SG rules from SG shared using RBAC aren't visible

Bug #1942617 reported by Slawek Kaplonski
Affects   Status      Importance   Assigned to   Milestone
neutron   Confirmed   Low          Unassigned    -

Bug Description

The RBAC mechanism allows sharing an SG with a different tenant. But when a user from such a target tenant wants to show the SG, the rules which belong to that SG will not be shown, as they aren't shared.

Such rules are filtered out by our policy mechanism in https://github.com/openstack/neutron/blob/c235232501a74b4e7bebdbe2efc16106a4d837ec/neutron/api/v2/base.py#L316

Tags: api
Slawek Kaplonski (slaweq) wrote:

I investigated that issue more and it seems that:

1. rules are visible fine when doing:

curl -g -i -X GET "http://10.120.0.30:9696/v2.0/security-groups/241128fb-e39c-47f3-8e81-b018f212b1c2"

2. rules cannot be listed when doing:

curl -g -i -X GET "http://10.120.0.30:9696/v2.0/security-group-rules?security_group_id=241128fb-e39c-47f3-8e81-b018f212b1c2"

The difference between those 2 things is that in case of 1) Neutron checks if the tenant who made the request has access to the SG object (and that is true, as the SG is shared through RBAC). In case of 2) Neutron checks if the tenant has access to each of the rules and filters them out, as the rules aren't really shared with the tenant.
They are filtered out in https://github.com/openstack/neutron/blob/master/neutron/api/v2/base.py#L313

The solution for that isn't easy for sure. The main problem is that the policy enforcer, which filters rules out of the list, isn't really aware of the RBAC mechanism, which is implemented one level above, in the Neutron DB really. So I think we would need some extra DB queries to check, for each SG rule, whether its SG is actually shared with the project that made the request or not. That may have an impact on API performance, and the question is: do we want to fix it that way, or would documenting that limitation when listing SG rules be enough?

Changed in neutron:
importance: Medium → Low
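The visibility gap described in the comment above, as an added illustration with constructed in-memory data (this is not neutron code and does not use its DB models or policy engine): a per-rule check that only looks at the rule's own project_id drops the rules of an RBAC-shared SG, while a check that resolves each rule's parent SG and tests the SG-level RBAC sharing once per distinct SG makes them visible without one extra lookup per rule. The object and RBAC shapes below are simplified assumptions.

```python
"""Constructed illustration of list-level SG rule filtering vs. an
RBAC-aware variant. Not neutron code; data models are simplified."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityGroup:
    id: str
    project_id: str


@dataclass(frozen=True)
class SecurityGroupRule:
    id: str
    security_group_id: str
    project_id: str  # rules carry the owner project of their SG


# Constructed sample: project "owner" shares SG "sg-1" with project "target"
# through an RBAC entry; SG "sg-2" is not shared with anyone.
SGS = {
    "sg-1": SecurityGroup("sg-1", "owner"),
    "sg-2": SecurityGroup("sg-2", "owner"),
}
RULES = [
    SecurityGroupRule("r-1", "sg-1", "owner"),
    SecurityGroupRule("r-2", "sg-1", "owner"),
    SecurityGroupRule("r-3", "sg-2", "owner"),
]
# (object_id, target_project) pairs, standing in for access_as_shared rows.
RBAC = {("sg-1", "target")}


def sg_visible(sg_id: str, project: str) -> bool:
    """SG-level check: the requester owns the SG or it is shared via RBAC."""
    return SGS[sg_id].project_id == project or (sg_id, project) in RBAC


def list_rules_owner_only(project: str) -> list[str]:
    """Mimics the bug: each rule is judged on its own project_id alone,
    so rules belonging to an SG shared via RBAC are filtered out."""
    return [r.id for r in RULES if r.project_id == project]


def list_rules_rbac_aware(project: str) -> list[str]:
    """Resolves the parent SG of each rule and applies the SG-level check
    once per distinct SG id, bounding the extra lookups to the number of
    SGs involved rather than the number of rules."""
    sg_ids = {r.security_group_id for r in RULES}
    visible = {sg for sg in sg_ids if sg_visible(sg, project)}
    return [r.id for r in RULES if r.security_group_id in visible]
```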