Reviewed: https://review.opendev.org/652636
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=039691220817db3519149b5e2fd2607365f3d8af
Submitter: Zuul
Branch: master
commit 039691220817db3519149b5e2fd2607365f3d8af
Author: Slawek Kaplonski <[email protected]>
Date: Mon Apr 15 14:17:27 2019 +0200

    Fix handling of network:shared field in policy module

    Some policy rules, e.g. for create_port, use the rule "network:shared",
    in which the "shared" field relates to the network resource rather than
    directly to the port. Because of that, "shared" was missing from the
    "target" in the policy enforce module, so validation wasn't working
    properly for such a rule.

    This patch fixes it by adding to the FieldCheck checker the possibility
    to get the network object and use its "shared" field to validate the
    policy.

    Change-Id: I56c99883fce40c37a5ee26e6e661c0cc0783c42f
    Closes-Bug: #1808112

** Changed in: neutron
   Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1808112

Title:
  rule:shared is not respected in port/subnet create

Status in neutron:
  Fix Released

Bug description:
  In neutron policy.json there are rules like:

  "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
  "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
  "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared"

  but when I'm trying to create a port with a given subnet_id (but without
  ip_address) as a regular user, I can't do that because policy.json forbids
  it. I got an error like:

  [09:53:12] vagrant@devstack-ubuntu-ovs ~ $ openstack port create public_port --network public --fixed-ip subnet=1fc0a48d-f182-4bb0-b5d0-2dac8d1c6929
  HttpException: 403: Client Error for url: http://10.0.0.10:9696/v2.0/ports, (rule:create_port and rule:create_port:fixed_ips) is disallowed by policy

  Even if I changed the first of those rules to be like:

  "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",

  it is still failing, and I think that it's because rule:shared is related
  to the network, but during this POST call the target enforced by policy is
  the port, and the port resource doesn't have a shared field at all.

--
Mailing list: https://launchpad.net/~yahoo-eng-team
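The failure mode in the report and the shape of the fix, as an added example that is not neutron's own code or the patch above: a miniature oslo.policy-style enforcer with two `FieldCheck` variants. The naive one inspects only the enforced target (a port, which has no `shared` key, so `rule:shared` can never match); the parent-aware one follows the port's `network_id` to the network and checks `shared` there, failing closed if the lookup finds nothing. The rule strings are modelled on neutron's policy.json, where `shared` is defined as `field:networks:shared=True`; the `NETWORKS` dict (a stand-in for the DB lookup), the singularisation `networks -> network_id`, and the function names are assumptions for illustration.

```python
"""Added example (not neutron's code): why a port target cannot satisfy
"field:networks:shared=True" and how a parent-resource lookup fixes it."""

import re

# Constructed sample networks; assumption: an in-memory stand-in for the
# database lookup a real FieldCheck would perform.
NETWORKS = {
    "net-shared": {"id": "net-shared", "tenant_id": "admin", "shared": True},
    "net-private": {"id": "net-private", "tenant_id": "alice", "shared": False},
}

# Rules modelled on neutron's policy.json; upstream defines "shared" as
# "field:networks:shared=True", which is what makes it a field check.
RULES = {
    "admin_only": "role:admin",
    "shared": "field:networks:shared=True",
    "create_port:fixed_ips:subnet_id": "rule:admin_only or rule:shared",
}

FIELD_RE = re.compile(r"field:(?P<resource>\w+):(?P<field>\w+)=(?P<value>.+)")


def _coerce(text):
    """Turn the rule's literal ("True"/"False"/string) into the field's type."""
    if text in ("True", "False"):
        return text == "True"
    return text


def naive_field_check(resource, field, value, target):
    """Pre-fix behaviour: only the enforced target itself is inspected.
    A port target has no 'shared' key, so the check can never pass."""
    return target.get(field) == _coerce(value)


def parent_aware_field_check(resource, field, value, target):
    """Post-fix behaviour: when the target lacks the field, follow its
    <resource>_id reference and check the field on the parent object."""
    if field in target:
        return target[field] == _coerce(value)
    parent_key = resource[:-1] + "_id"      # assumption: "networks" -> "network_id"
    parent = NETWORKS.get(target.get(parent_key)) if resource == "networks" else None
    if parent is None:
        return False                        # fail closed when the lookup fails
    return parent.get(field) == _coerce(value)


def enforce(rule_name, target, creds, field_check):
    """Evaluate a rule string: top-level ' or ' plus rule:, role:, field: terms."""
    for term in RULES[rule_name].split(" or "):
        term = term.strip()
        if term.startswith("rule:"):
            ok = enforce(term[5:], target, creds, field_check)
        elif term.startswith("role:"):
            ok = term[5:] in creds.get("roles", ())
        elif term.startswith("field:"):
            m = FIELD_RE.fullmatch(term)
            ok = field_check(m["resource"], m["field"], m["value"], target)
        else:
            raise ValueError("unsupported rule term: " + term)
        if ok:
            return True
    return False


# Constructed request: a regular user creating a port with a fixed subnet on
# the shared network, i.e. the scenario from the bug report.
USER = {"tenant_id": "bob", "roles": ["member"]}
ADMIN = {"tenant_id": "admin", "roles": ["admin"]}
PORT_ON_SHARED = {"network_id": "net-shared", "tenant_id": "bob",
                  "fixed_ips": [{"subnet_id": "subnet-1"}]}
PORT_ON_PRIVATE = dict(PORT_ON_SHARED, network_id="net-private")


def demo():
    """Run the subnet_id rule through both checkers; returns name -> allowed."""
    rule = "create_port:fixed_ips:subnet_id"
    return {
        "naive_shared": enforce(rule, PORT_ON_SHARED, USER, naive_field_check),
        "fixed_shared": enforce(rule, PORT_ON_SHARED, USER, parent_aware_field_check),
        "fixed_private": enforce(rule, PORT_ON_PRIVATE, USER, parent_aware_field_check),
        "admin_private": enforce(rule, PORT_ON_PRIVATE, ADMIN, naive_field_check),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The `fixed_private` case is the check worth keeping an eye on when touching this code path: once the checker starts reaching into another resource, the rule must still deny a regular user on a network that is not shared, and must deny (not crash or pass) when the referenced network cannot be found.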

