Reviewed: https://review.opendev.org/c/openstack/neutron/+/944022 Committed: https://opendev.org/openstack/neutron/commit/dfea81a4bf6aa62f56d101f8a0cb168a02338d5c Submitter: "Zuul (22348)" Branch: master
commit dfea81a4bf6aa62f56d101f8a0cb168a02338d5c Author: Slawek Kaplonski <[email protected]> Date: Tue Mar 11 11:48:57 2025 +0100 [S-RBAC] Fix policies for the SG rules API This patch fixes default policies for the Security Group Rules API so that user of the project who isn't owner of the SG but only sees it as shared one, can't now create or delete rules in such SG. Additionally this patch lowers numer of retries when parent object's id is looked up in the DB by the OwnerCheck policy rule to just one. If it will fail twice with NotFound exception, then there is no need to repeat it more times. Closes-bug: #2101150 Change-Id: I23722d0ffabce0034548a5fa919980d02bacd91a ** Changed in: neutron Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron. https://bugs.launchpad.net/bugs/2101150 Title: User who is not owner of the SG can create/delete rules in the shared SG Status in neutron: Fix Released Bug description: If the SG is shared with other project using RBAC mechanism in Neutron, users from the target project can see and use such SG but can't modify it by default as by default modifying SGs is only allowed for admin and owner of the SG: https://github.com/openstack/neutron/blob/5c22bcca010e5bef285362bbca465b548c7ecd14/neutron/conf/policies/security_group.py#L153 But such user who just see SG as shared with them can still create or delete SG rules in such SG because for the SG rules there are other API policies and those don't check owner of the SG: https://github.com/openstack/neutron/blob/5c22bcca010e5bef285362bbca465b548c7ecd14/neutron/conf/policies/security_group.py#L214 Creating SG rule is like modifcation of the SG really thus IMO it should by default mimic API policies for the SGs and creation/deletion of the SG rules in such case should be allowed only for admin and owner of the SG. To do that we should change our default API policies for "create_security_group_rule" and "delete_security_group_rule" to "rule:admin_or_sg_owner" To manage notifications about this bug go to: https://bugs.launchpad.net/neutron/+bug/2101150/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
