Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 2129483

Summary: Unable to update port as member user from Horizon
Product: Red Hat OpenStack Reporter: Brendan Shephard <bshephar>
Component: python-django-horizonAssignee: Radomir Dopieralski <rdopiera>
Status: CLOSED ERRATA QA Contact: ikanias
Severity: medium Docs Contact:
Priority: medium    
Version: 16.2 (Train)CC: rdopiera
Target Milestone: ---Keywords: Reopened, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: python-django-horizon-16.2.3-2.20220926144724.d3d3d18.el8ost Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-07 19:27:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1670572    
Bug Blocks:    

Description Brendan Shephard 2022-09-24 00:35:59 UTC 
Description of problem:
When trying to update a ports security groups as a non-admin user, we are denied via Neutron policy:
openstack_dashboard.dashboards.project.networks.ports.workflows Failed to update port 4df563ce-5464-4f7d-8aaf-c5496cdaefda: ((rule:update_port and rule:update_port:binding:vnic_type) and rule:update_port:port_security_enabled) is disallowed by policy

This is because we include "port_security_enabled": true in our API request to Neutron, even though this field isn't actually changing:

Horizon API call to Neutron:2022-09-15 00:02:46,820 33 DEBUG neutronclient.client REQ: b'curl -i https://openstack.bne-home.net:13696/v2.0/ports/4df563ce-5464-4f7d-8aaf-c5496cdaefda -X PUT -H "X-Auth-Token: {SHA256}52f077cf0115286c45f1e212cbec4ecdfc56ae41704c869aeb35cea41fdbfde1" -H "User-Agent: python-neutronclient" -d \'{"port": {"name": "", "admin_state_up": true, "port_security_enabled": true, "security_groups": [], "binding:vnic_type": "normal"}}\''



Version-Release number of selected component (if applicable):
python3-django-horizon-16.2.3-2.20220404205507.3153a5b.el8ost
https://access.redhat.com/downloads/content/rhel---8/x86_64/11412/python3-django-horizon/16.2.3-2.20220404205507.3153a5b.el8ost/noarch/fd431d51/package

How reproducible:
Fairly easily, steps are outlined below

Steps to Reproduce:
1. Create a new non-admin user:
❯ openstack user create --project bne-home --password-prompt test
❯ openstack role add --project bne-home --user test member

2. Add user to clouds.yaml
  bne-home-test:
    auth:
      auth_url: https://openstack.bne-home.net:13000
      password: "test"
      project_domain_name: Default
      project_name: bne-home
      user_domain_name: Default
      username: test
    cacert: ~/.certs/overcloud-cacert.pem
    identity_api_version: '3'
    region_name: regionOne
    volume_api_version: '3'

3. Try to add/remove security group from port using the openstackcli:
❯ openstack server show test-lb-net -c security_groups -c addresses -f yaml
addresses:
  lb-mgmt-net:
  - 172.24.0.90
  vlan4-infra:
  - 172.20.13.175
security_groups:
- name: management-bne

❯ openstack port show 4df563ce-5464-4f7d-8aaf-c5496cdaefda -c fixed_ips -c port_security_enabled -c security_group_ids -f yaml
fixed_ips:
- ip_address: 172.20.13.175
  subnet_id: 71aad09a-3e7b-4399-97bf-075f066f6713
port_security_enabled: true
security_group_ids:
- a3ae6e20-67df-4a72-9d5b-cc21ad87464f

❯ openstack port unset --security-group a3ae6e20-67df-4a72-9d5b-cc21ad87464f 4df563ce-5464-4f7d-8aaf-c5496cdaefda
❯ openstack port show 4df563ce-5464-4f7d-8aaf-c5496cdaefda -c fixed_ips -c port_security_enabled -c security_group_ids -f yaml
fixed_ips:
- ip_address: 172.20.13.175
  subnet_id: 71aad09a-3e7b-4399-97bf-075f066f6713
port_security_enabled: true
security_group_ids: []

4. We can see this works. Let's try the same from Horizon. We need to login, select Instances > Interfaces > "Edit Security Groups"


Actual results:
This will deny the request. The error from Horizon is:
2022-09-14 22:23:13,612 65 INFO openstack_dashboard.dashboards.project.networks.ports.workflows Failed to update port 4df563ce-5464-4f7d-8aaf-c5496cdaefda: ((rule:update_port and rule:update_port:binding:vnic_type) and rule:update_port:port_security_enabled) is disallowed by policy

Expected results:
We should be allowed to modify security groups, since that action is allowed by Neutron policy.

Additional info:
Upstream bug with additional information and logs:
https://bugs.launchpad.net/horizon/+bug/1989627

Upstream patch to resolve the issue:
https://review.opendev.org/c/openstack/horizon/+/859159
Comment 1 Radomir Dopieralski 2022-09-26 11:35:58 UTC 

*** This bug has been marked as a duplicate of bug 1670572 ***
Comment 2 Brendan Shephard 2022-09-28 00:58:08 UTC 
Hey Radomir,

Just providing some clarification on this BZ about why it was closed as a duplicate.


So the fix linked on this bugzilla:
https://review.opendev.org/859159

was merged into downstream RHOSP16.2 repos as part of changes linked to the other BZ. Checking the Fixed In Version linked to this BZ:
python-django-horizon-16.2.3-2.20220926144724.d3d3d18.el8osttrunk

I can see that it does indeed contain the fix:
[fedora@fedora-work Downloads]$ tail -n23 0014-Don-t-try-and-update-port-security-if-its-not-changi.patch
diff --git a/openstack_dashboard/dashboards/project/networks/ports/workflows.py b/openstack_dashboard/dashboards/project/networks/ports/workflows.py
index fe9175d..ca1e04c 100644
--- a/openstack_dashboard/dashboards/project/networks/ports/workflows.py
+++ b/openstack_dashboard/dashboards/project/networks/ports/workflows.py
@@ -406,10 +406,18 @@ class UpdatePort(workflows.Workflow):
         name = self.context['name'] or self.context['port_id']
         return message % name

+    def _port_security_unchanged(self, request, port_id, params):
+        new = params.get('port_security_enabled')
+        port = api.neutron.port_get(request, port_id)
+        existing = port.get('port_security_enabled')
+        return existing == new
+
     def handle(self, request, data):
         port_id = self.context['port_id']
         LOG.debug('params = %s', data)
         params = self._construct_parameters(data)
+        if self._port_security_unchanged(request, port_id, params):
+            params.pop('port_security_enabled')
         try:
             api.neutron.port_update(request, port_id, **params)
             return True


So for customers looking for this fix, it will be available in an upcoming z-stream of 16.2. While I can't talk about exact release dates publicly, I can say that it appears this has merged in time to be shipped with z4 which will be the next z-stream release.
Comment 3 Radomir Dopieralski 2022-09-28 14:42:28 UTC 
Sorry, I should have probably marked it as related, not duplicate, since it's a different version.
Comment 18 errata-xmlrpc 2022-12-07 19:27:28 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: Red Hat OpenStack Platform 16.2.4 (python-django-horizon) security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:8856