Reviewed:  https://review.opendev.org/c/openstack/neutron-lib/+/825088
Committed: https://opendev.org/openstack/neutron-lib/commit/cf54989be21e1229eae6a34af5b84c2bfc5aface
Submitter: "Zuul (22348)"
Branch:    master

commit cf54989be21e1229eae6a34af5b84c2bfc5aface
Author: yatinkarel <[email protected]>
Date:   Tue Jan 18 10:45:17 2022 +0000

    Enforce policy for qos_policy_id attribute

    Currently while updating 'qos_policy_id', authorization
    policies are not enforced and as a result it can be set
    or unset over port/network/fip by an unauthorized user.

    This patch fixes it by setting 'enforce_policy' to True
    for this attribute.

    Closes-Bug: #1957175
    Change-Id: Ieee1ca092e572ad4696105962fbc6de675454657

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1957175

Title:
  Regular user can remove qos from a port despite the policy

Status in neutron:
  Fix Released

Bug description:
  We use neutron stable/stein release with ml2/ovs plugin.
  From the admin role, we assign qos policy with bandwidth limit to the
  ports of virtual machines.
  In oslo policies, we forbid users to change this qos.

  "update_port:qos_policy_id": "rule:admin_only"

  But users, despite the policy, can remove the qos from the ports by
  entering the command

  openstack port unset <port_id> --qos-policy

  This happens because the qos api definition (neutron_lib) for port
  does not set the "enforce_policy" flag.

  https://github.com/openstack/neutron-lib/blob/master/neutron_lib/api/definitions/qos.py#L91

  Is this done on purpose by neutron api design or is it a bug?
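
Added example, not part of the bug report or of the neutron/neutron-lib code: a simplified Python model of why the "update_port:qos_policy_id" rule had no effect until the attribute carried 'enforce_policy', plus an audit helper that lists configured per-attribute rules that are never evaluated. The attribute maps, the "rule:admin_or_owner" base rule, the role names and all function names are assumptions made for illustration.

```python
# Simplified model of per-attribute policy checks; NOT neutron's own code.
# Attribute maps, rule table and role names are constructed sample data.
BASE = {"allow_put": True, "is_visible": True}
ATTRS_BEFORE = {"ports": {"name": dict(BASE), "qos_policy_id": dict(BASE)}}
ATTRS_AFTER = {"ports": {"name": dict(BASE),
                         "qos_policy_id": dict(BASE, enforce_policy=True)}}

POLICY = {
    "update_port": "rule:admin_or_owner",            # assumed base rule
    "update_port:qos_policy_id": "rule:admin_only",  # operator rule from the bug
}
CHECKS = {
    "rule:admin_only": lambda roles, is_owner: "admin" in roles,
    "rule:admin_or_owner": lambda roles, is_owner: "admin" in roles or is_owner,
}
ACTION_TO_COLLECTION = {"update_port": "ports"}


def rules_to_check(action, body, attr_map):
    """Rule names evaluated for a request: the action itself, plus
    action:attribute for each attribute in the body flagged enforce_policy."""
    specs = attr_map[ACTION_TO_COLLECTION[action]]
    rules = [action]
    for name in body:  # a key set to None (an "unset") still counts as present
        if specs.get(name, {}).get("enforce_policy"):
            rules.append(f"{action}:{name}")
    return rules


def authorize(action, body, roles, is_owner, attr_map, policy=POLICY):
    """Allow only if every evaluated rule that the operator defined passes."""
    return all(CHECKS[policy[r]](roles, is_owner)
               for r in rules_to_check(action, body, attr_map) if r in policy)


def unenforced_rules(attr_map, policy=POLICY):
    """Audit: per-attribute rules that are configured but never evaluated
    because the attribute definition lacks enforce_policy."""
    dead = []
    for rule_name in policy:
        action, sep, attr = rule_name.partition(":")
        spec = attr_map.get(ACTION_TO_COLLECTION.get(action), {}).get(attr)
        if sep and spec is not None and not spec.get("enforce_policy"):
            dead.append(rule_name)
    return sorted(dead)


if __name__ == "__main__":
    unset_qos = {"qos_policy_id": None}  # modelled body of the unset request
    print(authorize("update_port", unset_qos, ["member"], True, ATTRS_BEFORE))
    print(authorize("update_port", unset_qos, ["member"], True, ATTRS_AFTER))
    print(unenforced_rules(ATTRS_BEFORE), unenforced_rules(ATTRS_AFTER))
```

Running the audit helper against a deployment's real attribute definitions and policy file would need those to be loaded into the same dictionary shapes used here.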

