2196291 – [Neutron][SRBAC] API policies for get_policy_*_rule are wrong

Bug 2196291 - [Neutron][SRBAC] API policies for get_policy_*_rule are wrong

Summary: [Neutron][SRBAC] API policies for get_policy_*_rule are wrong

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	python-neutron-lib
Sub Component:
Version:	17.1 (Wallaby)
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	z2
Target Release:	17.1
Assignee:	Slawek Kaplonski
QA Contact:	Candido Campos
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-05-08 16:00 UTC by Candido Campos
Modified:	2024-01-16 17:44 UTC (History)
CC List:	15 users (show)
Fixed In Version:	python-neutron-lib-2.10.2-1.20230510080958.el9ost openstack-tripleo-heat-templates-14.3.1-1.20230519151024.el9ost python-neutron-tests-tempest-2.1.0-17.1.20230906160844.021ce91.el9ost
Doc Type:	Bug Fix
Doc Text:	This update fixes a bug that prevented non-admin users from listing or managing policy rules. Now you can allow non-admin users to list or manage policy rules.
Clone Of:
Environment:
Last Closed:	2024-01-16 14:32:15 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
OpenStack gerrit	882817	None	MERGED	Update Neutron's QoS Secure RBAC policies	2023-05-24 14:19:31 UTC
OpenStack gerrit	884322	None	MERGED	[S-RBAC] Use ext_parent_owner rule in the Neutron QoS API policies	2023-06-23 15:56:48 UTC
Red Hat Issue Tracker	OSP-24845	None	None	None	2023-05-08 16:01:17 UTC
Red Hat Product Errata	RHBA-2024:0209	None	None	None	2024-01-16 14:32:17 UTC

Description Candido Campos 2023-05-08 16:00:43 UTC

With new defaults policies for get QoS rules are set to ADMIN_OR_PROJECT_READER but that's wrong as rules don't have owner. Those API rules should be based on the parent owner (qos_policy) always.

Those tests are skipped currently in our CI job neutron-tempest-plugin-openvswitch-enforce-scope-new-defaults due to other bug 

 https://bugzilla.redhat.com/show_bug.cgi?id=2193344    
Bug 2193344 - [Neutron][SRBAC]New policies change the behavior for check rule type

Comment 1 Slawek Kaplonski 2023-05-10 08:49:52 UTC

neutron-lib's fix is available in python-neutron-lib-2.10.2-1.20230510080957.6bbae46.el9osttrunk

Comment 23 Lon Hohberger 2023-08-16 10:34:51 UTC

According to our records, this should be resolved by python-neutron-lib-2.10.2-1.20230510080958.el9ost.  This build is available now.

Comment 53 errata-xmlrpc 2024-01-16 14:32:15 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 17.1.2 bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2024:0209

Note You need to log in before you can comment on or make changes to this bug.