e052f2680778255e743345c660b9128929e22494c3"

Tags: api
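
The failure mode described in this report, as an added example that is not Neutron or oslo.policy code: a simplified model of a project-scoped policy check run against the dry-run response with and without 'project_id'. The rule, the role sets, the response shape and the project ID are assumptions constructed for illustration.

```python
# Simplified model of the bug; not Neutron or oslo.policy code.

def project_reader(creds, target):
    """Assumed S-RBAC style rule: admin, or reader role on the target's project."""
    if "admin" in creds["roles"]:
        return True  # the admin branch never looks at target['project_id']
    # A project-scoped check compares the caller's project with
    # target['project_id']; with the key absent it cannot match.
    try:
        owner = target["project_id"]
    except KeyError:
        return False
    return "reader" in creds["roles"] and creds["project_id"] == owner


def dry_run_response(project_id, include_project_id):
    """Constructed shape of the validation result, before and after the fix."""
    body = {"id": "dry-run-result (constructed)", "tenant_id": project_id}
    if include_project_id:
        body["project_id"] = project_id
    return body


def get_status(creds, include_project_id):
    """Status seen by the caller: a GET that fails policy is reported as 404."""
    target = dry_run_response(creds["project_id"], include_project_id)
    return 200 if project_reader(creds, target) else 404


PROJECT = "constructed-project-id"
# Constructed credentials; member is modelled as implying reader.
USERS = {
    "admin": {"roles": {"admin", "member", "reader"}, "project_id": PROJECT},
    "member": {"roles": {"member", "reader"}, "project_id": PROJECT},
    "reader": {"roles": {"reader"}, "project_id": PROJECT},
}


def status_matrix():
    """Map (user, response_has_project_id) to the HTTP status returned."""
    return {(name, fixed): get_status(creds, fixed)
            for name, creds in USERS.items() for fixed in (False, True)}


if __name__ == "__main__":
    for (name, fixed), status in sorted(status_matrix().items()):
        print(f"{name:6} project_id in response={fixed!s:5} -> HTTP {status}")
```

In this model the admin passes either way, which matches why the problem stayed hidden in jobs that only exercise the call as admin.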
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron/+/920174

Changed in neutron:
status: Confirmed → In Progress

OpenStack Infra (hudson-openstack) wrote : Related fix proposed to neutron-tempest-plugin (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/neutron-tempest-plugin/+/920177

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/920174
Committed: https://opendev.org/openstack/neutron/commit/dfc01beab22f1c2b977d3e399c3fcda69a72082d
Submitter: "Zuul (22348)"
Branch: master

commit dfc01beab22f1c2b977d3e399c3fcda69a72082d
Author: Slawek Kaplonski <email address hidden>
Date: Wed May 22 15:28:05 2024 +0200

    Return both project_id when validating auto allocate network

    When neutron API is called to check requirements for the auto_allocate
    topology, it needs to return not only 'tenant_id' field but also
    'project_id' as that is required for the policy enforcement.
    Without this 'project_id' field requirements check was failing for
    member and reader users as they got 404 from the Neutron API. And the
    reason why Neutron was returning 404 was that it wasn't passing policy
    enforcement due to missing project_id field in the 'target' object.

    Closes-bug: #2066369
    Change-Id: Idf96a82bc6c8cb0b47dfde3baba94b42a8a8beba

Changed in neutron:
status: In Progress → Fix Released

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/2024.1)

Fix proposed to branch: stable/2024.1
Review: https://review.opendev.org/c/openstack/neutron/+/920360

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/2023.2)

Fix proposed to branch: stable/2023.2
Review: https://review.opendev.org/c/openstack/neutron/+/920481

OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/neutron/+/920482

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/2024.1)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/920360
Committed: https://opendev.org/openstack/neutron/commit/d8208fc51482737a2aeed2a1c5e61737a2808d94
Submitter: "Zuul (22348)"
Branch: stable/2024.1

commit d8208fc51482737a2aeed2a1c5e61737a2808d94
Author: Slawek Kaplonski <email address hidden>
Date: Wed May 22 15:28:05 2024 +0200

    Return both project_id when validating auto allocate network

    When neutron API is called to check requirements for the auto_allocate
    topology, it needs to return not only 'tenant_id' field but also
    'project_id' as that is required for the policy enforcement.
    Without this 'project_id' field requirements check was failing for
    member and reader users as they got 404 from the Neutron API. And the
    reason why Neutron was returning 404 was that it wasn't passing policy
    enforcement due to missing project_id field in the 'target' object.

    Closes-bug: #2066369
    Change-Id: Idf96a82bc6c8cb0b47dfde3baba94b42a8a8beba
    (cherry picked from commit dfc01beab22f1c2b977d3e399c3fcda69a72082d)

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/920482
Committed: https://opendev.org/openstack/neutron/commit/75eefdbc69e40f9d73211852cc729bb91bb73693
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 75eefdbc69e40f9d73211852cc729bb91bb73693
Author: Slawek Kaplonski <email address hidden>
Date: Wed May 22 15:28:05 2024 +0200

    Return both project_id when validating auto allocate network

    When neutron API is called to check requirements for the auto_allocate
    topology, it needs to return not only 'tenant_id' field but also
    'project_id' as that is required for the policy enforcement.
    Without this 'project_id' field requirements check was failing for
    member and reader users as they got 404 from the Neutron API. And the
    reason why Neutron was returning 404 was that it wasn't passing policy
    enforcement due to missing project_id field in the 'target' object.

    Closes-bug: #2066369
    Change-Id: Idf96a82bc6c8cb0b47dfde3baba94b42a8a8beba
    (cherry picked from commit dfc01beab22f1c2b977d3e399c3fcda69a72082d)

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/2023.2)

Reviewed: https://review.opendev.org/c/openstack/neutron/+/920481
Committed: https://opendev.org/openstack/neutron/commit/de0e7341a9bc9eb4435ebbf5eeda5f3e39b18f18
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit de0e7341a9bc9eb4435ebbf5eeda5f3e39b18f18
Author: Slawek Kaplonski <email address hidden>
Date: Wed May 22 15:28:05 2024 +0200

    Return both project_id when validating auto allocate network

    When neutron API is called to check requirements for the auto_allocate
    topology, it needs to return not only 'tenant_id' field but also
    'project_id' as that is required for the policy enforcement.
    Without this 'project_id' field requirements check was failing for
    member and reader users as they got 404 from the Neutron API. And the
    reason why Neutron was returning 404 was that it wasn't passing policy
    enforcement due to missing project_id field in the 'target' object.

    Closes-bug: #2066369
    Change-Id: Idf96a82bc6c8cb0b47dfde3baba94b42a8a8beba
    (cherry picked from commit dfc01beab22f1c2b977d3e399c3fcda69a72082d)
