** Changed in: neutron
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1918506
Title:
  Neutron doesn't honor system-scope

Status in neutron:
  Fix Released

Bug description:
  Neutron recently made a bunch of great progress evolving policy check
  strings to include default role support (admin, member, and reader) and
  system-scope [0]. Please reference keystone's default role and persona
  documentation for a primer on the authorization patterns we're trying to
  apply to neutron [1].

  Despite these improved policies, neutron needs some additional work to
  understand system scope. I was able to use a system-reader persona
  (someone with the `reader` role assigned on the system) to list networks
  in neutron. But the response didn't contain all networks. It only
  included public and shared networks.

  ╭─ubuntu@neutron-devstack ~
  ╰─➤  $ openstack --os-cloud system-reader network list
  +--------------------------------------+--------+----------------------------------------------------------------------------+
  | ID                                   | Name   | Subnets                                                                    |
  +--------------------------------------+--------+----------------------------------------------------------------------------+
  | 293518cb-b280-4332-a1f0-e038c410f16a | shared | db50dc9d-e23c-473e-88e3-e3f1acfcc6d7                                       |
  | 3eae4573-e569-428b-a1b2-cac15a53b0c1 | public | 6e744a36-6a02-45d9-95c0-72aec03e9615, d5dbacc8-5725-4918-b17f-b7fe5ceeca4c |
  +--------------------------------------+--------+----------------------------------------------------------------------------+

  ╭─ubuntu@neutron-devstack ~
  ╰─➤  $ openstack --os-cloud devstack-system-admin network list
  +--------------------------------------+---------+----------------------------------------------------------------------------+
  | ID                                   | Name    | Subnets                                                                    |
  +--------------------------------------+---------+----------------------------------------------------------------------------+
  | 293518cb-b280-4332-a1f0-e038c410f16a | shared  | db50dc9d-e23c-473e-88e3-e3f1acfcc6d7                                       |
  | 3eae4573-e569-428b-a1b2-cac15a53b0c1 | public  | 6e744a36-6a02-45d9-95c0-72aec03e9615, d5dbacc8-5725-4918-b17f-b7fe5ceeca4c |
  | 61238010-7f8f-4110-9957-8bd48bd18294 | private | 3864f24a-ff45-46dc-9703-e6a5cb9fc7ab, c1009fc6-0037-408f-8775-5993a73200fe |
  +--------------------------------------+---------+----------------------------------------------------------------------------+

  ╭─ubuntu@neutron-devstack ~
  ╰─➤  $ openstack --os-cloud devstack-admin network list
  +--------------------------------------+---------+----------------------------------------------------------------------------+
  | ID                                   | Name    | Subnets                                                                    |
  +--------------------------------------+---------+----------------------------------------------------------------------------+
  | 293518cb-b280-4332-a1f0-e038c410f16a | shared  | db50dc9d-e23c-473e-88e3-e3f1acfcc6d7                                       |
  | 3eae4573-e569-428b-a1b2-cac15a53b0c1 | public  | 6e744a36-6a02-45d9-95c0-72aec03e9615, d5dbacc8-5725-4918-b17f-b7fe5ceeca4c |
  | 61238010-7f8f-4110-9957-8bd48bd18294 | private | 3864f24a-ff45-46dc-9703-e6a5cb9fc7ab, c1009fc6-0037-408f-8775-5993a73200fe |
  +--------------------------------------+---------+----------------------------------------------------------------------------+

  I have the following options set in my neutron.conf:

  [oslo_policy]
  enforce_new_defaults = True
  enforce_scope = True
  policy_file = /etc/neutron/policy.json

  Which should configure neutron to enforce scopes and new default policies
  allowing things like:

  - system-admins to view all resources
  - system-admins to create system-specific resources (public networks)
  - system-readers to view all resources across projects and
    system-specific resources
  - project-admins to view only networks available to their project

  I started tracing through the neutron code and noticed it's building
  database queries using the request context object [2], which might be
  leading to why system-readers can't view all networks in a deployment.
  This bug is likely something that affects more than just network
  resources, but I haven't done an exhaustive investigation, yet.
  Hoping to get some feedback from folks more familiar with Neutron so
  that we can plan a path forward for properly consuming system-scope.

  [0] https://review.opendev.org/q/project:openstack/neutron+status:merged+topic:secure-rbac
  [1] https://docs.openstack.org/keystone/latest/admin/service-api-protection.html
  [2] https://opendev.org/openstack/neutron-lib/src/commit/02e070fe099651ad5abea87819c7d3e729885130/neutron_lib/db/utils.py

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1918506/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
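The following is an added illustration of the gap the report describes; it is not part of the bug report and is not neutron or neutron-lib code. It models the two layers neutron keeps separate, the oslo.policy-style check that decides whether a persona may see a network and the database scoping filter derived from the request context, and shows why a system-reader token passes the policy yet comes back with only the shared and public rows when the filter keys on `project_id`. The names `RequestContext`, `policy_allows_get_network`, `scope_query_buggy`, `scope_query_fixed` and the persona objects are assumptions for this example, the network rows are constructed from the report's output, and the check string in the docstring is an approximation of the secure-RBAC defaults rather than neutron's exact rule.

```python
"""Constructed model of the system-scope gap the bug report describes.

Added illustration, not neutron or neutron-lib code. The buggy filter
reproduces the report's observation (a system-reader sees only the
shared/public networks); the fixed filter treats a system-scoped token as
belonging to no project and lets the policy check decide visibility.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class RequestContext:
    """Minimal stand-in for the oslo.context object neutron threads through
    policy enforcement and DB queries (assumed shape, not the real class)."""
    user_id: str
    roles: List[str]
    project_id: Optional[str] = None    # set on project-scoped tokens
    system_scope: Optional[str] = None  # "all" on system-scoped tokens

    @property
    def is_admin(self) -> bool:
        # Legacy notion of admin: the role alone, regardless of scope.
        return "admin" in self.roles


# Constructed rows mirroring the three networks in the report's output.
# "public" is modelled as an external network owned by the admin project.
NETWORKS = [
    {"id": "293518cb-b280-4332-a1f0-e038c410f16a", "name": "shared",
     "project_id": "admin-proj", "shared": True, "router:external": False},
    {"id": "3eae4573-e569-428b-a1b2-cac15a53b0c1", "name": "public",
     "project_id": "admin-proj", "shared": False, "router:external": True},
    {"id": "61238010-7f8f-4110-9957-8bd48bd18294", "name": "private",
     "project_id": "demo-proj", "shared": False, "router:external": False},
]


def policy_allows_get_network(ctx: RequestContext, net: dict) -> bool:
    """Approximates a secure-RBAC "get_network" rule such as
       (role:reader and system_scope:all) or
       (role:reader and project_id:%(project_id)s) or
       rule:shared or rule:external
    Keystone's default role implications (admin -> member -> reader) are
    folded in, so an admin or member token also satisfies role:reader."""
    reader = bool({"reader", "member", "admin"} & set(ctx.roles))
    system_reader = reader and ctx.system_scope == "all"
    project_reader = (reader and ctx.project_id is not None
                      and ctx.project_id == net["project_id"])
    return system_reader or project_reader or net["shared"] or net["router:external"]


def scope_query_buggy(ctx: RequestContext, networks: List[dict]) -> List[dict]:
    """What the report suspects of the context-driven model query: unless the
    context is admin, keep only the caller's own project plus shared/external
    rows. A system-scoped token carries no project_id, so a system-reader is
    left with shared/external only, even though the policy would allow more."""
    if ctx.is_admin:
        return list(networks)
    return [n for n in networks
            if n["project_id"] == ctx.project_id or n["shared"] or n["router:external"]]


def scope_query_fixed(ctx: RequestContext, networks: List[dict]) -> List[dict]:
    """Scope-aware variant: a system-scoped token belongs to no project, so no
    project filter applies and the policy check alone decides visibility.
    Project-scoped tokens stay confined to their own project plus shared and
    external networks."""
    if ctx.system_scope == "all":
        return list(networks)
    return [n for n in networks
            if n["project_id"] == ctx.project_id or n["shared"] or n["router:external"]]


def list_networks(ctx: RequestContext,
                  scope_query: Callable[[RequestContext, List[dict]], List[dict]],
                  networks: List[dict] = NETWORKS) -> List[str]:
    """DB-level scoping first (as neutron's model query does), then the policy
    check per returned row; returns the visible network names in table order."""
    rows = scope_query(ctx, networks)
    return [n["name"] for n in rows if policy_allows_get_network(ctx, n)]


# Personas from the report plus two project members (assumed contexts).
SYSTEM_READER = RequestContext("u-reader", ["reader"], system_scope="all")
SYSTEM_ADMIN = RequestContext("u-sysadmin", ["admin"], system_scope="all")
DEMO_MEMBER = RequestContext("u-demo", ["member"], project_id="demo-proj")
OTHER_MEMBER = RequestContext("u-other", ["member"], project_id="other-proj")


if __name__ == "__main__":
    for label, ctx in [("system-reader", SYSTEM_READER), ("system-admin", SYSTEM_ADMIN),
                       ("demo member", DEMO_MEMBER), ("other member", OTHER_MEMBER)]:
        print(f"{label:14} buggy={list_networks(ctx, scope_query_buggy)} "
              f"fixed={list_networks(ctx, scope_query_fixed)}")
```

Running it prints the system-reader row twice, once truncated to shared/public under the buggy filter and once with all three networks under the fixed one, while the system-admin (whose legacy `admin` role bypasses the project filter) and the project members are unchanged between the two. That is the shape of the report's observation: the policy layer already understands system scope, the query scoping layer does not.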