Proposal for Changing index request project_id filter

Bug #2073871 reported by Dongmin Kim
This bug affects 1 person
Affects: octavia
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

From the past to today, it seems that Octavia has a different project_id filter process than other OpenStack services (Nova, Cinder, etc.).
According to the documentation at https://docs.openstack.org/octavia/latest/configuration/policy.html, I believe that the get_read-global action in Octavia is the same function as the get_all_tenants action in Nova and has the same RBAC rule.
However, the implementation of the List API is different from Nova.

First, Octavia is calling the filter calculation method from a single list API entry point.
(https://github.com/openstack/octavia/blob/master/octavia/api/v2/controllers/load_balancer.py#L86)
Next, if the RBAC_GET_ALL_GLOBAL rule is allowed, no project_id filter is added for the current context.
(https://github.com/openstack/octavia/blob/master/octavia/api/v2/controllers/base.py#L226-L228)
Alternatively, RBAC_GET_ALL_GLOBAL rules must be disallowed, but check for the presence of RBAC_GET_ALL rules by referencing the project_id of the context.
(https://github.com/openstack/octavia/blob/master/octavia/api/v2/controllers/base.py#L230-L240)

I consider the all_global action of admin to be optionally supported, and I think there should be a functional delimiter of “all_tenants” similar to Nova. What do you think?
I'm not comfortable with contexts with admin roles causing mistakes or only looking at the context's project loadbalancer.

I think it would be fun to do a feature together if you don't mind.

Dongmin Kim (min-rani)
description: updated
summary: - Proposal for Changing index request project filter
+ Proposal for Changing index request project_id filter
description: updated
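
Added example, not part of the original report and not Octavia's code: a simplified Python model of the filter decision the report describes, next to the explicit opt-in variant it proposes. The Context class, the all_tenants argument, the rule strings and the sample rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Placeholder rule identifiers named after the constants cited in the report.
RBAC_GET_ALL = "RBAC_GET_ALL"
RBAC_GET_ALL_GLOBAL = "RBAC_GET_ALL_GLOBAL"

class Forbidden(Exception):
    """The caller's policy does not grant the rule needed for this listing."""

@dataclass(frozen=True)
class Context:              # hypothetical stand-in for the request context
    project_id: str
    allowed: frozenset      # rules the policy grants this caller

def implicit_filter(ctx):
    """Behaviour as described in the report: the global rule alone widens scope."""
    if RBAC_GET_ALL_GLOBAL in ctx.allowed:
        return {}                                  # no project_id filter added
    if RBAC_GET_ALL not in ctx.allowed:
        raise Forbidden(RBAC_GET_ALL)
    return {"project_id": ctx.project_id}

def explicit_filter(ctx, all_tenants=False):
    """Proposed variant: cross-project scope only when the request asks for it."""
    if all_tenants:
        if RBAC_GET_ALL_GLOBAL not in ctx.allowed:
            raise Forbidden(RBAC_GET_ALL_GLOBAL)   # asked for it, not permitted
        return {}
    if not ctx.allowed & {RBAC_GET_ALL, RBAC_GET_ALL_GLOBAL}:
        raise Forbidden(RBAC_GET_ALL)
    return {"project_id": ctx.project_id}          # default: caller's own project

def list_lbs(rows, filt):
    """Apply the computed filter to the rows, as the list query would."""
    return [r["name"] for r in rows if all(r[k] == v for k, v in filt.items())]

# Constructed sample data.
ROWS = [
    {"name": "lb-a1", "project_id": "proj-a"},
    {"name": "lb-b1", "project_id": "proj-b"},
    {"name": "lb-b2", "project_id": "proj-b"},
]
ADMIN = Context("proj-a", frozenset({RBAC_GET_ALL, RBAC_GET_ALL_GLOBAL}))
MEMBER = Context("proj-b", frozenset({RBAC_GET_ALL}))

if __name__ == "__main__":
    print("implicit, admin:      ", list_lbs(ROWS, implicit_filter(ADMIN)))
    print("explicit, admin:      ", list_lbs(ROWS, explicit_filter(ADMIN)))
    print("explicit, all_tenants:", list_lbs(ROWS, explicit_filter(ADMIN, True)))
```

In the implicit model the scope of the result depends only on the caller's role, so the same request returns different projects' data for different callers; in the explicit model the cross-project listing is visible in the request itself, which also makes it easy to log and audit.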