Reviewed: https://review.opendev.org/c/openstack/neutron/+/884613
Committed: https://opendev.org/openstack/neutron/commit/61b358b6b5ac160c38af66b07454c26d6a93a0bd
Submitter: "Zuul (22348)"
Branch: master

commit 61b358b6b5ac160c38af66b07454c26d6a93a0bd
Author: Slawek Kaplonski <[email protected]>
Date: Mon May 29 14:28:46 2023 +0200

    [S-RBAC] Add API policies for get and activate port bindings

    There weren't policies for get port binding and activate port binding
    API calls defined at all. When we switched to new default policies and
    a regular user wanted to make a call to activate port binding, it was
    error 500 that we returned instead of a proper 4xx error.
    It was like that as the "get_port_binding" call which was done
    internally during the "activate" API request fell back to the default
    policy which is "admin_or_owner" and as the port binding resource
    doesn't have project_id, the owner couldn't be checked there.

    Now it has defined S-RBAC policies for those API calls and it is
    allowed for admin users only to solve that problem.

    This patch doesn't define old, deprecated policies for those API calls
    as it wasn't really needed there and we already switched to new
    policies by default now.

    Closes-Bug: #2013326
    Change-Id: Id281e4950dc5d7bac62dfa8175d82cb1f8d2e855

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/2013326

Title:
  Trying to activate port binding as regular user causes error 500

Status in neutron:
  Fix Released

Bug description:
  doing API request like:

  curl -g -i -X PUT -H "Accept: application/json" -H "User-Agent: openstacksdk/1.0.1 keystoneauth1/5.1.2 python-requests/2.28.2 CPython/3.10.6" -H "X-Auth-Token: $token" "http://10.120.0.40:9696/networking/v2.0/ports/e62c5fdf-265c-47d4-bf39-efce382b93bf/bindings/devstack-ubuntu-ovn/activate"

  will result in error 500 returned from Neutron:

  curl -g -i -X PUT -H "Accept: application/json" -H "User-Agent: openstacksdk/1.0.1 keystoneauth1/5.1.2 python-requests/2.28.2 CPython/3.10.6" -H "X-Auth-Token: $token" "http://10.120.0.40:9696/networking/v2.0/ports/e62c5fdf-265c-47d4-bf39-efce382b93bf/bindings/devstack-ubuntu-ovn/activate"
  HTTP/1.1 500 Internal Server Error
  Content-Type: application/json
  Content-Length: 212
  X-Openstack-Request-Id: req-f185fcde-ab73-4b27-97fc-a3f6fef18541
  Date: Thu, 30 Mar 2023 10:14:25 GMT

  {"NeutronError": {"type": "PolicyCheckError", "message": "Failed to check policy tenant_id:%(tenant_id)s because Unable to verify match:%(tenant_id)s as the parent resource: tenant was not found.", "detail": ""}}%

  Stacktrace in Neutron log:

  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: DEBUG neutron.policy [None req-f185fcde-ab73-4b27-97fc-a3f6fef18541 demo demo] Unable to find ':' as separator in tenant_id. {{(pid=235848) __call__ /opt/stack/neutron/neutron/policy.py:337}}
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.policy [None req-f185fcde-ab73-4b27-97fc-a3f6fef18541 demo demo] Unable to verify match:%(tenant_id)s as the parent resource: tenant was not found
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource [None req-f185fcde-ab73-4b27-97fc-a3f6fef18541 demo demo] activate failed: No details.: neutron_lib.exceptions.PolicyCheckError: Failed to check policy tenant_id:%(tenant_id)s because Unable to verify match:%(tenant_id)s as the parent resource: tenant was not found.
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource Traceback (most recent call last):
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/opt/stack/neutron/neutron/api/v2/resource.py", line 98, in resource
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     result = method(request=request, **args)
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/usr/local/lib/python3.10/dist-packages/neutron_lib/db/api.py", line 140, in wrapped
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     with excutils.save_and_reraise_exception():
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 227, in __exit__
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     self.force_reraise()
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 200, in force_reraise
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     raise self.value
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/usr/local/lib/python3.10/dist-packages/neutron_lib/db/api.py", line 138, in wrapped
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     return f(*args, **kwargs)
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/usr/local/lib/python3.10/dist-packages/oslo_db/api.py", line 144, in wrapper
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     with excutils.save_and_reraise_exception() as ectxt:
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 227, in __exit__
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     self.force_reraise()
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 200, in force_reraise
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     raise self.value
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/usr/local/lib/python3.10/dist-packages/oslo_db/api.py", line 142, in wrapper
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     return f(*args, **kwargs)
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/usr/local/lib/python3.10/dist-packages/neutron_lib/db/api.py", line 186, in wrapped
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     with excutils.save_and_reraise_exception():
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 227, in __exit__
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     self.force_reraise()
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/usr/local/lib/python3.10/dist-packages/oslo_utils/excutils.py", line 200, in force_reraise
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     raise self.value
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/usr/local/lib/python3.10/dist-packages/neutron_lib/db/api.py", line 184, in wrapped
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     return f(*dup_args, **dup_kwargs)
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/opt/stack/neutron/neutron/api/v2/base.py", line 234, in _handle_action
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     resource = self._item(request,
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/opt/stack/neutron/neutron/api/v2/base.py", line 358, in _item
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     policy.enforce(request.context,
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/opt/stack/neutron/neutron/policy.py", line 520, in enforce
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     result = _ENFORCER.enforce(rule, target, context, action=action,
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/usr/local/lib/python3.10/dist-packages/oslo_policy/policy.py", line 1049, in enforce
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     result = _checks._check(
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/usr/local/lib/python3.10/dist-packages/oslo_policy/_checks.py", line 80, in _check
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     return rule(*rule_args)
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/usr/local/lib/python3.10/dist-packages/oslo_policy/_checks.py", line 257, in __call__
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     return _check(
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/usr/local/lib/python3.10/dist-packages/oslo_policy/_checks.py", line 80, in _check
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     return rule(*rule_args)
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/usr/local/lib/python3.10/dist-packages/oslo_policy/_checks.py", line 257, in __call__
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     return _check(
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/usr/local/lib/python3.10/dist-packages/oslo_policy/_checks.py", line 80, in _check
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     return rule(*rule_args)
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/usr/local/lib/python3.10/dist-packages/oslo_policy/_checks.py", line 213, in __call__
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     if _check(rule, target, cred, enforcer, current_rule):
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/usr/local/lib/python3.10/dist-packages/oslo_policy/_checks.py", line 80, in _check
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     return rule(*rule_args)
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/usr/local/lib/python3.10/dist-packages/oslo_policy/_checks.py", line 257, in __call__
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     return _check(
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/usr/local/lib/python3.10/dist-packages/oslo_policy/_checks.py", line 80, in _check
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     return rule(*rule_args)
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource   File "/opt/stack/neutron/neutron/policy.py", line 361, in __call__
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource     raise exceptions.PolicyCheckError(
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource neutron_lib.exceptions.PolicyCheckError: Failed to check policy tenant_id:%(tenant_id)s because Unable to verify match:%(tenant_id)s as the parent resource: tenant was not found.
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: ERROR neutron.api.v2.resource
  Mar 30 12:14:25 devstack-ubuntu-ovn neutron-server[235848]: INFO neutron.wsgi [None req-f185fcde-ab73-4b27-97fc-a3f6fef18541 demo demo] 10.120.0.40 "PUT /networking/v2.0/ports/e62c5fdf-265c-47d4-bf39-efce382b93bf/bindings/devstack-ubuntu-ovn/activate HTTP/1.1" status: 500 len: 406 time: 0.4082420
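
The fallback described in the commit message, as an added example that is not part of the original notification and is not neutron or oslo.policy code: a simplified policy enforcer in which an action without a registered rule uses the default "admin_or_owner" rule, and the owner check cannot be evaluated on a target without project_id. The class and function names, the 403 status, the sample data and the action name "activate_port_binding" are assumptions made for illustration.

```python
# Simplified model of the policy fallback in this bug; not neutron or oslo.policy code.
class PolicyCheckError(Exception):
    """The rule could not be evaluated; the API layer turns this into HTTP 500."""

def is_admin(creds, target):
    return "admin" in creds["roles"]

def is_owner(creds, target):
    # The owner check needs a project id on the target resource.
    if "project_id" not in target:
        raise PolicyCheckError("project_id not found on target")
    return creds["project_id"] == target["project_id"]

def admin_or_owner(creds, target):
    return is_admin(creds, target) or is_owner(creds, target)

class Enforcer:
    def __init__(self, rules, default):
        self.rules, self.default = rules, default

    def enforce(self, action, target, creds):
        # An action with no registered rule silently uses the default rule.
        return self.rules.get(action, self.default)(creds, target)

def http_status(enforcer, action, target, creds):
    try:
        return 200 if enforcer.enforce(action, target, creds) else 403
    except PolicyCheckError:
        return 500  # unhandled policy error, as in the report

def unregistered(enforcer, api_actions):
    """Audit helper: API actions that would fall back to the default rule."""
    return [a for a in api_actions if a not in enforcer.rules]

# Constructed sample data. "activate_port_binding" is a hypothetical action name.
API_ACTIONS = ["get_port_binding", "activate_port_binding"]
PORT_BINDING = {"port_id": "constructed-port", "host": "constructed-host"}  # no project_id
USER = {"roles": ["member"], "project_id": "project-a"}
ADMIN = {"roles": ["admin"], "project_id": "project-b"}
BEFORE = Enforcer({}, default=admin_or_owner)
AFTER = Enforcer({a: is_admin for a in API_ACTIONS}, default=admin_or_owner)

if __name__ == "__main__":
    for name, enf in (("before", BEFORE), ("after", AFTER)):
        print(name, "user:", http_status(enf, "get_port_binding", PORT_BINDING, USER),
              "admin:", http_status(enf, "get_port_binding", PORT_BINDING, ADMIN),
              "unregistered:", unregistered(enf, API_ACTIONS))
```

The admin request succeeds in both configurations because the admin check short-circuits before the owner check runs, which is why a gap like this only shows up when the call is tested with a non-admin token.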

