OpenStack Dashboard (Horizon)

Horizon network port create panel shows "port security" checkbox that breaks port creation for non-admin users

Bug #1841050 reported by Radomir Dopieralski
16
This bug affects 3 people
Affects Status Importance Assigned to Milestone
OpenStack Dashboard (Horizon)
In Progress
Undecided
Radomir Dopieralski

Bug Description

When creating a network port, we display the "port security" checkbox even when the user has no right to set it. That results in a policy error when the form is submitted.

We should be checking for the user's rights, and not display that checkbox (and not pass the related parameter in the API call) when those are insufficient for setting it.

Radomir Dopieralski (deshipu)
tags: added: neutron
Radomir Dopieralski (deshipu)
Changed in horizon:
assignee: nobody → Radomir Dopieralski (deshipu)
Ivan Kolodyazhny (e0ne)
Changed in horizon:
status: New → Confirmed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/horizon/+/810224

Changed in horizon:
status: Confirmed → In Progress
Revision history for this message
Vishal Manchanda (vishalmanchanda) wrote :

@radomir hi, with which user do you face this issue, I try to create/update Network Port for Non-admin users with reader/service roles but I am always able to create Network Port without any issues. Please find below the steps I performed:

1. Created a User Identity->Create User(with Primary Project as demo and Role with reader field)
2. Login with the above user.
3. Project->Network->Ports-> Create Port

Could You please add some steps to reproduce this issue so I can test your patch?

Revision history for this message
Radomir Dopieralski (deshipu) wrote :

The customer has created a custom Neutron policy, in which he explicitly disabled the network:create_port:port_security_enabled and network:update_port:port_security_enabled rights for an user, while allowing the other rights. The issue does not exist with the default policy files.

Revision history for this message
Sam Morrison (sorrison) wrote :

We have this issue with the default policy, the issue for us is if the network is a shared network owned by an admin and the port within that network is owned by the user then the user isn't allowed to update port security.

Policy is

"update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",

One way to help mitigate this is to not send neutron the port_security_enabled attribute if this attribute is not being changed by the user

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/horizon/+/819027

Revision history for this message
Sam Morrison (sorrison) wrote :

Somehow I missed that there is already a proposed fix for this. Feel free to ignore my approach if previous one is better, mine didn't handle all scenarios

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.opendev.org/c/openstack/horizon/+/819027
Committed: https://opendev.org/openstack/horizon/commit/d059b0bc40f04befc60657cd6504cc5711934b90
Submitter: "Zuul (22348)"
Branch: master

commit d059b0bc40f04befc60657cd6504cc5711934b90
Author: Sam Morrison <email address hidden>
Date: Tue Nov 23 13:56:23 2021 +1100

    Don't try and update port security if its not changing

    Default policy in neutron doesn't allow port security to change
    if network not owned by the user. To allow users to update other
    attributes of a port don't send port_security_enabled attribute
    to neutron unless it changes.

    If user tries to change port security on a port in a network not
    owned by them it will still error as it does now.

    Partial-Bug: #1841050

    Change-Id: I301336103cabc3f1cab3ee72d7743385ff1a10d6

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/horizon/+/859153

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/horizon/+/859154

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/horizon/+/859155

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/horizon/+/859156

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/horizon/+/859157

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/horizon/+/859158

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/horizon/+/859159

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/horizon/+/859153
Committed: https://opendev.org/openstack/horizon/commit/e79aa87e111a685c006997c0a903123b9ed035de
Submitter: "Zuul (22348)"
Branch: stable/zed

commit e79aa87e111a685c006997c0a903123b9ed035de
Author: Sam Morrison <email address hidden>
Date: Tue Nov 23 13:56:23 2021 +1100

    Don't try and update port security if its not changing

    Default policy in neutron doesn't allow port security to change
    if network not owned by the user. To allow users to update other
    attributes of a port don't send port_security_enabled attribute
    to neutron unless it changes.

    If user tries to change port security on a port in a network not
    owned by them it will still error as it does now.

