Reviewed: https://review.opendev.org/c/openstack/neutron/+/938135
Committed: https://opendev.org/openstack/neutron/commit/d2a3654e0184c6f8ba19e053fe0177ca2792f37b
Submitter: "Zuul (22348)"
Branch: master

commit d2a3654e0184c6f8ba19e053fe0177ca2792f37b
Author: Slawek Kaplonski <[email protected]>
Date: Fri Dec 20 16:14:30 2024 +0100

    Make API policies for tags to be working with resource attributes

    This patch changes API policies for tags added with [1] but as "target"
    to the policy.enforce() function there was only parent's id passed, not
    the whole parent dictionary. Because of that policies related to tags
    couldn't match on the parent's attributes, like e.g. network's "shared"
    attribute. This patch changes that so now the dict with all attributes
    used potentially by the API policies is passed as target to the
    policy.enforce()

    Additionally this patch changes names of the actions related to the tags
    in the API policy rules. Patch [1] introduced names like
    "<action>_<resource_plural_name>_tags", for example
    "update_networks_tags". This patch changes that to the pattern
    "<action>_<resource_singular>:tags", for example: "update_network:tags"
    as this is now consistent with all other actions and attributes in the
    API policies in Neutron APIs.

    Finally it also renames "parent" to the "obj" in the tagging extension
    to not treat resources like e.g. network or port, etc. as parent of the
    tag. Tag is more like attribute of that resource, not the child resource
    of it.

    [1] https://review.opendev.org/c/openstack/neutron/+/935883

    Closes-bug: #2091493
    Change-Id: I665ed178e4a2e01d7f94cac6b9d3b482c3ed17a8

** Changed in: neutron
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2091493

Title:
  Field check does not work for tagging policies

Status in neutron:
  Fix Released

Bug description:
  I use neutron 2023.2 and try to configure custom rule for policy:
  update_network_tags

  Default value is:
  update_network_tags: "rule:admin_only or role:member and project_id:%(project_id)s"

  I try to use fields check (for example prohibit updating tags for shared networks):
  update_network_tags: "rule:admin_only or (role:member and project_id:%(project_id)s and field:networks:shared=False)"

  However it leads to constant 403 Forbidden answer for user with role member.

  It looks like "target" dictionary has not enough information for specified resource:
  https://github.com/openstack/neutron/blob/master/neutron/extensions/tagging.py#L142

  Moreover the same issue (missed resource fields in "target") is relevant for other tagging policies, like subnet, port, router, floatingip.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2091493/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
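The failure mode the bug report describes can be reproduced without a Neutron deployment. The following is an added example, not code from Neutron or oslo.policy: a small evaluator for the subset of the policy rule language the report uses (`and`/`or`/parentheses, `rule:`, `role:`, `field:<resource>:<attr>=<value>` and `<key>:%(key)s`), run against the custom `update_network:tags` rule with two constructed enforcement targets. The target shapes (an id-only dict versus a dict carrying the network's `shared` attribute), the credential dicts, and the rule that a `field:` check on an attribute absent from the target evaluates to "no match" are assumptions made for illustration.

```python
"""
Simplified emulation of an oslo.policy-style rule evaluator (added example;
NOT Neutron's or oslo.policy's code). It shows why a field check such as
``field:networks:shared=False`` can never match when the enforcement target
carries only the resource id, which is what the bug report observes as a
constant 403 for members.
"""
import re

# Tokens: "(", ")", "and", "or", or a check such as "role:member" or
# "project_id:%(project_id)s" (the %(...)s group must not be split).
TOKEN_RE = re.compile(r"\(|\)|\band\b|\bor\b|(?:%\([^)]*\)|[^\s()])+")


def tokenize(rule):
    return TOKEN_RE.findall(rule)


class Evaluator:
    """Recursive-descent evaluator: or-expr := and-expr ('or' and-expr)*."""

    def __init__(self, rules):
        self.rules = rules  # rule name -> rule string

    def enforce(self, rule_name, target, creds):
        tokens = tokenize(self.rules[rule_name])
        result, pos = self._parse_or(tokens, 0, target, creds)
        if pos != len(tokens):
            raise ValueError("trailing tokens in rule %r" % rule_name)
        return result

    def _parse_or(self, tokens, pos, target, creds):
        left, pos = self._parse_and(tokens, pos, target, creds)
        while pos < len(tokens) and tokens[pos] == "or":
            right, pos = self._parse_and(tokens, pos + 1, target, creds)
            left = left or right
        return left, pos

    def _parse_and(self, tokens, pos, target, creds):
        left, pos = self._parse_atom(tokens, pos, target, creds)
        while pos < len(tokens) and tokens[pos] == "and":
            right, pos = self._parse_atom(tokens, pos + 1, target, creds)
            left = left and right
        return left, pos

    def _parse_atom(self, tokens, pos, target, creds):
        if tokens[pos] == "(":
            value, pos = self._parse_or(tokens, pos + 1, target, creds)
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("expected ')'")
            return value, pos + 1
        return self._check(tokens[pos], target, creds), pos + 1

    def _check(self, token, target, creds):
        kind, _, rest = token.partition(":")
        if kind == "rule":  # reference another named rule
            return self.enforce(rest, target, creds)
        if kind == "role":  # role must be present in the caller's credentials
            return rest in creds.get("roles", [])
        if kind == "field":  # field:<resource>:<attr>=<value>, read from target
            _resource, _, spec = rest.partition(":")
            attr, _, expected = spec.partition("=")
            if attr not in target:
                # Assumed behaviour: an attribute the target does not carry
                # cannot match. This is exactly the bug: the tagging extension
                # passed only the parent's id, so "shared" was never there.
                return False
            return str(target[attr]) == expected
        match = re.fullmatch(r"%\((\w+)\)s", rest)
        if match:  # generic check: creds[kind] == target[<key>]
            key = match.group(1)
            if key not in target:
                return False
            return str(creds.get(kind)) == str(target[key])
        raise ValueError("unsupported check %r" % token)


# Constructed policy file: the reporter's custom rule plus the admin rule it
# references. The action name follows the post-fix "<action>_<resource>:tags"
# pattern; the old "update_network_tags" name would evaluate identically.
RULES = {
    "admin_only": "role:admin",
    "update_network:tags": (
        "rule:admin_only or (role:member and project_id:%(project_id)s "
        "and field:networks:shared=False)"
    ),
}


def enforce_tag_update(target, creds):
    return Evaluator(RULES).enforce("update_network:tags", target, creds)


def demo():
    """Constructed credentials and targets; returns a dict of decisions."""
    member = {"roles": ["member"], "project_id": "proj-a"}
    admin = {"roles": ["admin"], "project_id": "proj-admin"}
    id_only = {"id": "net-1", "project_id": "proj-a"}  # pre-fix target shape (assumed)
    private_net = {"id": "net-1", "project_id": "proj-a", "shared": False}
    shared_net = {"id": "net-2", "project_id": "proj-a", "shared": True}
    return {
        "member_id_only": enforce_tag_update(id_only, member),        # False: the 403 from the report
        "member_private_net": enforce_tag_update(private_net, member),  # True: field check can match
        "member_shared_net": enforce_tag_update(shared_net, member),    # False: shared networks denied
        "admin_id_only": enforce_tag_update(id_only, admin),          # True: admin_only short-circuits nothing, just matches
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-20s %s" % (name, "allowed" if allowed else "403 Forbidden"))
```

The decisive difference is the target dictionary, not the rule: with only the id in the target the member is denied for every network, shared or not, while the same rule evaluated against a target that carries the network's attributes denies exactly the shared networks the reporter wanted to protect. When writing custom `field:` policies, the practical check is therefore whether the action's enforcement target actually includes the attribute being tested.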

