Reviewed:  https://review.opendev.org/c/openstack/neutron-lib/+/954054
Committed: https://opendev.org/openstack/neutron-lib/commit/b510f7feb8678081f0c51d19d9c484b7f19964e1
Submitter: "Zuul (22348)"
Branch:    master
commit b510f7feb8678081f0c51d19d9c484b7f19964e1
Author: Slawek Kaplonski <[email protected]>
Date:   Thu Jul 3 16:40:44 2025 +0200

    Add "has_global_access" attribute to the context object

    In the case where API policies with custom roles have to be defined by
    the operator and such a custom role should be granted access to the
    resources of all projects, for example some kind of "admin_reader" or
    "auditor" role, it was not possible to achieve this so far. The problem
    was that for all non-admin and non-service users, SQL queries were
    always scoped to the user's own project only, so such an "auditor"
    couldn't even get data from different projects from the database.

    This patch introduces a new API policy rule called
    `context_with_global_access` and the attribute `has_global_access` on
    the neutron_lib.context.ContextBase class. By default the
    `context_with_global_access` rule is granted to nobody, but it can be
    defined in the neutron policy file, e.g.:

        "context_with_global_access": "role:auditor"

    and then the `neutron_context` object for API requests made by someone
    with such a role granted will be able to fetch all data from the
    database.

    This doesn't mean that anyone with such a role will be able to do or
    get everything through the API, because there is still the policy
    engine with defined API policies which prevents that. So to e.g. grant
    such an auditor user permission to list all networks in the cluster,
    an additional rule would be needed in the policy file, and it can look
    for example like:

        "get_network": "role:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc or role:auditor"

    Closes-Bug: #2115184
    Change-Id: I90149b0212dafa8f469dc329cc4b45042cded38c
    Signed-off-by: Slawek Kaplonski <[email protected]>

** Changed in: neutron
       Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2115184

Title:
  [S-RBAC] Custom role can't get resources which belong to different projects

Status in neutron:
  Fix Released

Bug description:
  It was reported on the ML:
  https://lists.openstack.org/archives/list/openstack-[email protected]/thread/4TRWELLL6FH455JNWP52LV6OLMXSFQ34/

  Basically, even if the operator specifies a custom rule like e.g.:

    "get_network": "(rule:admin_only) or (role:reader and project_id:%(project_id)s) or rule:shared or rule:external or rule:context_is_advsvc or role:admin_network_read"

  a user with the "admin_network_read" role can't get all networks from the
  cloud. It happens like that because it is filtered out on the DB access
  layer, in
  https://github.com/openstack/neutron-lib/blob/fd011c955dfae1072555c69b6ba742b85f041736/neutron_lib/db/model_query.py#L157

--
Mailing list: https://launchpad.net/~yahoo-eng-team
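The two-layer check the commit message and bug description talk about, as an added example for this notification (not neutron or neutron-lib code): layer 1 is the DB access layer, which filters rows to the caller's own project unless the context is admin, a service user or, after the fix, has `has_global_access`; layer 2 is the API policy engine, which evaluates `get_network` against each row that survived layer 1. The `Context` class, `make_context`, `scope_query`, `list_networks` and the rule evaluator are hypothetical stand-ins chosen for illustration; the evaluator is a deliberately small substitute for oslo.policy (it handles `role:`, `rule:`, `<attr>:%(attr)s` generic checks, `!` and `and`/`or` with `and` binding tighter, but no parentheses, so the sample rules are written without them). The network rows are constructed.

```python
"""Toy model of DB-layer project scoping plus API policy enforcement.

Added example, not neutron/neutron-lib code. Names below are hypothetical
stand-ins; the rule evaluator is a minimal substitute for oslo.policy.
"""
from dataclasses import dataclass


@dataclass
class Context:
    """Stand-in for neutron_lib.context.ContextBase (hypothetical)."""
    user_id: str
    project_id: str
    roles: list
    is_admin: bool = False
    is_service_role: bool = False
    has_global_access: bool = False  # the attribute the patch adds


# Constructed sample rows: one network in each of three projects.
NETWORKS = [
    {"id": "net-a", "project_id": "proj-a"},
    {"id": "net-b", "project_id": "proj-b"},
    {"id": "net-c", "project_id": "proj-c"},
]


def _check_atom(atom, rules, ctx, target):
    if atom == "!":                      # oslo.policy "deny everyone"
        return False
    kind, _, value = atom.partition(":")
    if kind == "role":
        return value in ctx.roles
    if kind == "rule":
        return check_rule(rules[value], rules, ctx, target)
    # Generic check such as project_id:%(project_id)s: substitute target
    # attributes into the right-hand side, compare with the context attr.
    try:
        expected = value % target
    except KeyError:
        return False
    return str(getattr(ctx, kind, None)) == expected


def check_rule(rule_str, rules, ctx, target):
    """Evaluate 'a or b and c' as any(all(...)); 'and' binds tighter."""
    return any(
        all(_check_atom(atom.strip(), rules, ctx, target)
            for atom in conjunct.split(" and "))
        for conjunct in rule_str.split(" or "))


def make_context(user_id, project_id, roles, rules):
    """Derive the admin and global-access flags from the policy file."""
    ctx = Context(user_id, project_id, list(roles))
    ctx.is_admin = check_rule(rules["admin_only"], rules, ctx, {})
    ctx.is_service_role = "service" in ctx.roles
    # The rule the patch introduces; default "!" means granted to nobody.
    ctx.has_global_access = check_rule(
        rules.get("context_with_global_access", "!"), rules, ctx, {})
    return ctx


def scope_query(ctx, rows):
    """Layer 1: project scoping the way the bug describes model_query.py."""
    if ctx.is_admin or ctx.is_service_role or ctx.has_global_access:
        return list(rows)
    return [r for r in rows if r["project_id"] == ctx.project_id]


def list_networks(ctx, rules):
    """Layer 2: API policy applied to each row that survived layer 1."""
    return [r["id"] for r in scope_query(ctx, NETWORKS)
            if check_rule(rules["get_network"], rules, ctx, r)]


# Before the fix: get_network grants role:auditor, but nothing widens the
# DB-layer scope, so the auditor still only sees its own project.
RULES_BEFORE = {
    "admin_only": "role:admin",
    "get_network": ("rule:admin_only or "
                    "role:reader and project_id:%(project_id)s or "
                    "role:auditor"),
}
# After the fix: the new context rule widens the DB scope and get_network
# lets the auditor read the rows that now come back.
RULES_AFTER = {**RULES_BEFORE, "context_with_global_access": "role:auditor"}
# Global DB scope alone is not enough: without role:auditor in get_network
# the policy engine still drops the other projects' rows.
RULES_SCOPE_ONLY = {
    "admin_only": "role:admin",
    "context_with_global_access": "role:auditor",
    "get_network": ("rule:admin_only or "
                    "role:reader and project_id:%(project_id)s"),
}


def demo():
    """Auditor in proj-a under each policy: (has_global_access, visible ids)."""
    out = {}
    for name, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER),
                        ("scope_only", RULES_SCOPE_ONLY)):
        ctx = make_context("u-audit", "proj-a", ["reader", "auditor"], rules)
        out[name] = (ctx.has_global_access, list_networks(ctx, rules))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running `demo()` shows the three situations the commit message distinguishes: under `RULES_BEFORE` the auditor's `has_global_access` is false and only `net-a` comes back even though `get_network` names `role:auditor`; under `RULES_AFTER` all three networks are returned; under `RULES_SCOPE_ONLY` the DB layer returns all rows but the policy engine still reduces the result to `net-a`, which is the point that granting `context_with_global_access` on its own does not expose everything through the API.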

