Bug 2210030 - [NEUTRON][SRBAC]Custom policies don't work properly with shared security groups
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 17.1 (Wallaby)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Slawek Kaplonski
QA Contact: Candido Campos
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-05-25 14:07 UTC by Candido Campos
Modified: 2023-08-21 07:22 UTC

Fixed In Version: python-neutron-lib-2.10.2-1.20230510080958.el9ost openstack-neutron-18.6.1-1.20230518200969.el9ost
Doc Type: Known Issue
Doc Text:
There is currently a known issue where custom SRBAC rules do not permit non-administrative users that are not rule owners to list shared security groups. As a result, non-administrative users that are not rule owners cannot properly manage shared security groups and rules. Workaround: Disable custom SRBAC rules or modify the custom rules to permit any user to manage the rules.
Clone Of:
Environment:
Last Closed: 2023-08-16 01:15:24 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
OpenStack gerrit | 811242 | 0 | None | MERGED | Add shared field to SG API response and filter | 2023-06-05 16:40:48 UTC
OpenStack gerrit | 812617 | 0 | None | MERGED | Add API extension "security-groups-shared-filtering" | 2023-06-05 16:40:47 UTC
Red Hat Issue Tracker | OSP-25387 | 0 | None | None | None | 2023-05-25 14:10:58 UTC
Red Hat Product Errata | RHEA-2023:4577 | 0 | None | None | None | 2023-08-16 01:15:46 UTC

Description Candido Campos 2023-05-25 14:07:50 UTC
Description of problem:


neutron_tempest_plugin.api.test_security_groups.RbacSharedSecurityGroupTest.test_regular_client_shares_to_another_regular_client[id-2a81795c-2a35-11e9-9d86-acde48001122]
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Captured traceback:
~~~~~~~~~~~~~~~~~~~
    Traceback (most recent call last):
      File "/usr/lib/python3.9/site-packages/neutron_tempest_plugin/api/test_security_groups.py", line 529, in test_regular_client_shares_to_another_regular_client
        self.client.show_security_group(sg['id'])
      File "/usr/lib/python3.9/site-packages/neutron_tempest_plugin/services/network/json/network_client.py", line 133, in _show
        resp, body = self.get(uri)
      File "/usr/lib/python3.9/site-packages/tempest/lib/common/rest_client.py", line 314, in get
        return self.request('GET', url, extra_headers, headers)
      File "/usr/lib/python3.9/site-packages/tempest/lib/common/rest_client.py", line 720, in request
        self._error_checker(resp, resp_body)
      File "/usr/lib/python3.9/site-packages/tempest/lib/common/rest_client.py", line 826, in _error_checker
        raise exceptions.NotFound(resp_body, resp=resp)
    tempest.lib.exceptions.NotFound: Object not found
    Details: {'type': 'HTTPNotFound', 'message': 'The resource could not be found.', 'detail': ''}


Captured pythonlogging:


Related to:

https://bugs.launchpad.net/neutron/+bug/1942615

https://review.opendev.org/c/openstack/neutron/+/811242

Comment 12 James E. LaBarre 2023-07-31 14:38:08 UTC
We have other failures currently; the stack trace looks exactly the same as this, but for other test cases in Tempest.

Can view the latest test run that sees these errors:
http://rhos-ci-logs.lab.eng.tlv2.redhat.com/logs/rcj/DFG-all-unified-17.1_d-rhel-vhost-3cont_2comp-ipv4-vxlan-lvm-srbac/32/test_results/tempest-results-neutron.1.html

(will attach the HTML here so that the log doesn't go away)

Comment 20 Jenny-Anne Lynch 2023-08-15 17:19:33 UTC
Hi Slawek and Candido,

Please check the doc texts in BZ#2196291 BZ#2210030 as per my comment in https://bugzilla.redhat.com/show_bug.cgi?id=2196291

Thanks.

Comment 23 errata-xmlrpc 2023-08-16 01:15:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Release of components for Red Hat OpenStack Platform 17.1 (Wallaby)), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:4577

