Admin user can do anything without the control of policy.json

Bug #1895933 reported by changzhi
This bug affects 1 person
Affects    Status     Importance  Assigned to  Milestone
neutron    Confirmed  Medium      Unassigned

Bug Description

I create some neutron policies in the file /etc/neutron/policy.json. In this policy file, I don't want anyone to create address scopes, so I set "create_address_scope": "!".

After that, I execute the command "openstack address scope create a test" as the admin user and it works fine.

This is not what I expected.

After some investigation, I find that in this PR [1], it will return True directly even for the admin user.

Is this a bug? Or is there some special design consideration in the Neutron policy?

Thanks

1. https://review.opendev.org/#/c/175238/11/neutron/policy.py

Tags: api
changzhi (changzhi1990)
description: updated
Hongbin Lu (hongbin.lu)
Changed in neutron:
status: New → Confirmed
importance: Undecided → Medium
Hongbin Lu (hongbin.lu) wrote :

Sounds like a similar issue reported by: https://bugs.launchpad.net/neutron/+bug/1784259 .

Yes, right now, admin users are not bound by the policy check, which is inconsistent with the "!" policy rule.

tags: added: api
changzhi (changzhi1990) wrote :

Hi, hongbin, thanks for your reply!

Could you tell me why the admin users are not bound by the policy check?

Thanks!
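
A simplified model of the behaviour discussed in this thread, added here as an example; it is not Neutron's or oslo.policy's code. The `check`, `enforce` and `rules_ignored_for_admin` helpers, the `admin_bypass` switch and the sample policy are assumptions made for illustration; only the `"create_address_scope": "!"` rule comes from the report.

```python
import json

# Constructed sample policy; only the create_address_scope rule is from the report.
SAMPLE_POLICY = json.loads("""{
  "context_is_admin": "role:admin",
  "create_address_scope": "!",
  "get_address_scope": "@",
  "update_address_scope": "rule:context_is_admin"
}""")


def check(rule, roles, rules):
    """Evaluate a small subset of the policy language: "!", "@", role:, rule:, " or "."""
    if " or " in rule:
        return any(check(part.strip(), roles, rules) for part in rule.split(" or "))
    if rule == "!":          # never allow
        return False
    if rule in ("@", ""):    # always allow
        return True
    kind, _, value = rule.partition(":")
    if kind == "role":
        return value in roles
    if kind == "rule":
        return check(rules[value], roles, rules)
    raise ValueError(f"unsupported rule: {rule!r}")


def enforce(action, roles, rules, admin_bypass):
    """Hypothetical enforcement entry point with a switchable admin short-circuit."""
    if admin_bypass and check(rules["context_is_admin"], roles, rules):
        return True  # admin context: the action's own rule is never evaluated
    return check(rules[action], roles, rules)


def rules_ignored_for_admin(rules, admin_roles=("admin",)):
    """List actions whose result for an admin changes once the bypass is removed."""
    return sorted(
        action for action in rules
        if action != "context_is_admin"
        and enforce(action, admin_roles, rules, True)
        != enforce(action, admin_roles, rules, False)
    )


if __name__ == "__main__":
    print(rules_ignored_for_admin(SAMPLE_POLICY))  # ['create_address_scope']
```

Running the audit function over a deployment's own policy file shows which restrictive rules an operator is relying on that an admin context would not be held to under the short-circuit described above.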
