Merge pull request #280 from stackhpc/upstream/2026.1-2026-05-25

mnasiadka · web-flow · commit 84e36e551239 · 2026-05-26T19:38:36.000+02:00
Synchronise 2026.1 with upstream
diff --git a/neutron/conf/policies/floatingip.py b/neutron/conf/policies/floatingip.py
@@ -170,7 +170,7 @@
             deprecated_since=versionutils.deprecated.WALLABY)
     ),
     policy.DocumentedRuleDefault(
-        name='delete_floatingips:tags',
+        name='delete_floatingip:tags',
         check_str=base.ADMIN_OR_PROJECT_MEMBER,
         description='Delete the floating IP tags',
         operations=ACTION_DELETE_TAGS,
diff --git a/neutron/extensions/tagging.py b/neutron/extensions/tagging.py
@@ -197,8 +197,10 @@ def index(self, request, **kwargs):
         # GET /v2.0/{obj_resource}/{obj_resource_id}/tags
         ctx = request.context
         rinfo = self._get_resource_info(ctx, kwargs)
-        policy.enforce(ctx, f'get_{rinfo.obj_type}_{TAGS}',
-                       rinfo.obj)
+        policy.enforce(
+            ctx,
+            self._get_policy_action("get", rinfo.obj_type),
+            rinfo.obj)
         return self.plugin.get_tags(ctx, rinfo.obj_type, rinfo.obj['id'])
 
     def show(self, request, id, **kwargs):
@@ -207,8 +209,10 @@ def show(self, request, id, **kwargs):
         validate_tag(id)
         ctx = request.context
         rinfo = self._get_resource_info(ctx, kwargs)
-        policy.enforce(ctx, f'get_{rinfo.obj_type}:{TAGS}',
-                       rinfo.obj)
+        policy.enforce(
+            ctx,
+            self._get_policy_action("get", rinfo.obj_type),
+            rinfo.obj)
         return self.plugin.get_tag(ctx, rinfo.obj_type, rinfo.obj['id'], id)
 
     def create(self, request, body, **kwargs):
@@ -217,8 +221,10 @@ def create(self, request, body, **kwargs):
         validate_tags(body)
         ctx = request.context
         rinfo = self._get_resource_info(ctx, kwargs, tags=body[TAGS])
-        policy.enforce(ctx, f'create_{rinfo.obj_type}:{TAGS}',
-                       rinfo.obj)
+        policy.enforce(
+            ctx,
+            self._get_policy_action("create", rinfo.obj_type),
+            rinfo.obj)
         validate_tags_limit(rinfo.obj_type, body['tags'])
         notify_tag_action(ctx, 'create.start', rinfo.obj_type,
                           rinfo.obj['id'], body['tags'])
@@ -234,8 +240,10 @@ def update(self, request, id, **kwargs):
         validate_tag(id)
         ctx = request.context
         rinfo = self._get_resource_info(ctx, kwargs, tags=[id])
-        policy.enforce(ctx, f'update_{rinfo.obj_type}:{TAGS}',
-                       rinfo.obj)
+        policy.enforce(
+            ctx,
+            self._get_policy_action("update", rinfo.obj_type),
+            rinfo.obj)
         current_tags = self.plugin.get_tags(
             ctx, rinfo.obj_type, rinfo.obj['id'])['tags']
         new_tags = current_tags + [id]
diff --git a/neutron/services/ovn_l3/plugin.py b/neutron/services/ovn_l3/plugin.py
@@ -36,6 +36,7 @@
 
 from neutron._i18n import _
 from neutron.api.rpc.agentnotifiers import utils as notifier_utils
+from neutron.api import wsgi
 from neutron.common.ovn import constants as ovn_const
 from neutron.common.ovn import extensions
 from neutron.common.ovn import utils
@@ -185,11 +186,15 @@ def _post_fork_initialize(self, resource, event, trigger, payload=None):
         if not self._nb_ovn or not self._sb_ovn:
             raise ovn_l3_exc.MechanismDriverOVNNotReady()
 
-        # Register needed events.
-        self._nb_ovn.idl.notify_handler.watch_events([
-            ovsdb_monitor.LogicalRouterPortEvent(self),
-            ovsdb_monitor.LogicalRouterPortGatewayChassisEvent(self),
-        ])
+        # Register needed events, only for the Neutron API workers.
+        # TODO(ralonsoh): once [1] is released and required in Neutron, it
+        # won't be needed the ``get_method_class`` method.
+        # [1] https://review.opendev.org/c/openstack/neutron-lib/+/988563
+        if utils.get_method_class(trigger) == wsgi.WorkerService:
+            self._nb_ovn.idl.notify_handler.watch_events([
+                ovsdb_monitor.LogicalRouterPortEvent(self),
+                ovsdb_monitor.LogicalRouterPortGatewayChassisEvent(self),
+            ])
 
     def _add_neutron_router_interface(self, context, router_id,
                                       interface_info):
diff --git a/neutron/tests/functional/services/ovn_l3/test_ovsdb_monitor.py b/neutron/tests/functional/services/ovn_l3/test_ovsdb_monitor.py
@@ -18,6 +18,7 @@
 from neutron_lib.plugins import constants as plugin_constants
 from neutron_lib.plugins import directory
 
