Description of problem:

When trying to update a port's security groups as a non-admin user, we are denied via Neutron policy:

openstack_dashboard.dashboards.project.networks.ports.workflows Failed to update port 4df563ce-5464-4f7d-8aaf-c5496cdaefda: ((rule:update_port and rule:update_port:binding:vnic_type) and rule:update_port:port_security_enabled) is disallowed by policy

This is because we include "port_security_enabled": true in our API request to Neutron, even though this field isn't actually changing.

Horizon API call to Neutron:

2022-09-15 00:02:46,820 33 DEBUG neutronclient.client REQ: b'curl -i https://openstack.bne-home.net:13696/v2.0/ports/4df563ce-5464-4f7d-8aaf-c5496cdaefda -X PUT -H "X-Auth-Token: {SHA256}52f077cf0115286c45f1e212cbec4ecdfc56ae41704c869aeb35cea41fdbfde1" -H "User-Agent: python-neutronclient" -d \'{"port": {"name": "", "admin_state_up": true, "port_security_enabled": true, "security_groups": [], "binding:vnic_type": "normal"}}\''

Version-Release number of selected component (if applicable):

python3-django-horizon-16.2.3-2.20220404205507.3153a5b.el8ost
https://access.redhat.com/downloads/content/rhel---8/x86_64/11412/python3-django-horizon/16.2.3-2.20220404205507.3153a5b.el8ost/noarch/fd431d51/package

How reproducible:

Fairly easily, steps are outlined below.

Steps to Reproduce:

1. Create a new non-admin user:

   ❯ openstack user create --project bne-home --password-prompt test
   ❯ openstack role add --project bne-home --user test member

2. Add the user to clouds.yaml:

   bne-home-test:
     auth:
       auth_url: https://openstack.bne-home.net:13000
       password: "test"
       project_domain_name: Default
       project_name: bne-home
       user_domain_name: Default
       username: test
     cacert: ~/.certs/overcloud-cacert.pem
     identity_api_version: '3'
     region_name: regionOne
     volume_api_version: '3'

3. Try to add/remove a security group from the port using the openstackcli:

   ❯ openstack server show test-lb-net -c security_groups -c addresses -f yaml
   addresses:
     lb-mgmt-net:
     - 172.24.0.90
     vlan4-infra:
     - 172.20.13.175
   security_groups:
   - name: management-bne

   ❯ openstack port show 4df563ce-5464-4f7d-8aaf-c5496cdaefda -c fixed_ips -c port_security_enabled -c security_group_ids -f yaml
   fixed_ips:
   - ip_address: 172.20.13.175
     subnet_id: 71aad09a-3e7b-4399-97bf-075f066f6713
   port_security_enabled: true
   security_group_ids:
   - a3ae6e20-67df-4a72-9d5b-cc21ad87464f

   ❯ openstack port unset --security-group a3ae6e20-67df-4a72-9d5b-cc21ad87464f 4df563ce-5464-4f7d-8aaf-c5496cdaefda

   ❯ openstack port show 4df563ce-5464-4f7d-8aaf-c5496cdaefda -c fixed_ips -c port_security_enabled -c security_group_ids -f yaml
   fixed_ips:
   - ip_address: 172.20.13.175
     subnet_id: 71aad09a-3e7b-4399-97bf-075f066f6713
   port_security_enabled: true
   security_group_ids: []

4. We can see this works. Let's try the same from Horizon. We need to log in, select Instances > Interfaces > "Edit Security Groups".

Actual results:

This will deny the request. The error from Horizon is:

2022-09-14 22:23:13,612 65 INFO openstack_dashboard.dashboards.project.networks.ports.workflows Failed to update port 4df563ce-5464-4f7d-8aaf-c5496cdaefda: ((rule:update_port and rule:update_port:binding:vnic_type) and rule:update_port:port_security_enabled) is disallowed by policy

Expected results:

We should be allowed to modify security groups, since that action is allowed by Neutron policy.

Additional info:

Upstream bug with additional information and logs: https://bugs.launchpad.net/horizon/+bug/1989627
Upstream patch to resolve the issue: https://review.opendev.org/c/openstack/horizon/+/859159
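The root cause above is a PUT body that repeats attributes which are not changing, so Neutron evaluates the per-attribute policy rules (here update_port:port_security_enabled) against a member user. The following added example (not Horizon's or Neutron's code) generalises the fix: it diffs the requested parameters against the port as read back from the API and sends only the attributes that actually differ. The sample port and request body are constructed from the values quoted in this report.

```python
"""Build a minimal Neutron port PUT body by dropping attributes whose
requested value already matches the port, so policy rules for fields that
are not really changing are never exercised. Added example, not Horizon code."""

# Constructed sample: the port from the report as `openstack port show` reports
# it, reduced to the attributes Horizon's Edit Security Groups form sends.
EXISTING_PORT = {
    "id": "4df563ce-5464-4f7d-8aaf-c5496cdaefda",
    "name": "",
    "admin_state_up": True,
    "port_security_enabled": True,
    "security_groups": ["a3ae6e20-67df-4a72-9d5b-cc21ad87464f"],
    "binding:vnic_type": "normal",
}

# Constructed: the body Horizon sent in the failing request (see the curl above).
HORIZON_PARAMS = {
    "name": "",
    "admin_state_up": True,
    "port_security_enabled": True,
    "security_groups": [],
    "binding:vnic_type": "normal",
}


def _normalize(value):
    # The order of security group ids is not significant; compare sorted copies.
    if isinstance(value, list):
        return sorted(value)
    return value


def minimal_port_update(existing, params):
    """Return only the attributes of ``params`` that differ from ``existing``.

    A key the existing port does not carry at all is kept: we cannot prove it
    is unchanged, so Neutron's own validation gets to decide.
    """
    changed = {}
    for key, new in params.items():
        if key in existing and _normalize(existing[key]) == _normalize(new):
            continue
        changed[key] = new
    return changed


def build_put_body(existing, params):
    """Wrap the diff in the {"port": {...}} envelope Neutron's PUT expects."""
    return {"port": minimal_port_update(existing, params)}
```

For the request in this report the body shrinks to {"port": {"security_groups": []}}, which is exactly the change the CLI's port unset makes.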
*** This bug has been marked as a duplicate of bug 1670572 ***
Hey Radomir,

Just providing some clarification on this BZ about why it was closed as a duplicate.

So the fix linked on this bugzilla: https://review.opendev.org/859159 was merged into downstream RHOSP16.2 repos as part of changes linked to the other BZ.

Checking the Fixed In Version linked to this BZ: python-django-horizon-16.2.3-2.20220926144724.d3d3d18.el8osttrunk

I can see that it does indeed contain the fix:

[fedora@fedora-work Downloads]$ tail -n23 0014-Don-t-try-and-update-port-security-if-its-not-changi.patch
diff --git a/openstack_dashboard/dashboards/project/networks/ports/workflows.py b/openstack_dashboard/dashboards/project/networks/ports/workflows.py
index fe9175d..ca1e04c 100644
--- a/openstack_dashboard/dashboards/project/networks/ports/workflows.py
+++ b/openstack_dashboard/dashboards/project/networks/ports/workflows.py
@@ -406,10 +406,18 @@ class UpdatePort(workflows.Workflow):
         name = self.context['name'] or self.context['port_id']
         return message % name
 
+    def _port_security_unchanged(self, request, port_id, params):
+        new = params.get('port_security_enabled')
+        port = api.neutron.port_get(request, port_id)
+        existing = port.get('port_security_enabled')
+        return existing == new
+
     def handle(self, request, data):
         port_id = self.context['port_id']
         LOG.debug('params = %s', data)
         params = self._construct_parameters(data)
+        if self._port_security_unchanged(request, port_id, params):
+            params.pop('port_security_enabled')
         try:
             api.neutron.port_update(request, port_id, **params)
             return True

So for customers looking for this fix, it will be available in an upcoming z-stream of 16.2. While I can't talk about exact release dates publicly, I can say that it appears this has merged in time to be shipped with z4, which will be the next z-stream release.
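Review bot: `params.pop('port_security_enabled')` in the `handle` part of the hunk can raise KeyError: `_port_security_unchanged` compares `params.get('port_security_enabled')` (None when the key is absent) with `port.get('port_security_enabled')`, so when both are None it returns True and the pop then hits a missing key; use `params.pop('port_security_enabled', None)` or check `'port_security_enabled' in params` before comparing. Two smaller points: the helper adds a `port_get` round trip to every port update, and the failing request in the description still carries an unchanged `binding:vnic_type`, which the quoted policy chain (`rule:update_port:binding:vnic_type`) also evaluates, while the hunk only strips port security.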
Sorry, I should have probably marked it as related, not duplicate, since it's a different version.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Low: Red Hat OpenStack Platform 16.2.4 (python-django-horizon) security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:8856