** Changed in: neutron
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1918506

Title:
  Neutron doesn't honor system-scope

Status in neutron:
  Fix Released

Bug description:
  Neutron recently made a bunch of great progress evolving policy check
  strings to include default role support (admin, member, and reader)
  and system-scope [0]. Please reference keystone's default role and
  persona documentation for a primer on authorization patterns we're
  trying to apply to neutron [1]

  Despite these improved policies, neutron needs some additional work to
  understand system scope.

  I was able to use a system-reader persona (someone with the `reader`
  role assigned on the system) to list networks in neutron. But, the
  response didn't contain all networks. It only included public and
  shared networks.

  ╭─ubuntu@neutron-devstack ~
  ╰─➤  $ openstack --os-cloud system-reader network list
  
+--------------------------------------+--------+----------------------------------------------------------------------------+
  | ID                                   | Name   | Subnets                     
                                               |
  
+--------------------------------------+--------+----------------------------------------------------------------------------+
  | 293518cb-b280-4332-a1f0-e038c410f16a | shared | 
db50dc9d-e23c-473e-88e3-e3f1acfcc6d7                                       |
  | 3eae4573-e569-428b-a1b2-cac15a53b0c1 | public | 
6e744a36-6a02-45d9-95c0-72aec03e9615, d5dbacc8-5725-4918-b17f-b7fe5ceeca4c |
  
+--------------------------------------+--------+----------------------------------------------------------------------------+
  ╭─ubuntu@neutron-devstack ~
  ╰─➤  $ openstack --os-cloud devstack-system-admin network list
  
+--------------------------------------+---------+----------------------------------------------------------------------------+
  | ID                                   | Name    | Subnets                    
                                                |
  
+--------------------------------------+---------+----------------------------------------------------------------------------+
  | 293518cb-b280-4332-a1f0-e038c410f16a | shared  | 
db50dc9d-e23c-473e-88e3-e3f1acfcc6d7                                       |
  | 3eae4573-e569-428b-a1b2-cac15a53b0c1 | public  | 
6e744a36-6a02-45d9-95c0-72aec03e9615, d5dbacc8-5725-4918-b17f-b7fe5ceeca4c |
  | 61238010-7f8f-4110-9957-8bd48bd18294 | private | 
3864f24a-ff45-46dc-9703-e6a5cb9fc7ab, c1009fc6-0037-408f-8775-5993a73200fe |
  
+--------------------------------------+---------+----------------------------------------------------------------------------+
  ╭─ubuntu@neutron-devstack ~
  ╰─➤  $ openstack --os-cloud devstack-admin network list
  
+--------------------------------------+---------+----------------------------------------------------------------------------+
  | ID                                   | Name    | Subnets                    
                                                |
  
+--------------------------------------+---------+----------------------------------------------------------------------------+
  | 293518cb-b280-4332-a1f0-e038c410f16a | shared  | 
db50dc9d-e23c-473e-88e3-e3f1acfcc6d7                                       |
  | 3eae4573-e569-428b-a1b2-cac15a53b0c1 | public  | 
6e744a36-6a02-45d9-95c0-72aec03e9615, d5dbacc8-5725-4918-b17f-b7fe5ceeca4c |
  | 61238010-7f8f-4110-9957-8bd48bd18294 | private | 
3864f24a-ff45-46dc-9703-e6a5cb9fc7ab, c1009fc6-0037-408f-8775-5993a73200fe |
  
+--------------------------------------+---------+----------------------------------------------------------------------------+

  I have the following options set in my neutron.conf:

  [oslo_policy]
  enforce_new_defaults = True
  enforce_scope = True
  policy_file = /etc/neutron/policy.json

  Which should configure neutron to enforce scopes and new default
  policies allowing things like:

  - system-admins to view all resources
  - system-admins to create system-specific resources (public networks)
  - system-readers to view all resources across projects and system-specific 
resources
  - project-admins to view only networks available to their project

  I started tracing through the neutron code and noticed it's building
  database queries using the request context object [2], which might
  leading to why system-readers can't view all networks in a deployment.

  This bug is likely something that affects more that just network
  resources, but I haven't done an exhaustive investigation, yet.

  Hoping to get some feedback from folks more familiar with Neutron so
  that we can plan a path forward for properly consuming system-scope.

  [0] 
https://review.opendev.org/q/project:openstack/neutron+status:merged+topic:secure-rbac
  [1] 
https://docs.openstack.org/keystone/latest/admin/service-api-protection.html
  [2] 
https://opendev.org/openstack/neutron-lib/src/commit/02e070fe099651ad5abea87819c7d3e729885130/neutron_lib/db/utils.py

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1918506/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to