    Partial-Bug: #1841050

    Change-Id: I301336103cabc3f1cab3ee72d7743385ff1a10d6
    (cherry picked from commit d059b0bc40f04befc60657cd6504cc5711934b90)

tags: added: in-stable-zed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/horizon/+/859154
Committed: https://opendev.org/openstack/horizon/commit/618e44469643ca32222fb5883502582897eeafba
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit 618e44469643ca32222fb5883502582897eeafba
Author: Sam Morrison <email address hidden>
Date: Tue Nov 23 13:56:23 2021 +1100

    Don't try and update port security if its not changing

    Default policy in neutron doesn't allow port security to change
    if network not owned by the user. To allow users to update other
    attributes of a port don't send port_security_enabled attribute
    to neutron unless it changes.

    If user tries to change port security on a port in a network not
    owned by them it will still error as it does now.

    Partial-Bug: #1841050

    Change-Id: I301336103cabc3f1cab3ee72d7743385ff1a10d6
    (cherry picked from commit d059b0bc40f04befc60657cd6504cc5711934b90)

tags: added: in-stable-yoga
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/horizon/+/859156
Committed: https://opendev.org/openstack/horizon/commit/f3e917ea8e817c4897742a08ce9fa93770548252
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit f3e917ea8e817c4897742a08ce9fa93770548252
Author: Sam Morrison <email address hidden>
Date: Tue Nov 23 13:56:23 2021 +1100

    Don't try and update port security if its not changing

    Default policy in neutron doesn't allow port security to change
    if network not owned by the user. To allow users to update other
    attributes of a port don't send port_security_enabled attribute
    to neutron unless it changes.

    If user tries to change port security on a port in a network not
    owned by them it will still error as it does now.

    Partial-Bug: #1841050

    Change-Id: I301336103cabc3f1cab3ee72d7743385ff1a10d6
    (cherry picked from commit d059b0bc40f04befc60657cd6504cc5711934b90)

tags: added: in-stable-wallaby
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/horizon/+/859158
Committed: https://opendev.org/openstack/horizon/commit/43be97e38ba31e3d55b3c8a80067709f754e4386
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit 43be97e38ba31e3d55b3c8a80067709f754e4386
Author: Sam Morrison <email address hidden>
Date: Tue Nov 23 13:56:23 2021 +1100

    Don't try and update port security if its not changing

    Default policy in neutron doesn't allow port security to change
    if network not owned by the user. To allow users to update other
    attributes of a port don't send port_security_enabled attribute
    to neutron unless it changes.

    If user tries to change port security on a port in a network not
    owned by them it will still error as it does now.

    Partial-Bug: #1841050

    Change-Id: I301336103cabc3f1cab3ee72d7743385ff1a10d6
    (cherry picked from commit d059b0bc40f04befc60657cd6504cc5711934b90)

tags: added: in-stable-ussuri
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/horizon/+/859155
Committed: https://opendev.org/openstack/horizon/commit/fc0f9c664afbb0b8ba9f30c65ccf9b096bf942d2
Submitter: "Zuul (22348)"
Branch: stable/xena

commit fc0f9c664afbb0b8ba9f30c65ccf9b096bf942d2
Author: Sam Morrison <email address hidden>
Date: Tue Nov 23 13:56:23 2021 +1100

    Don't try and update port security if its not changing

    Default policy in neutron doesn't allow port security to change
    if network not owned by the user. To allow users to update other
    attributes of a port don't send port_security_enabled attribute
    to neutron unless it changes.

    If user tries to change port security on a port in a network not
    owned by them it will still error as it does now.

    Partial-Bug: #1841050

    Change-Id: I301336103cabc3f1cab3ee72d7743385ff1a10d6
    (cherry picked from commit d059b0bc40f04befc60657cd6504cc5711934b90)

tags: added: in-stable-xena
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on horizon (master)

Change abandoned by "Radomir Dopieralski <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/horizon/+/810224
Reason: This has been fixed by https://review.opendev.org/c/openstack/horizon/+/859155

Revision history for this message
Satoshi Yazawa (yacchin1205a) wrote :

The change https://review.opendev.org/c/openstack/horizon/+/859155 already applied seems to solve this problem only when updating the port and this may still occur for port creation, because this change is only for the UpdatePort class and not for the CreatePort class.
(The author sorrison themself mentions it in comment 6.)

We have confirmed that applying the abandoned change https://review.opendev.org/c/openstack/horizon/+/810224 resolves the case of port creation as well, so we believe that this change should be applied too.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.