Reviewed:  https://review.opendev.org/c/openstack/neutron/+/834171
Committed: https://opendev.org/openstack/neutron/commit/60bc6c7a992383cecaf7dcf425668a6ea92b151b
Submitter: "Zuul (22348)"
Branch:    master

commit 60bc6c7a992383cecaf7dcf425668a6ea92b151b
Author: Slawek Kaplonski <[email protected]>
Date:   Thu Mar 17 14:33:41 2022 +0100

    [API] Return 403 for POST requests when user is not authorized

    In the policy_enforcement module if policy.enforce() will raise
    PolicyNotAuthorized exception, there is additional check if user is
    trying to modify own or someone else resource. In case when user is not
    allowed to show resource even, error 404 is raised to "hide" any
    information about requested resource.
    But that was also the case for POST (create resource) requests and 404
    error when user is trying e.g. create network is confusing.
    So this patch modifies that logic and in case of "create_" actions it
    will return 403 if user was not authorized to do such operation.

    Closes-Bug: #1965294
    Change-Id: I80b0616c335134a564361137b2a00ff86dcbdf1c

** Changed in: neutron
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1965294

Title:
  [Secure RBAC] Create network error due to role without permissions
  isn't clear

Status in neutron:
  Fix Released

Bug description:
  Bug originally reported by Candido Campos in
  https://bugzilla.redhat.com/show_bug.cgi?id=2063867

  Description of problem:

  Captured traceback:
  ~~~~~~~~~~~~~~~~~~~
      Traceback (most recent call last):
        File "/usr/lib/python3.6/site-packages/tempest/common/utils/__init__.py", line 89, in wrapper
          return func(*func_args, **func_kwargs)
        File "/usr/lib/python3.6/site-packages/neutron_tempest_plugin/scenario/test_internal_dns.py", line 38, in test_dns_domain_and_name
          network = self.create_network(dns_domain='starwars.')
        File "/usr/lib/python3.6/site-packages/neutron_tempest_plugin/api/base.py", line 379, in create_network
          network = client.create_network(name=name, **kwargs)['network']
        File "/usr/lib/python3.6/site-packages/neutron_tempest_plugin/services/network/json/network_client.py", line 146, in _create
          resp, body = self.post(uri, post_data)
        File "/usr/lib/python3.6/site-packages/tempest/lib/common/rest_client.py", line 299, in post
          return self.request('POST', url, extra_headers, headers, body, chunked)
        File "/usr/lib/python3.6/site-packages/tempest/lib/common/rest_client.py", line 703, in request
          self._error_checker(resp, resp_body)
        File "/usr/lib/python3.6/site-packages/tempest/lib/common/rest_client.py", line 809, in _error_checker
          raise exceptions.NotFound(resp_body, resp=resp)
      tempest.lib.exceptions.NotFound: Object not found
      Details: {'type': 'HTTPNotFound', 'message': 'The resource could not be found.', 'detail': ''}

  Version-Release number of selected component (if applicable):

  How reproducible:

      openstack project create --domain default --description "Demo Project" myproject
      openstack user create --domain default --password-prompt myuser
      openstack role create myrole
      openstack role add --project myproject --user myuser myrole
      openstack network create test

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1965294/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
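
A simplified model of the status-code decision the commit message describes, added here as an illustration and not taken from neutron. The rule table, role names, sample callers and function names are assumptions; `patched=False` reproduces the 404 on create from the bug report.

```python
# Simplified model of the logic in the commit message; all names are
# hypothetical and this is not neutron's own code.
class PolicyNotAuthorized(Exception):
    """Stand-in for the exception policy.enforce() raises on denial."""

def owner_with(role):
    # Constructed rule: caller holds `role` in the project that owns the target.
    return lambda creds, target: (role in creds["roles"]
                                  and creds["project_id"] == target["project_id"])

# Constructed policy table (assumed role names, not neutron's real defaults).
RULES = {
    "create_network": owner_with("member"),
    "update_network": owner_with("member"),
    "get_network": owner_with("reader"),
}

def enforce(action, creds, target):
    if not RULES[action](creds, target):
        raise PolicyNotAuthorized(action)

def response_status(action, creds, target, patched=True):
    """HTTP status for a request; patched=False models the pre-fix behaviour."""
    try:
        enforce(action, creds, target)
        return 201 if action.startswith("create_") else 200
    except PolicyNotAuthorized:
        # After the fix: a create has no existing resource to hide, so say 403.
        if patched and action.startswith("create_"):
            return 403
        try:
            # Additional check: may the caller even show this resource?
            enforce("get_" + action.split("_", 1)[1], creds, target)
        except PolicyNotAuthorized:
            return 404  # hide whether the resource exists
        return 403  # caller can see the resource but may not modify it

# Constructed callers and target; MYUSER mirrors the bug's reproducer.
MYUSER = {"project_id": "myproject", "roles": ["myrole"]}
READER = {"project_id": "myproject", "roles": ["reader"]}
MEMBER = {"project_id": "myproject", "roles": ["member", "reader"]}
OUTSIDER = {"project_id": "other", "roles": ["member", "reader"]}
NET = {"project_id": "myproject"}

if __name__ == "__main__":
    for creds in (MYUSER, READER, OUTSIDER):
        print(creds, response_status("create_network", creds, NET, patched=False),
              "->", response_status("create_network", creds, NET))
```

In this model the 404 is kept for update requests on resources the caller cannot show, so the information-hiding behaviour for existing resources is unchanged by the fix.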

