Reviewed:  https://review.opendev.org/c/openstack/neutron-lib/+/942064
Committed: https://opendev.org/openstack/neutron-lib/commit/bf21a6dcd48bdd15c28086f256319ac035b7fef0
Submitter: "Zuul (22348)"
Branch:    master

commit bf21a6dcd48bdd15c28086f256319ac035b7fef0
Author: Rodolfo Alonso Hernandez <[email protected]>
Date:   Tue Feb 18 06:43:19 2025 +0000

    Fix ``external-gateway-multihoming`` API extension definition

    The new field ``external-gateways`` added in the API extension
    ``external-gateway-multihoming`` didn't have the ``enforce_policy``
    flag defined and the validate parameters didn't provide the needed
    information to the Neutron policy to build a correct rule match.
    Now this field copies the ``ext-gw-mode`` extension validator used
    in the ``external_gateway_info`` field.

    The validator type ``list_of_dict_or_nodata`` is currently not
    recognized by the Neutron policy as an iterable validator [1]; this
    code must be changed in Neutron in order to accept this new defined
    validator that is not a dictionary but a list of dictionaries.

    [1]https://github.com/openstack/neutron/blob/86f94de99aa08b1b4aadca8e90c6e79487171b8e/neutron/policy.py#L142

    Closes-Bug: #2098109
    Change-Id: I592f7ff0673c15276e9da0054fd38f7ad96f795a

** Changed in: neutron
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2098109

Title:
  Regular user can modify router SNAT flag

Status in neutron:
  Fix Released
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  The Neutron policy 'update_router:external_gateway_info:enable_snat'
  is, by default, available for an admin user only. However this command
  is succeeding with a regular user.

  How to reproduce it in a devstack deployment (no additional policies
  configured, using the default ones):

    $ . /opt/stack/devstack/openrc demo demo
    $ openstack router create r1
    $ openstack router set --external-gateway public r1
    $ openstack router set --disable-snat --external-gateway public r1

  This last command should fail for "demo" user.
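Added example (not part of the original notification, and not Neutron or neutron-lib code): a simplified Python model of how per-attribute policy rules are derived from an API definition, showing the two gaps the commit message names. The attribute maps and request bodies are constructed samples, ``external_gateways`` is the commit's ``external-gateways`` field written as a dictionary key, and ``derived_rules`` with its ``list_aware`` switch is a hypothetical helper.

```python
# Simplified model of attribute-level policy rule derivation.
# Assumption: not Neutron's policy.py. All maps and requests are constructed.

SUBATTRS = {"network_id": {}, "enable_snat": {}}

# Field defined without the enforce_policy flag.
BEFORE = {"external_gateways": {
    "validate": {"type:list_of_dict_or_nodata": SUBATTRS}}}
# Field with the flag set and a validator that names its sub-attributes.
AFTER = {"external_gateways": {
    "enforce_policy": True,
    "validate": {"type:list_of_dict_or_nodata": SUBATTRS}}}
# Single-dictionary field, for comparison.
GW_INFO = {"external_gateway_info": {
    "enforce_policy": True,
    "validate": {"type:dict_or_nodata": SUBATTRS}}}

LIST_REQUEST = {"external_gateways": [
    {"network_id": "net-1", "enable_snat": False}]}
DICT_REQUEST = {"external_gateway_info":
                {"network_id": "net-1", "enable_snat": False}}


def derived_rules(action, attr_map, body, list_aware=False):
    """Return the policy rule names this model evaluates for a request body."""
    rules = [action]
    for name, value in body.items():
        spec = attr_map.get(name, {})
        if not spec.get("enforce_policy"):
            continue  # no flag: the attribute contributes no rule at all
        rules.append(f"{action}:{name}")
        for vtype, subspec in spec.get("validate", {}).items():
            if vtype.startswith("type:dict") and isinstance(value, dict):
                items = [value]
            elif (list_aware and vtype.startswith("type:list_of_dict")
                  and isinstance(value, list)):
                items = value  # one dictionary per gateway
            else:
                continue  # validator not treated as iterable: no sub-rules
            for item in items:
                for sub in item:
                    rule = f"{action}:{name}:{sub}"
                    if sub in subspec and rule not in rules:
                        rules.append(rule)
    return rules


if __name__ == "__main__":
    for label, amap, aware in (("before", BEFORE, False),
                               ("flag only", AFTER, False),
                               ("flag + list-aware", AFTER, True)):
        print(label, derived_rules("update_router", amap, LIST_REQUEST, aware))
```

In this model the ``enable_snat`` sub-attribute is only checked once the field carries ``enforce_policy`` and the rule builder also walks list-of-dictionary validators, which is why the commit message calls for a matching change in Neutron.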

