Reviewed:  https://review.opendev.org/c/openstack/neutron/+/865040
Committed: https://opendev.org/openstack/neutron/commit/6d8ada0ac93beed05b45adb9582c3ef23bef49d2
Submitter: "Zuul (22348)"
Branch:    master

commit 6d8ada0ac93beed05b45adb9582c3ef23bef49d2
Author: Slawek Kaplonski <[email protected]>
Date:   Mon Nov 21 15:32:21 2022 +0100

    [S-RBAC] Allow admin user to do all API requests by default

    By default ADMIN user in the new Secure RBAC policies should behave in
    the same way as in the legacy rules so basically every API operation
    for any project should be allowed for ADMIN user.
    In the new rules there are roles like PROJECT_MEMBER and PROJECT_READER
    and those personas don't inherit directly from ADMIN which means that
    if something is possible for e.g. PROJECT_MEMBER it isn't automatically
    also allowed to ADMIN and we need to explicitly allow ADMIN user to do
    such requests. It was done like that for many of API calls already but
    not for all of them (probably by mistake).

    This patch introduces new composite check ADMIN_OR_PROJECT_MEMBER and
    uses it in the check strings where ADMIN or PROJECT_MEMBER user is
    allowed to use the API.
    It also changes some of the check strings which used "policy_or" to
    combine ADMIN and PROJECT_MEMBER or PROJECT_READER so that those
    composite checks ADMIN_OR_PROJECT_MEMBER and ADMIN_OR_PROJECT_READER
    are used everywhere.

    Closes-Bug: #1997089
    Change-Id: Iab5cd6c7aa07ca8527c5fa8396c9ed0da65b4fa7

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1997089

Title:
  With new RBAC enabled (enforce_scope and enforce_new_defaults): some
  security groups aren't visible for admin user

Status in neutron:
  Fix Released

Bug description:
  See failed test
  tempest.api.compute.admin.test_security_groups.SecurityGroupsTestAdminJSON.test_list_security_groups_list_all_tenants_filter
  in
  https://storage.gra.cloud.ovh.net/v1/AUTH_dcaab5e32b234d56b626f72581e3644c/zuul_opendev_logs_63d/614484/10/check/tempest-full-enforce-scope-new-defaults/63d64d6/testr_results.html

  Failure:

  Traceback (most recent call last):
    File "/opt/stack/tempest/tempest/common/utils/__init__.py", line 70, in wrapper
      return f(*func_args, **func_kwargs)
    File "/opt/stack/tempest/tempest/api/compute/admin/test_security_groups.py", line 86, in test_list_security_groups_list_all_tenants_filter
      self.assertIn(sec_group['id'], sec_group_id_list)
    File "/opt/stack/tempest/.tox/tempest/lib/python3.8/site-packages/testtools/testcase.py", line 399, in assertIn
      self.assertThat(haystack, Contains(needle), message)
    File "/opt/stack/tempest/.tox/tempest/lib/python3.8/site-packages/testtools/testcase.py", line 480, in assertThat
      raise mismatch_error
  testtools.matchers._impl.MismatchError: '0596ea46-0609-4d40-b42a-e24d4882709b' not in ['5bb547c6-e27c-4be9-8599-dcb47b253e3e', '21c2add9-c4ee-40bb-8888-42c408f677a9', '0acc8817-d8ed-44cf-8728-c43cae604c7e']
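
The persona behaviour described in the commit message, as an added example that is not part of the original notification or of neutron's code: a minimal evaluator for check strings showing why a member-only check refuses an admin token for another project's security group while the composite check admits it. The rule text, the function name `enforce` and the sample credentials and project names are assumptions constructed for illustration.

```python
import re

# Assumed rule text modelled on the commit message, not neutron's own files.
ADMIN = "role:admin"
PROJECT_MEMBER = "role:member and project_id:%(project_id)s"
ADMIN_OR_PROJECT_MEMBER = "(" + ADMIN + ") or (" + PROJECT_MEMBER + ")"

# "(" and ")" are grouping tokens, except inside a %(name)s substitution.
TOKEN = re.compile(r"\(|\)|(?:%\(\w+\)s|[^\s()])+")

def enforce(check, creds, target):
    """Evaluate a check string built from 'and', 'or' and parentheses."""
    toks, pos = TOKEN.findall(check), 0

    def atom():
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if tok == "(":
            val = disj()
            pos += 1  # consume the closing ")"
            return val
        kind, _, match = tok.partition(":")
        if kind == "role":
            return match in creds["roles"]
        # Generic check: credential attribute must equal the target's value.
        return creds.get(kind) == match % target

    def conj():
        nonlocal pos
        val = atom()
        while pos < len(toks) and toks[pos] == "and":
            pos += 1
            val = atom() and val
        return val

    def disj():
        nonlocal pos
        val = conj()
        while pos < len(toks) and toks[pos] == "or":
            pos += 1
            val = conj() or val
        return val

    return disj()

# Constructed sample data: tokens scoped to a project, and a group owned by tenant-a.
admin = {"roles": ["admin", "member", "reader"], "project_id": "admin-proj"}
member = {"roles": ["member", "reader"], "project_id": "tenant-a"}
sec_group = {"project_id": "tenant-a"}
```

The admin token holds the member role, but its own `project_id` never matches the other project's resource, so only the explicit ADMIN branch of the composite check lets it through.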

