Reviewed:  https://review.opendev.org/c/openstack/neutron/+/962919
Committed: https://opendev.org/openstack/neutron/commit/0edbfe26d01ad0dfe1a3875527ac1f8c2f47f56f
Submitter: "Zuul (22348)"
Branch:    master

commit 0edbfe26d01ad0dfe1a3875527ac1f8c2f47f56f
Author: Slawek Kaplonski <[email protected]>
Date:   Fri Oct 3 12:51:59 2025 +0200

    [S-RBAC] Fix policies for l3_conntrack_helpers

    Policies for those API actions should not rely on the
    "PROJECT_READER" or "PROJECT_MEMBER" rules as this resource doesn't
    have a project_id attribute and instead belongs to the project of the
    parent resource (which is l3_router).

    This patch updates those rules to:

        base.ADMIN_OR_PARENT_OWNER_MEMBER
        base.ADMIN_OR_PARENT_OWNER_READER

    Closes-bug: #2126759
    Change-Id: Id67346262a3dbe4717273073b5f8c6a385d2180d
    Signed-off-by: Slawek Kaplonski <[email protected]>

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/2126759

Title:
  [S-RBAC] Policies for l3_conntrack_helpers don't work as expected

Status in neutron:
  Fix Released

Bug description:
  Those policies are written as:

      neutron_policy.policy_or(base.ADMIN_OR_PROJECT_MEMBER, base.PARENT_OWNER_MEMBER)

  and

      neutron_policy.policy_or(base.ADMIN_OR_PROJECT_READER, base.PARENT_OWNER_MEMBER)

  which is wrong because l3_conntrack_helpers don't have project_id and
  in such a case "OR_PROJECT_{MEMBER|READER}" fails.

  It should be only something like:

      base.ADMIN_OR_PARENT_OWNER_MEMBER
      base.ADMIN_OR_PARENT_OWNER_READER

