Public bug reported:
When new RBAC policies and scopes are enforced in Neutron, there are system and
project admins, and project admins don't have access to resources from other
projects.
Now, when a project admin tries to list security groups for another project, an
empty list should be returned, but as Neutron tries to ensure that the default
security group for that project is created, it may happen that the request will go to
https://github.com/openstack/neutron/blob/25207ed9c0d929aa79270a118983c04f3476afc4/neutron/db/securitygroups_db.py#L144
and as it will return None for the project admin, the request will fail and error 500
will be returned.
In such a case I think that context.elevated() should be used to get the SG
from the DB. If the user doesn't have permission to see it, it will be filtered
out later by policy.
** Affects: neutron
Importance: Medium
Assignee: Slawek Kaplonski (slaweq)
Status: Confirmed
** Tags: api
--
https://bugs.launchpad.net/bugs/1934115
Title:
List security groups by project admin may return 500
Status in neutron:
Confirmed
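Added example, not part of the original report and not Neutron code: a simplified Python model of the failure described in the bug, with the scoped lookup beside the elevated one. The Context class, get_default_sg, the ensure_* functions, policy_allows and the sample rows are assumptions made for illustration; only context.elevated() is named in the report.

```python
from dataclasses import dataclass, replace

# Constructed rows: one default security group per project.
SG_ROWS = [
    {"id": "sg-a", "project_id": "project-a", "name": "default"},
    {"id": "sg-b", "project_id": "project-b", "name": "default"},
]

@dataclass(frozen=True)
class Context:  # hypothetical stand-in for a project admin's request context
    project_id: str
    is_elevated: bool = False

    def elevated(self):
        # Copy of the context whose DB reads are not project-scoped.
        return replace(self, is_elevated=True)

def get_default_sg(context, project_id):
    # DB read: a non-elevated context only sees rows of its own project.
    for row in SG_ROWS:
        if row["project_id"] == project_id and (
                context.is_elevated or context.project_id == project_id):
            return row
    return None

def ensure_default_sg_scoped(context, project_id):
    # Behaviour described in the report: caller's context, result used as-is.
    return get_default_sg(context, project_id)["id"]  # TypeError on None

def ensure_default_sg_elevated(context, project_id):
    # Change proposed in the report: read with an elevated context.
    return get_default_sg(context.elevated(), project_id)["id"]

def policy_allows(context, row):
    # Modelled policy: a project admin may only see its own project's groups.
    return row["project_id"] == context.project_id

def list_security_groups(context, project_id, ensure):
    try:
        ensure(context, project_id)
    except Exception:  # unhandled server-side error surfaces as HTTP 500
        return 500, []
    rows = [r for r in SG_ROWS if r["project_id"] == project_id]
    # The elevated read never reaches the response; policy filters the output.
    return 200, [r["id"] for r in rows if policy_allows(context, r)]
```
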