Bug 2196291 - [Neutron][SRBAC] API policies for get_policy_*_rule are wrong [NEEDINFO]
Keywords:
Status: MODIFIED
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-neutron-lib
Version: 17.1 (Wallaby)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: z1
Target Release: 17.1
Assignee: Slawek Kaplonski
QA Contact: Candido Campos
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-05-08 16:00 UTC by Candido Campos
Modified: 2023-08-16 14:54 UTC

Fixed In Version: openstack-tripleo-heat-templates-14.3.1-1.20230527001002.06e39a0.el9osttrunk python-neutron-lib-2.10.2-1.20230510080958.el9ost python-neutron-tests-tempest-2.1.0-17.1.20230621150830.021ce91.el9osttrunk
Doc Type: Known Issue
Doc Text:
Currently, custom SRBAC rules do not permit non-admin users to list policy rules. As a consequence, non-admin users cannot list or manage these rules. Current workarounds are either to disable SRBAC or to modify the custom SRBAC rule to permit this action.
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:
jelynch: needinfo? (skaplons)


Links
System | ID | Private | Priority | Status | Summary | Last Updated
OpenStack gerrit | 882817 | 0 | None | MERGED | Update Neutron's QoS Secure RBAC policies | 2023-05-24 14:19:31 UTC
OpenStack gerrit | 884322 | 0 | None | MERGED | [S-RBAC] Use ext_parent_owner rule in the Neutron QoS API policies | 2023-06-23 15:56:48 UTC
Red Hat Issue Tracker | OSP-24845 | 0 | None | None | None | 2023-05-08 16:01:17 UTC

Description Candido Campos 2023-05-08 16:00:43 UTC
With the new defaults, policies for getting QoS rules are set to ADMIN_OR_PROJECT_READER, but that's wrong as rules don't have an owner. Those API rules should always be based on the parent owner (qos_policy).

Those tests are currently skipped in our CI job neutron-tempest-plugin-openvswitch-enforce-scope-new-defaults due to another bug:

https://bugzilla.redhat.com/show_bug.cgi?id=2193344
Bug 2193344 - [Neutron][SRBAC]New policies change the behavior for check rule type
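
The difference between the two checks described above, as a simplified model added here for illustration (not Neutron, neutron-lib or oslo.policy code). The target key `ext_parent:project_id`, the helper names, and the sample policy, rule and users are assumptions constructed for this example.

```python
# Simplified model of the two policy checks; this is not oslo.policy or Neutron code.

def _reader_in_project(creds, target, key):
    # A missing target attribute can never match, so the check fails closed.
    return ("reader" in creds["roles"]
            and key in target
            and target[key] == creds["project_id"])

def admin_or_project_reader(creds, target):
    """Model of ADMIN_OR_PROJECT_READER: matches on the resource's own project_id."""
    return "admin" in creds["roles"] or _reader_in_project(creds, target, "project_id")

def admin_or_parent_owner_reader(creds, target):
    """Model of a parent-owner check: matches on the owning qos_policy's project."""
    return "admin" in creds["roles"] or _reader_in_project(
        creds, target, "ext_parent:project_id")

def rule_target(rule, parent_policy):
    """Build the check target for a QoS rule, adding the parent policy's owner."""
    target = dict(rule)
    target["ext_parent:project_id"] = parent_policy["project_id"]  # assumed key name
    return target

# Constructed sample data
QOS_POLICY = {"id": "policy-1", "project_id": "proj-a"}
BW_RULE = {"id": "rule-1", "max_kbps": 1000}  # no project_id of its own
USERS = {
    "owner_reader": {"roles": ["reader"], "project_id": "proj-a"},
    "other_reader": {"roles": ["reader"], "project_id": "proj-b"},
    "admin": {"roles": ["admin"], "project_id": "proj-admin"},
}

def evaluate():
    """Return {user: (own_project_check, parent_owner_check)} for the sample rule."""
    target = rule_target(BW_RULE, QOS_POLICY)
    return {name: (admin_or_project_reader(creds, target),
                   admin_or_parent_owner_reader(creds, target))
            for name, creds in USERS.items()}

if __name__ == "__main__":
    for name, (own, parent) in evaluate().items():
        print(f"{name:13} own-project={own!s:5} parent-owner={parent}")
```

In this model the reader who owns the parent policy is denied by the own-project check because the rule carries no `project_id`, while the parent-owner check admits that reader and still denies a reader from another project.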

Comment 1 Slawek Kaplonski 2023-05-10 08:49:52 UTC
neutron-lib's fix is available in python-neutron-lib-2.10.2-1.20230510080957.6bbae46.el9osttrunk

Comment 23 Lon Hohberger 2023-08-16 10:34:51 UTC
According to our records, this should be resolved by python-neutron-lib-2.10.2-1.20230510080958.el9ost.  This build is available now.