Reviewed:  https://review.opendev.org/c/openstack/neutron/+/896509
Committed: https://opendev.org/openstack/neutron/commit/f9b91289a5c2948429e69e1b58098cec846fba99
Submitter: "Zuul (22348)"
Branch:    master

commit f9b91289a5c2948429e69e1b58098cec846fba99
Author: Rodolfo Alonso Hernandez
Date:   Tue Sep 26 08:03:19 2023 +0000

    Add policy enforcer for "tags" service plugin

    The following resources have been updated with new policies for
    tags:
    * Port
    * Subnet
    * Network
    * Router
    * FloatingIP
    * NetworkSegmentRange
    * NetworkSegment
    * SecurityGroup
    * Trunk
    * Subnetpool

    The admin can now enforce specific policies for the resource tags
    for the creation, update and deletion actions.

    NOTE: a follow-up patch, with a new Launchpad bug reference, will be
    created to move the ``Tagging`` class from ``ExtensionDescriptor`` to
    ``APIExtensionDescriptor``, and refactor the ``TaggingController`` to
    be a standard ``neutron.api.v2.base.Controller``. Any API resource
    using the second controller will use the path used by the wsgi hooks,
    in particular the policy hook. That will make unnecessary to manually
    call the ``policy.enforce`` method from the extension class methods.

    Closes-Bug: #2037002
    Change-Id: I9f3e032739824f268db74c5a1b4f04d353742dbd

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/2037002

Title:
  Reader can update object tag

Status in neutron:
  Fix Released

Bug description:
  Update of Neutron object tags ignores policies for this object update.
  So, reader user can update tags for all objects of his project.

  Reproduced on Devstack - Yoga. Newer releases up to master have no
  changes here, so also should be affected.

  Steps to reproduce:
  All operations in default alt_demo project, which has all needed users
  provisioned by default
  1. Create network object, i.e. floating ip using alt_demo user - as
     project admin
  2. Re-login as alt_demo_reader and try to update tags for this floating

  Tags are updated successfully, but reader user has no rights for
  floating update - "update_floatingip" policy enabled for at least
  member
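
The failure mode reported above, as an added example that is not Neutron code and not part of the original notification: a handler that sits outside the policy hook path applies only project scoping, so a reader can write tags until the handler calls the enforcer itself. The rule table, the class and function names and the "update_floatingip_tags" rule name are assumptions made for the illustration; only "update_floatingip" appears in the report.

```python
# Toy model of a tag handler that bypasses policy enforcement, next to the
# same handler with an explicit check. Not Neutron code; names are hypothetical.


class PolicyNotAuthorized(Exception):
    """Raised when the caller's role does not satisfy the rule."""


# Constructed rule table: action -> roles allowed to perform it.
RULES = {
    "update_floatingip": {"member", "admin"},
    # Hypothetical name for a per-resource tag policy of the kind the fix adds.
    "update_floatingip_tags": {"member", "admin"},
}


def enforce(context, action, target):
    """Raise unless the project matches and the role is allowed for action."""
    same_project = context["project_id"] == target["project_id"]
    if not (same_project and context["role"] in RULES[action]):
        raise PolicyNotAuthorized(action)


class UnfixedTagController:
    """Handler outside the policy hook path: only project scoping applies."""

    def __init__(self, db):
        self.db = db

    def update_all(self, context, fip_id, tags):
        fip = self.db[fip_id]
        if fip["project_id"] != context["project_id"]:
            raise KeyError(fip_id)  # resource is hidden from other projects
        fip["tags"] = sorted(set(tags))
        return fip["tags"]


class FixedTagController(UnfixedTagController):
    """Same handler, with a manual policy check before the write."""

    def update_all(self, context, fip_id, tags):
        enforce(context, "update_floatingip_tags", self.db[fip_id])
        return super().update_all(context, fip_id, tags)


def reader_can_retag(controller_cls):
    """Return True if a reader of the owning project can replace the tags."""
    db = {"fip-1": {"project_id": "alt_demo", "tags": []}}  # constructed data
    reader = {"project_id": "alt_demo", "role": "reader"}
    try:
        controller_cls(db).update_all(reader, "fip-1", ["set-by-reader"])
    except PolicyNotAuthorized:
        return False
    return db["fip-1"]["tags"] == ["set-by-reader"]
```

The same negative check (a reader-role request to change tags must be refused) is the one to keep as a regression test for every resource type listed in the commit message.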

