Reviewed:  https://review.opendev.org/c/openstack/neutron/+/865032
Committed: https://opendev.org/openstack/neutron/commit/0ef4f988254457ae460f192a334ccd6776688afb
Submitter: "Zuul (22348)"
Branch:    master

commit 0ef4f988254457ae460f192a334ccd6776688afb
Author: Slawek Kaplonski <[email protected]>
Date:   Fri Nov 18 16:04:01 2022 +0100

    Remove policy rule for get_network:router:external

    In legacy RBAC rules, get of the network's router:external attribute
    was available for everyone (rule:regular_user).
    In new S-RBAC rules it was done to be available for admin users and
    for PROJECT_READER. This didn't really have the same result, as the
    router:external attribute wasn't visible for networks which belong
    to another project.
    Networks which are set to be external are automatically shared with
    all other projects, and each user from such a project should be able
    to check for each of the visible networks if it is external or not.

    Overall, an extra policy rule for "get_network:router:external"
    isn't really necessary and this patch removes it.

    Closes-Bug: #1996836
    Change-Id: I5fe4a0134c6ecf5cf28e2f5d59411134546c98b0

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1996836

Title:
  With new RBAC enabled (enforce_scope and enforce_new_defaults):
  'router:external' field is missing in network list response

Status in neutron:
  Fix Released

Bug description:
  I was testing tempest with the new RBAC enabled, which means enabling
  the below options in neutron.conf:

    [oslo_policy]
    enforce_scope = True
    enforce_new_defaults = True

  https://zuul.opendev.org/t/openstack/build/e447385546c749f8b38bc4c411088dc1/log/controller/logs/etc/neutron/neutron_conf.txt#1928

  Tempest external network tests do the network list, but the
  'router:external' field is missing in the network list response

  - https://zuul.opendev.org/t/openstack/build/e447385546c749f8b38bc4c411088dc1/log/job-output.txt#23754

  Policy defaults for 'router:external' seem fine

  - https://github.com/openstack/neutron/blob/bf44e70db6219e7f3a45bd61b7dd14a31ae33bb0/neutron/conf/policies/network.py#L193

  But it seems enforce_scope is restricting it somewhere. Is this check
  in context causing it not to be returned?

  - https://github.com/openstack/neutron-lib/blob/9ecd5995b6c598cee931087bf13fdd166f404034/neutron_lib/context.py#L125

  We should not add system:all in neutron as system scope is not
  supported in neutron policy now.
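
The effect described in the commit message above, as an added example that is not part of the original notification and is not Neutron's code: a simplified model of per-attribute policy filtering, showing why a project-scoped rule on 'router:external' hides the field on external networks owned by another project. All function names, the visibility model and the sample networks are assumptions made for illustration.

```python
# Simplified model of per-attribute policy filtering on a network list.
# Not Neutron code: every function and variable name here is illustrative.

def project_reader(ctx, net):
    # PROJECT_READER as the commit message describes its effect: the reader
    # role only counts for resources owned by the caller's own project.
    return "reader" in ctx["roles"] and ctx["project_id"] == net["project_id"]

def admin_or_project_reader(ctx, net):
    return "admin" in ctx["roles"] or project_reader(ctx, net)

# Attribute-level rules before and after the change.
RULES_BEFORE = {"router:external": admin_or_project_reader}
RULES_AFTER = {}  # rule removed: the attribute is returned with the network

def list_networks(ctx, networks, attr_rules):
    """Return the networks ctx can see, minus attributes its rules deny."""
    result = []
    for net in networks:
        # Assumed visibility model: own networks plus external ones, which
        # are shared with all projects.
        if net["project_id"] != ctx["project_id"] and not net["router:external"]:
            continue
        result.append({
            key: value for key, value in net.items()
            if key not in attr_rules or attr_rules[key](ctx, net)
        })
    return result

def networks_missing_external_flag(ctx, networks, attr_rules):
    """Ids of visible networks whose 'router:external' field was stripped."""
    return [n["id"] for n in list_networks(ctx, networks, attr_rules)
            if "router:external" not in n]

# Constructed sample data.
NETWORKS = [
    {"id": "public", "project_id": "admin-project", "router:external": True},
    {"id": "private", "project_id": "demo-project", "router:external": False},
    {"id": "other", "project_id": "other-project", "router:external": False},
]
DEMO_READER = {"project_id": "demo-project", "roles": ["reader"]}

if __name__ == "__main__":
    print("before:", networks_missing_external_flag(DEMO_READER, NETWORKS, RULES_BEFORE))
    print("after: ", networks_missing_external_flag(DEMO_READER, NETWORKS, RULES_AFTER))
```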

