Reviewed: https://review.opendev.org/c/openstack/neutron/+/882688
Committed:
https://opendev.org/openstack/neutron/commit/be0dc09d52efd5e7236a33be552edb6644371cd0
Submitter: "Zuul (22348)"
Branch: master
commit be0dc09d52efd5e7236a33be552edb6644371cd0
Author: Slawek Kaplonski <skapl...@redhat.com>
Date: Tue May 9 12:28:03 2023 +0200
[S-RBAC] Fix new policies for get QoS rules APIs
During transition to the new secure RBAC API policies, we made mistake
with policies for QoS rules by defining them to be available for
ADMIN_OR_PROJECT_READER. This can't be like that as QoS rules don't have
tenant_id attribute and belongs always to the owner of the QoS policy.
To fix that, this patch introduces new rules:
ADMIN_OR_PARENT_OWNER_READER
ADMIN_OR_PARENT_OWNER_MEMBER
and uses those in the QoS rules APIs.
Closes-Bug: #2018727
Change-Id: I522aeab5094b3f4854303d5e18f3abf6130fb33c
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2018727
Title:
[SRBAC] API policies for get_policy_*_rule are wrong
Status in neutron:
Fix Released
Bug description:
With new defaults policies for get QoS rules are set to
ADMIN_OR_PROJECT_READER but that's wrong as rules don't have owner.
Those API rules should be based on the parent owner (qos_policy)
always.
Those tests are skipped currently in our CI job neutron-tempest-
plugin-openvswitch-enforce-scope-new-defaults due to other bug
(https://bugs.launchpad.net/neutron/+bug/2018585).
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2018727/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
