Commit 9177e90

slawqo authored and ralonsoh committed
[S-RBAC] Fix new policies for get QoS rules APIs
During the transition to the new secure RBAC API policies, we made a mistake with the policies for QoS rules by defining them to be available for ADMIN_OR_PROJECT_READER. This can't be like that, as QoS rules don't have a tenant_id attribute and always belong to the owner of the QoS policy. To fix that, this patch introduces new rules:

    ADMIN_OR_PARENT_OWNER_READER
    ADMIN_OR_PARENT_OWNER_MEMBER

and uses those in the QoS rules APIs.

Closes-Bug: #2018727
Change-Id: I522aeab5094b3f4854303d5e18f3abf6130fb33c
(cherry picked from commit be0dc09)
(cherry picked from commit 572cc2d)
1 parent baee022 commit 9177e90
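To make the mechanism behind this fix concrete, here is an added example (not code from neutron, oslo.policy or this commit) that evaluates oslo.policy-style check strings with a small evaluator of its own and runs the old and the new QoS-rule default against a constructed bandwidth limit rule target. The names ADMIN, PROJECT_READER, PARENT_OWNER_READER and the way the check strings are composed follow neutron/conf/policies/base.py as shown in this commit; the body given to the ext_parent_owner rule, the ext_parent_project_id target key, the sample target and the caller credentials are assumptions for illustration, because how neutron attaches the parent QoS policy's owner to the enforcement target is not shown on this page.

```python
"""Added example (not neutron's or oslo.policy's code): a tiny evaluator for the
check-string grammar used in this commit ('role:x', 'rule:x', 'field:%(key)s',
'and', 'or', parentheses; 'and' binds tighter than 'or', as in oslo.policy)."""


def tokenize(check_str):
    """Split like oslo.policy: whitespace-separated words; only a word's
    leading '(' and trailing ')' are grouping, so '%(key)s' stays intact."""
    for word in check_str.split():
        stripped = word.lstrip("(")
        yield from "(" * (len(word) - len(stripped))
        core = stripped.rstrip(")")
        if core:
            yield core
        yield from ")" * (len(stripped) - len(core))


def check(tok, creds, target, rules):
    """Evaluate one atomic check like oslo.policy's RoleCheck/RuleCheck/GenericCheck."""
    kind, _, match = tok.partition(":")
    if kind == "role":
        return match in creds.get("roles", [])
    if kind == "rule":  # an unknown rule name evaluates to False
        return match in rules and enforce(rules[match], creds, target, rules)
    # Generic check: fill %(key)s from the target and compare with the credential
    # of the same name. A key missing from the target makes the check False (as in
    # oslo.policy); that is exactly the situation of a QoS rule with no project_id.
    try:
        wanted = match % target
    except KeyError:
        return False
    return kind in creds and str(creds[kind]) == wanted


def enforce(check_str, creds, target, rules):
    """Recursive descent: expr := term ('or' term)*,
    term := factor ('and' factor)*, factor := '(' expr ')' | check."""
    tokens = list(tokenize(check_str))
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def expr():
        value = term()
        while pos < len(tokens) and tokens[pos] == "or":
            take()
            rhs = term()  # always parsed so its tokens are consumed
            value = value or rhs
        return value

    def term():
        value = factor()
        while pos < len(tokens) and tokens[pos] == "and":
            take()
            rhs = factor()
            value = value and rhs
        return value

    def factor():
        tok = take()
        if tok != "(":
            return check(tok, creds, target, rules)
        value = expr()
        if take() != ")":
            raise ValueError("unbalanced parentheses in %r" % check_str)
        return value

    result = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % check_str)
    return result


# Rule names and check-string composition mirror neutron's base.py as shown in
# this commit. The body of 'ext_parent_owner' is an assumption for this example:
# it pretends neutron already copied the parent QoS policy's project_id into the
# enforcement target as 'ext_parent_project_id'.
RULES = {
    "context_is_admin": "role:admin",
    "ext_parent_owner": "project_id:%(ext_parent_project_id)s",
}
ADMIN = "rule:context_is_admin"
PROJECT_READER = "role:reader and project_id:%(project_id)s"
PARENT_OWNER_READER = "role:reader and rule:ext_parent_owner"
ADMIN_OR_PROJECT_READER = "(" + ADMIN + ") or (" + PROJECT_READER + ")"
ADMIN_OR_PARENT_OWNER_READER = "(" + ADMIN + ") or (" + PARENT_OWNER_READER + ")"

# Constructed sample data: a bandwidth limit rule has no project_id of its own;
# its parent QoS policy belongs to project 'proj-a'. Callers are credential dicts.
QOS_RULE_TARGET = {"id": "bwlimit-1", "ext_parent_project_id": "proj-a"}
CALLERS = {
    "admin": {"roles": ["admin", "member", "reader"], "project_id": "proj-x"},
    "owner_reader": {"roles": ["reader"], "project_id": "proj-a"},
    "other_reader": {"roles": ["reader"], "project_id": "proj-b"},
}


def who_can_read(check_str, target=QOS_RULE_TARGET):
    """Names of the constructed callers that check_str admits for target."""
    return [name for name, creds in CALLERS.items()
            if enforce(check_str, creds, target, RULES)]
```

With the constructed data, who_can_read(ADMIN_OR_PROJECT_READER) admits only the admin: the reader of the owning project is refused because the target has no project_id for the generic check to substitute, which is the defect the commit message describes. who_can_read(ADMIN_OR_PARENT_OWNER_READER) admits the admin and the owning project's reader and still rejects a reader from another project.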

3 files changed (+356 -267 lines)


neutron/conf/policies/base.py

Lines changed: 14 additions & 0 deletions
@@ -62,6 +62,20 @@ def policy_or(*args):
6262
RULE_PARENT_OWNER = 'rule:ext_parent_owner'
6363
RULE_SG_OWNER = 'rule:sg_owner'
6464

65+
# In some cases we need to check owner of the parent resource, it's like that
66+
# for example for QoS rules (check owner of QoS policy rule belongs to) or
67+
# Floating IP port forwarding (check owner of FIP which PF is using). It's like
68+
# that becasue those resources (QOS rules, FIP PFs) don't have project_id
69+
# attribute at all and they belongs to the same project as parent resource (QoS
70+
# policy, FIP).
71+
PARENT_OWNER_MEMBER = 'role:member and ' + RULE_PARENT_OWNER
72+
PARENT_OWNER_READER = 'role:reader and ' + RULE_PARENT_OWNER
73+
ADMIN_OR_PARENT_OWNER_MEMBER = (
74+
'(' + ADMIN + ') or (' + PARENT_OWNER_MEMBER + ')')
75+
ADMIN_OR_PARENT_OWNER_READER = (
76+
'(' + ADMIN + ') or (' + PARENT_OWNER_READER + ')')
77+
78+
6579
rules = [
6680
policy.RuleDefault(
6781
'context_is_admin',
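Review bot: the new comment block has spelling and grammar slips that will land in the file as-is: "becasue" should be "because", and "they belongs to the same project" should read "they belong to the same project". Separately, ADMIN_OR_PARENT_OWNER_MEMBER is defined here but none of the qos.py hunks in this commit reference it (all eight switch get_* rules to ADMIN_OR_PARENT_OWNER_READER); if the third changed file does not use it either, either drop it or state in the commit message which APIs are meant to pick it up.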

neutron/conf/policies/qos.py

Lines changed: 8 additions & 8 deletions
@@ -125,7 +125,7 @@
125125

126126
policy.DocumentedRuleDefault(
127127
name='get_policy_bandwidth_limit_rule',
128-
check_str=base.ADMIN_OR_PROJECT_READER,
128+
check_str=base.ADMIN_OR_PARENT_OWNER_READER,
129129
scope_types=['project'],
130130
description='Get a QoS bandwidth limit rule',
131131
operations=[
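Review bot: this changes the default check string of a DocumentedRuleDefault (and the same edit is repeated for the seven sibling get_* rules below) while scope_types stays ['project'], so the generated policy documentation and sample policy file change for operators; please confirm a release note accompanies the change (it is not among the two files visible here) and that any deprecated_rule attached to these entries still names the previous default so oslo.policy's deprecation handling keeps working. Also worth stating in the hunk or commit message: rule:ext_parent_owner can only pass if the enforcement target for a rule carries the parent QoS policy's owner, which nothing in this file shows.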
@@ -201,7 +201,7 @@
201201

202202
policy.DocumentedRuleDefault(
203203
name='get_policy_packet_rate_limit_rule',
204-
check_str=base.ADMIN_OR_PROJECT_READER,
204+
check_str=base.ADMIN_OR_PARENT_OWNER_READER,
205205
scope_types=['project'],
206206
description='Get a QoS packet rate limit rule',
207207
operations=[
@@ -257,7 +257,7 @@
257257

258258
policy.DocumentedRuleDefault(
259259
name='get_policy_dscp_marking_rule',
260-
check_str=base.ADMIN_OR_PROJECT_READER,
260+
check_str=base.ADMIN_OR_PARENT_OWNER_READER,
261261
scope_types=['project'],
262262
description='Get a QoS DSCP marking rule',
263263
operations=[
@@ -333,7 +333,7 @@
333333

334334
policy.DocumentedRuleDefault(
335335
name='get_policy_minimum_bandwidth_rule',
336-
check_str=base.ADMIN_OR_PROJECT_READER,
336+
check_str=base.ADMIN_OR_PARENT_OWNER_READER,
337337
scope_types=['project'],
338338
description='Get a QoS minimum bandwidth rule',
339339
operations=[
@@ -408,7 +408,7 @@
408408
),
409409
policy.DocumentedRuleDefault(
410410
name='get_policy_minimum_packet_rate_rule',
411-
check_str=base.ADMIN_OR_PROJECT_READER,
411+
check_str=base.ADMIN_OR_PARENT_OWNER_READER,
412412
scope_types=['project'],
413413
description='Get a QoS minimum packet rate rule',
414414
operations=[
@@ -463,7 +463,7 @@
463463
),
464464
policy.DocumentedRuleDefault(
465465
name='get_alias_bandwidth_limit_rule',
466-
check_str=base.ADMIN_OR_PROJECT_READER,
466+
check_str=base.ADMIN_OR_PARENT_OWNER_READER,
467467
scope_types=['project'],
468468
description='Get a QoS bandwidth limit rule through alias',
469469
operations=[
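Review bot: for the alias rules (this hunk and the two get_alias_* rules below) the request addresses the rule by its own id, "through alias", rather than under its parent policy, so the parent is not part of the request path; please make sure the rule:ext_parent_owner check is fed the parent QoS policy's owner on this path as well, not only for the /qos/policies/{policy_id}/... rules, and that the tests in the third changed file include an alias GET by a reader from a different project being rejected. The operations list is cut off on this page, so that cannot be confirmed from the hunk itself.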
@@ -514,7 +514,7 @@
514514
),
515515
policy.DocumentedRuleDefault(
516516
name='get_alias_dscp_marking_rule',
517-
check_str=base.ADMIN_OR_PROJECT_READER,
517+
check_str=base.ADMIN_OR_PARENT_OWNER_READER,
518518
scope_types=['project'],
519519
description='Get a QoS DSCP marking rule through alias',
520520
operations=[
@@ -565,7 +565,7 @@
565565
),
566566
policy.DocumentedRuleDefault(
567567
name='get_alias_minimum_bandwidth_rule',
568-
check_str=base.ADMIN_OR_PROJECT_READER,
568+
check_str=base.ADMIN_OR_PARENT_OWNER_READER,
569569
scope_types=['project'],
570570
description='Get a QoS minimum bandwidth rule through alias',
571571
operations=[
