Reviewed:  https://review.opendev.org/c/openstack/neutron/+/962751
Committed: https://opendev.org/openstack/neutron/commit/8ff3d9d52a3d9471b92c4607956f96d59c779563
Submitter: "Zuul (22348)"
Branch:    master

commit 8ff3d9d52a3d9471b92c4607956f96d59c779563
Author: Slawek Kaplonski <[email protected]>
Date:   Wed Oct 1 17:03:47 2025 +0200

    [S-RBAC] Fix policies for local_ip_association

    Policies for those API actions should not rely on the "PROJECT_READER"
    or "PROJECT_MEMBER" rules as this resource doesn't have a project_id
    attribute and instead belongs to the project of the parent resource
    (which is local_ip).

    This patch updates those rules to:

        base.ADMIN_OR_PARENT_OWNER_MEMBER
        base.ADMIN_OR_PARENT_OWNER_READER

    Closes-bug: #2126576
    Change-Id: Ie12c4e40edc09b3477db7c8ffa3067856ea42866
    Signed-off-by: Slawek Kaplonski <[email protected]>

** Changed in: neutron
       Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/2126576

Title:
  [S-RBAC] Policies for local_ip_association don't work as expected

Status in neutron:
  Fix Released

Bug description:
  Those policies are written as:

      neutron_policy.policy_or(base.ADMIN_OR_PROJECT_MEMBER, base.PARENT_OWNER_MEMBER)

  and

      neutron_policy.policy_or(base.ADMIN_OR_PROJECT_READER, base.PARENT_OWNER_MEMBER)

  which is wrong because local_ip_association doesn't have project_id and
  in such case "OR_PROJECT_{MEMBER|READER}" fails.

  It should be only something like:

      base.ADMIN_OR_PARENT_OWNER_MEMBER
      base.ADMIN_OR_PARENT_OWNER_READER

