Reviewed:  https://review.opendev.org/c/openstack/neutron/+/798821
Committed: 
https://opendev.org/openstack/neutron/commit/f6c3747caeac08df9d865312686be8eccb7f0472
Submitter: "Zuul (22348)"
Branch:    master

commit f6c3747caeac08df9d865312686be8eccb7f0472
Author: Slawek Kaplonski <[email protected]>
Date:   Wed Jun 30 11:28:36 2021 +0200

    Use elevated context to get default SG from database
    
    With new system/project scopes it may happen that project admin
    will try to list security groups for different project and during
    that call Neutron will ensure that default security group is created.
    
    In such case elevated context needs to be used to get SG object from
    the database otherwise, SG will not be found and error 500 will be
    returned through the API.
    
    Use of elevated context is fine here as if user don't have access to
    the SG, it will be filtered out by policy mechanism and it will not
    be returned through API.
    
    Closes-Bug: #1934115
    Change-Id: I0ca07d1a1aaf05c1992aea9e29575580d7933324


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1934115

Title:
  List security groups by project admin may return 500

Status in neutron:
  Fix Released

Bug description:
  When new RBAC policies and scopes are enforced in Neutron, there are system 
and project admins and project admin don't have access to resources from other 
projects.
  Now, when project admin tries to list security groups for other project, 
empty list should be returned but as Neutron tries to ensure that default 
security group for that project is created it may happen that request will go 
to 
https://github.com/openstack/neutron/blob/25207ed9c0d929aa79270a118983c04f3476afc4/neutron/db/securitygroups_db.py#L144
 and as it will return None for project admin, request will fail and error 500 
will be returned.

  In such case I think that context.elevated() should be used to get SG
  from DB. If user don't have permission to see it, it will be filtered
  out later by policy.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1934115/+subscriptions


-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to