+from neutron.api import wsgi
 from neutron.common.ovn import utils as ovn_utils
 from neutron.common import utils as n_utils
 from neutron.services.bgp import constants as bgp_constants
@@ -34,7 +35,8 @@ def setUp(self, **kwargs):
         super().setUp(**kwargs)
         self.chassis = self.add_fake_chassis('ovs-host1')
         self.l3_plugin = directory.get_plugin(plugin_constants.L3)
-        self.l3_plugin._post_fork_initialize(mock.ANY, mock.ANY, mock.ANY)
+        self.l3_plugin._post_fork_initialize(
+            mock.ANY, mock.ANY, wsgi.WorkerService)
         self.ext_api = test_extensions.setup_extensions_middleware(
             test_l3.L3TestExtensionManager())
         kwargs = {'arg_list': (external_net.EXTERNAL,),
@@ -201,7 +203,8 @@ def setUp(self, **kwargs):
         super().setUp(**kwargs)
         self.chassis = self.add_fake_chassis('ovs-host1')
         self.l3_plugin = directory.get_plugin(plugin_constants.L3)
-        self.l3_plugin._post_fork_initialize(mock.ANY, mock.ANY, mock.ANY)
+        self.l3_plugin._post_fork_initialize(
+            mock.ANY, mock.ANY, wsgi.WorkerService)
         self.ext_api = test_extensions.setup_extensions_middleware(
             test_l3.L3TestExtensionManager())
         kwargs = {'arg_list': (external_net.EXTERNAL,),
diff --git a/neutron/tests/unit/extensions/test_tagging.py b/neutron/tests/unit/extensions/test_tagging.py
@@ -24,6 +24,7 @@
 from neutron_lib.utils import net as net_utils
 from oslo_utils import uuidutils
 
+from neutron.conf import policies as conf_policies
 from neutron.extensions import tagging
 from neutron.objects import network as network_obj
 from neutron.objects import network_segment_range as network_segment_range_obj
@@ -87,6 +88,22 @@ def test_all_ovo_cls_have_a_reference(self):
         ovo_resources = set(tagging.OVO_CLS.keys())
         self.assertEqual(tc_supported_resources, ovo_resources)
 
+    def test__get_policy_action_all_resources_and_actions(self):
+        registered_rules = {rule.name for rule in conf_policies.list_rules()}
+        actions = ('get', 'create', 'update', 'delete')
+        for collection, member in self.tc.supported_resources.items():
+            for action in actions:
+                expected = f'{action}_{member}:tags'
+                result = self.tc._get_policy_action(action, collection)
+                self.assertEqual(
+                    expected, result,
+                    f'_get_policy_action("{action}", "{collection}") '
+                    f'returned "{result}" instead of "{expected}"')
+                self.assertIn(
+                    result, registered_rules,
+                    f'Policy rule "{result}" is not registered in '
+                    f'neutron.conf.policies')
+
     def _check_resource_info(self, obj, obj_type):
         id_key = self.tc.supported_resources[obj_type] + '_id'
         res = self.tc._get_resource_info(self.ctx, {id_key: obj['id']})
diff --git a/releasenotes/notes/fix-tagging-policy-action-names-a59e17308f214600.yaml b/releasenotes/notes/fix-tagging-policy-action-names-a59e17308f214600.yaml
@@ -0,0 +1,18 @@
+---
+security:
+  - |
+    Fixed a security issue where the tagging controller's single-tag write
+    endpoints (``POST /v2.0/{resource}/{id}/tags`` and
+    ``PUT /v2.0/{resource}/{id}/tags/{tag}``) enforced policy action names
+    using the plural collection key (e.g. ``create_networks:tags``) instead
+    of the singular member name (e.g. ``create_network:tags``). Because the
+    plural names did not match any registered policy rule, they fell through
+    to oslo.policy's default rule, allowing project readers to create and
+    update tags on same-project resources.
+    All tag-write endpoints now consistently use the singular policy action
+    names that match the registered rules.
+fixes:
+  - |
+    Fixed the ``delete_floatingips:tags`` policy rule name to use the correct
+    singular form ``delete_floatingip:tags``, consistent with all other
+    tag-related policy rules.
diff --git a/releasenotes/notes/ovnl3routerplugin-register-events-api-workers-4444a36464c3390b.yaml b/releasenotes/notes/ovnl3routerplugin-register-events-api-workers-4444a36464c3390b.yaml
@@ -0,0 +1,9 @@
+---
+fixes:
+  - |
+    The ``OVNL3RouterPlugin`` now registers OVN OVSDB events
+    (``LogicalRouterPortEvent`` and ``RouterHAChassisGroupEvent``) only in
+    Neutron API workers (``WorkerService`` instances). Previously these events
+    were registered by every worker type that called
+    ``_post_fork_initialize``, which could lead to unexpected event processing
+    in maintenance or other non-API workers.
