SG rules from SG shared using RBAC aren't visible
Bug #1942617 reported by Slawek Kaplonski
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| neutron | Confirmed | Low | Unassigned | |
Bug Description
The RBAC mechanism allows sharing an SG with a different tenant. But when a user from such a target tenant wants to show the SG, the rules which belong to that SG will not be shown, as they aren't shared.
Such rules are filtered out by our policy mechanism in https:/
I investigated that issue more and it seems that:
1. rules are visible fine when doing
    curl -g -i -X GET "http://10.120.0.30:9696/v2.0/security-groups/241128fb-e39c-47f3-8e81-b018f212b1c2"
2. rules can not be listed when doing
    curl -g -i -X GET "http://10.120.0.30:9696/v2.0/security-group-rules?security_group_id=241128fb-e39c-47f3-8e81-b018f212b1c2"
The difference between those 2 things is that in case 1) Neutron checks if the tenant who made the request has access to the SG object (and that is true, as the SG is shared through RBAC). In case 2) Neutron checks if the tenant has access to each of the rules and filters them out, as the rules aren't really shared with the tenant.
It is filtered out in https://github.com/openstack/neutron/blob/master/neutron/api/v2/base.py#L313
The solution for that isn't easy for sure. The main problem is that the policy enforcer, which filters out rules from the list, isn't really aware of the RBAC mechanism, which is implemented one level above, in the Neutron DB really. So I think we would need some extra DB queries to check, for each SG rule, if its SG is actually shared with the project which made the request or not. That may have an impact on API performance, and the question is: do we want to fix it that way, or would documenting that limitation when listing SG rules be enough?
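The two checks contrasted in the comment above, as an added stand-alone illustration that is not Neutron's code: the data model, the `access_as_shared` RBAC action string, the `Db` class and the function names are simplified assumptions, and the sample security groups, rules and RBAC entries are constructed. It shows why a per-rule owner check drops every rule of an RBAC-shared security group for the target project, and one RBAC-aware filter that resolves the caller's accessible SG ids once per request rather than with one query per rule.

```python
"""Constructed model of SG rule visibility with and without RBAC awareness.

Added illustration, not Neutron's own code. Assumed names: Db,
accessible_sg_ids, sg_accessible, list_rules_owner_only,
list_rules_rbac_aware and the "access_as_shared" action string.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SecurityGroup:
    id: str
    project_id: str


@dataclass(frozen=True)
class SecurityGroupRule:
    id: str
    security_group_id: str
    project_id: str  # rules belong to the project that owns the SG


@dataclass(frozen=True)
class RbacEntry:
    object_id: str       # id of the shared SG
    target_project: str  # "*" means shared with every project
    action: str = "access_as_shared"


@dataclass
class Db:
    sgs: dict = field(default_factory=dict)
    rules: list = field(default_factory=list)
    rbac: list = field(default_factory=list)

    def accessible_sg_ids(self, project_id):
        """SGs the project owns or is granted via RBAC: one lookup per request."""
        owned = {sg.id for sg in self.sgs.values() if sg.project_id == project_id}
        shared = {e.object_id for e in self.rbac
                  if e.action == "access_as_shared"
                  and e.target_project in (project_id, "*")}
        return owned | shared

    def sg_accessible(self, sg_id, project_id):
        """What the GET /security-groups/<id> path effectively checks."""
        return sg_id in self.accessible_sg_ids(project_id)


def list_rules_owner_only(db, project_id, sg_id):
    """Per-rule owner check: rules of a shared SG vanish for the target project."""
    return [r.id for r in db.rules
            if r.security_group_id == sg_id and r.project_id == project_id]


def list_rules_rbac_aware(db, project_id, sg_id):
    """Keep a rule if its SG is owned by, or RBAC-shared with, the caller."""
    visible_sgs = db.accessible_sg_ids(project_id)  # resolved once, not per rule
    return [r.id for r in db.rules
            if r.security_group_id == sg_id and r.security_group_id in visible_sgs]


# Constructed sample data: project "owner" shares sg-1 with "tenant-b" only,
# shares sg-3 with everyone, and keeps sg-2 private.
DB = Db(
    sgs={
        "sg-1": SecurityGroup("sg-1", "owner"),
        "sg-2": SecurityGroup("sg-2", "owner"),
        "sg-3": SecurityGroup("sg-3", "owner"),
    },
    rules=[
        SecurityGroupRule("r1", "sg-1", "owner"),
        SecurityGroupRule("r2", "sg-1", "owner"),
        SecurityGroupRule("r3", "sg-2", "owner"),
        SecurityGroupRule("r4", "sg-3", "owner"),
    ],
    rbac=[
        RbacEntry("sg-1", "tenant-b"),
        RbacEntry("sg-3", "*"),
    ],
)

if __name__ == "__main__":
    # tenant-b can show sg-1, yet the owner-only rule listing is empty
    print(DB.sg_accessible("sg-1", "tenant-b"))
    print(list_rules_owner_only(DB, "tenant-b", "sg-1"))
    print(list_rules_rbac_aware(DB, "tenant-b", "sg-1"))
```

The RBAC-aware variant computes the set of accessible SG ids once and then filters rules against that set, so the cost is one extra query per list request instead of one per rule; the private SG and a project with no grant still get an empty result.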