Reviewed: https://review.opendev.org/c/openstack/neutron/+/798821 Committed: https://opendev.org/openstack/neutron/commit/f6c3747caeac08df9d865312686be8eccb7f0472 Submitter: "Zuul (22348)" Branch: master
commit f6c3747caeac08df9d865312686be8eccb7f0472 Author: Slawek Kaplonski <[email protected]> Date: Wed Jun 30 11:28:36 2021 +0200 Use elevated context to get default SG from database With new system/project scopes it may happen that project admin will try to list security groups for different project and during that call Neutron will ensure that default security group is created. In such case elevated context needs to be used to get SG object from the database otherwise, SG will not be found and error 500 will be returned through the API. Use of elevated context is fine here as if user don't have access to the SG, it will be filtered out by policy mechanism and it will not be returned through API. Closes-Bug: #1934115 Change-Id: I0ca07d1a1aaf05c1992aea9e29575580d7933324 ** Changed in: neutron Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron. https://bugs.launchpad.net/bugs/1934115 Title: List security groups by project admin may return 500 Status in neutron: Fix Released Bug description: When new RBAC policies and scopes are enforced in Neutron, there are system and project admins and project admin don't have access to resources from other projects. Now, when project admin tries to list security groups for other project, empty list should be returned but as Neutron tries to ensure that default security group for that project is created it may happen that request will go to https://github.com/openstack/neutron/blob/25207ed9c0d929aa79270a118983c04f3476afc4/neutron/db/securitygroups_db.py#L144 and as it will return None for project admin, request will fail and error 500 will be returned. In such case I think that context.elevated() should be used to get SG from DB. If user don't have permission to see it, it will be filtered out later by policy. To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/1934115/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
