Bug 2232573 - Shared networks can be returned as "shared=False" in the API request [NEEDINFO]
Summary: Shared networks can be returned as "shared=False" in the API request
Keywords:
Status: NEW
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 16.2 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: z6
Target Release: ---
Assignee: Rodolfo Alonso
QA Contact: Eran Kuris
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-08-17 12:33 UTC by Slawek Kaplonski
Modified: 2023-08-23 11:03 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
Cause: Since BZ#2209754 was fixed, a change in the RBAC resource query was introduced. Due to an issue in the present version of SQLAlchemy, 1.3.2, the SQL query performed doesn't retrieve all the RBAC entries per resource.
Consequence: If a network has two RBAC registers, one with action "access_as_shared" and the other with "access_as_external", and both are accessible to a specific non-admin user, the "openstack port list --share" query won't show the related network. However, this network will still be available to this user due to the "access_as_external" RBAC entry.
Workaround (if any): Install a newer SQLAlchemy version (1.3.13+). That could be manually installed inside the Neutron API container. However, bumping the SQLAlchemy version during the OSP 16.2 release phase is strictly not recommended: it would affect any other API server, and there is no time to test it properly.
Result: Any non-admin user will be able to use a network with both RBAC registers ("access_as_shared", "access_as_external"), but it won't appear in the command "openstack port list --share" because this network will have the "shared" flag as False.
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:
ralonsoh: needinfo? (gregraka)



Links
System ID Private Priority Status Summary Last Updated
Launchpad 2031656 0 None None None 2023-08-17 12:33:34 UTC
Red Hat Issue Tracker OSP-27556 0 None None None 2023-08-17 12:33:44 UTC

Description Slawek Kaplonski 2023-08-17 12:33:00 UTC
This issue is caused by https://github.com/openstack/neutron-lib/commit/829e97024c2b73dd67bfd8a04c65f03be556eec8 which added a "group by" clause to the SQL query to get e.g. all networks.
If a network is "access_as_external" and also "access_as_shared", then if a regular user makes an API request like:

GET /v2.0/networks?shared=True

It will receive that external AND shared network, but it will have "shared=False" in the network parameters.

This is also causing failures in our CI jobs, like: https://rhos-ci-jenkins.lab.eng.tlv2.redhat.com/job/DFG-network-networking-ovn-16.2_director-rhel-virthost-3cont_2comp-ipv4-vxlan-ovn/24//artifact/tempest-results/tempest-results-neutron.1.html - see test neutron_tempest_plugin.api.admin.test_shared_network_extension.SharedNetworksTest.test_filtering_shared_networks
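
An added example, not part of the original report or of Neutron's code: a small audit that cross-checks the "shared" flag a non-admin project sees against the RBAC policies that apply to it, to find networks affected by this issue. The field names follow the Neutron networks and rbac-policies API responses; the sample data, ids and function names are constructed for illustration, and the example assumes the RBAC policies were listed with an admin token.

```python
# Constructed sample: networks as returned to project "project-a" (non-admin).
NETWORKS_SEEN = [
    {"id": "net-ext-shared", "shared": False, "router:external": True},
    {"id": "net-shared", "shared": True, "router:external": False},
    {"id": "net-ext", "shared": False, "router:external": True},
    {"id": "net-own", "shared": False, "router:external": False},
]

def _policy(object_id, action, target):
    """Build a constructed RBAC policy entry for a network."""
    return {"object_type": "network", "object_id": object_id,
            "action": action, "target_tenant": target}

# Constructed sample: RBAC policies as listed by an admin.
RBAC_POLICIES = [
    _policy("net-ext-shared", "access_as_shared", "*"),
    _policy("net-ext-shared", "access_as_external", "*"),
    _policy("net-shared", "access_as_shared", "project-a"),
    _policy("net-ext", "access_as_external", "*"),
    _policy("net-own", "access_as_shared", "project-b"),  # not for project-a
]

def rbac_actions(policies, project_id):
    """Map network id -> set of RBAC actions that apply to project_id."""
    actions = {}
    for pol in policies:
        if pol["object_type"] != "network":
            continue
        if pol["target_tenant"] in ("*", project_id):
            actions.setdefault(pol["object_id"], set()).add(pol["action"])
    return actions

def find_mislabelled(networks, policies, project_id):
    """Networks granted access_as_shared to the project but shown shared=False."""
    granted = rbac_actions(policies, project_id)
    findings = []
    for net in networks:
        acts = granted.get(net["id"], set())
        if "access_as_shared" in acts and not net["shared"]:
            findings.append({"id": net["id"], "actions": sorted(acts)})
    return findings

if __name__ == "__main__":
    for hit in find_mislabelled(NETWORKS_SEEN, RBAC_POLICIES, "project-a"):
        print("shared via RBAC but reported shared=False:", hit)
```
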

