Reviewed: https://review.openstack.org/255285
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=67abf5f9f0e957150dd3b3b673094845810f9ea1
Submitter: Jenkins
Branch: master

commit 67abf5f9f0e957150dd3b3b673094845810f9ea1
Author: lzklibj <[email protected]>
Date: Wed Dec 9 21:52:05 2015 +0800

RBAC: Fix port query and deletion for network owner

Network owner should be able to get all ports and delete ports on
network as policy allowed. But current code fails to support this.

Current model query for Port is still based on tenant_id, it forgets
to check for network owner when context tenant_id is not port owner.

For port_delete action, policy will generate checking rules for port
attributes, such as:
rule:delete_port:binding:vif_details
rule:delete_port:binding:vif_type
This doesn't make sense, only single policy rule "rule:delete_port" is
enough to check.

This patch fixes this issue.

Co-Authored-By: Kevin Benton <[email protected]>
Change-Id: I55328cb43207654b9bb4cfb732923982d020ab0a
Closes-Bug: #1498790

** Changed in: neutron
Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1498790

Title:
rbac: can't delete other tenant's port on own network if not admin

Status in neutron:
Fix Released

Bug description:
It's not possible to delete a port that belongs to another tenant if
the caller isn't an admin even if he/she owns the network. This is
supposed to be possible according to the spec. See the last sentence
here in this section:
http://specs.openstack.org/openstack/neutron-specs/specs/liberty/rbac-networks.html#proposed-change

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1498790/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
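
The scoping problem described in the commit message above, as an added illustration that is not Neutron's code and not part of this notification: a port query filtered only on the port's tenant_id hides other tenants' ports from the network owner, while a query that also matches the network's tenant_id returns them. The table layout, function names and sample rows are constructed for this sketch, and the rule that a port owner may delete their own port is an assumption.

```python
import sqlite3


def build_db():
    """Constructed sample data: 'net-owner' owns net-1, 'guest' has a port on it."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE networks (id TEXT PRIMARY KEY, tenant_id TEXT);
        CREATE TABLE ports (id TEXT PRIMARY KEY, tenant_id TEXT, network_id TEXT);
        INSERT INTO networks VALUES ('net-1', 'net-owner'), ('net-2', 'other');
        INSERT INTO ports VALUES
            ('port-a', 'net-owner', 'net-1'),
            ('port-b', 'guest',     'net-1'),
            ('port-c', 'other',     'net-2');
    """)
    return db


def ports_by_tenant_only(db, tenant_id):
    """Behaviour reported as broken: scope the query to the port owner only."""
    rows = db.execute(
        "SELECT id FROM ports WHERE tenant_id = ? ORDER BY id", (tenant_id,))
    return [r[0] for r in rows]


def ports_with_network_owner(db, tenant_id):
    """Scope to ports the caller owns OR ports on networks the caller owns."""
    rows = db.execute(
        "SELECT p.id FROM ports p JOIN networks n ON n.id = p.network_id "
        "WHERE p.tenant_id = ? OR n.tenant_id = ? ORDER BY p.id",
        (tenant_id, tenant_id))
    return [r[0] for r in rows]


def may_delete_port(db, tenant_id, port_id, is_admin=False):
    """One delete decision per port: admin, port owner (assumed) or network owner."""
    row = db.execute(
        "SELECT p.tenant_id, n.tenant_id FROM ports p "
        "JOIN networks n ON n.id = p.network_id WHERE p.id = ?",
        (port_id,)).fetchone()
    if row is None:
        return False  # unknown port: deny rather than fall through
    port_owner, network_owner = row
    return is_admin or tenant_id in (port_owner, network_owner)


if __name__ == "__main__":
    db = build_db()
    print("tenant-only filter :", ports_by_tenant_only(db, "net-owner"))
    print("with network owner :", ports_with_network_owner(db, "net-owner"))
    print("owner deletes port-b:", may_delete_port(db, "net-owner", "port-b"))
```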

