Merge pull request #281 from stackhpc/upstream/2025.1-2026-05-25

mnasiadka · web-flow · commit c3260bfaa3ab · 2026-05-29T13:16:28.000+02:00
Synchronise 2025.1 with upstream
diff --git a/neutron/conf/policies/floatingip.py b/neutron/conf/policies/floatingip.py
@@ -170,7 +170,7 @@
             deprecated_since=versionutils.deprecated.WALLABY)
     ),
     policy.DocumentedRuleDefault(
-        name='delete_floatingips:tags',
+        name='delete_floatingip:tags',
         check_str=base.ADMIN_OR_PROJECT_MEMBER,
         description='Delete the floating IP tags',
         operations=ACTION_DELETE_TAGS,
diff --git a/neutron/extensions/tagging.py b/neutron/extensions/tagging.py
@@ -197,8 +197,10 @@ def index(self, request, **kwargs):
         # GET /v2.0/{obj_resource}/{obj_resource_id}/tags
         ctx = request.context
         rinfo = self._get_resource_info(ctx, kwargs)
-        policy.enforce(ctx, 'get_{}_{}'.format(rinfo.obj_type, TAGS),
-                       rinfo.obj)
+        policy.enforce(
+            ctx,
+            self._get_policy_action("get", rinfo.obj_type),
+            rinfo.obj)
         return self.plugin.get_tags(ctx, rinfo.obj_type, rinfo.obj['id'])
 
     def show(self, request, id, **kwargs):
@@ -207,8 +209,10 @@ def show(self, request, id, **kwargs):
         validate_tag(id)
         ctx = request.context
         rinfo = self._get_resource_info(ctx, kwargs)
-        policy.enforce(ctx, 'get_{}:{}'.format(rinfo.obj_type, TAGS),
-                       rinfo.obj)
+        policy.enforce(
+            ctx,
+            self._get_policy_action("get", rinfo.obj_type),
+            rinfo.obj)
         return self.plugin.get_tag(ctx, rinfo.obj_type, rinfo.obj['id'], id)
 
     def create(self, request, body, **kwargs):
@@ -217,8 +221,10 @@ def create(self, request, body, **kwargs):
         validate_tags(body)
         ctx = request.context
         rinfo = self._get_resource_info(ctx, kwargs, tags=body[TAGS])
-        policy.enforce(ctx, 'create_{}:{}'.format(rinfo.obj_type, TAGS),
-                       rinfo.obj)
+        policy.enforce(
+            ctx,
+            self._get_policy_action("create", rinfo.obj_type),
+            rinfo.obj)
         validate_tags_limit(rinfo.obj_type, body['tags'])
         notify_tag_action(ctx, 'create.start', rinfo.obj_type,
                           rinfo.obj['id'], body['tags'])
@@ -234,8 +240,10 @@ def update(self, request, id, **kwargs):
         validate_tag(id)
         ctx = request.context
         rinfo = self._get_resource_info(ctx, kwargs, tags=[id])
-        policy.enforce(ctx, 'update_{}:{}'.format(rinfo.obj_type, TAGS),
-                       rinfo.obj)
+        policy.enforce(
+            ctx,
+            self._get_policy_action("update", rinfo.obj_type),
+            rinfo.obj)
         current_tags = self.plugin.get_tags(
             ctx, rinfo.obj_type, rinfo.obj['id'])['tags']
         new_tags = current_tags + [id]
diff --git a/neutron/tests/unit/extensions/test_tagging.py b/neutron/tests/unit/extensions/test_tagging.py
@@ -24,6 +24,7 @@
 from neutron_lib.utils import net as net_utils
 from oslo_utils import uuidutils
 
+from neutron.conf import policies as conf_policies
 from neutron.extensions import tagging
 from neutron.objects import network as network_obj
 from neutron.objects import network_segment_range as network_segment_range_obj
@@ -87,6 +88,22 @@ def test_all_ovo_cls_have_a_reference(self):
         ovo_resources = set(tagging.OVO_CLS.keys())
         self.assertEqual(tc_supported_resources, ovo_resources)
 
+    def test__get_policy_action_all_resources_and_actions(self):
+        registered_rules = {rule.name for rule in conf_policies.list_rules()}
+        actions = ('get', 'create', 'update', 'delete')
+        for collection, member in self.tc.supported_resources.items():
+            for action in actions:
+                expected = f'{action}_{member}:tags'
+                result = self.tc._get_policy_action(action, collection)
+                self.assertEqual(
+                    expected, result,
+                    f'_get_policy_action("{action}", "{collection}") '
+                    f'returned "{result}" instead of "{expected}"')
+                self.assertIn(
+                    result, registered_rules,
+                    f'Policy rule "{result}" is not registered in '
+                    f'neutron.conf.policies')
+
     def _check_resource_info(self, obj, obj_type):
         id_key = self.tc.supported_resources[obj_type] + '_id'
         res = self.tc._get_resource_info(self.ctx, {id_key: obj['id']})
diff --git a/releasenotes/notes/fix-tagging-policy-action-names-a59e17308f214600.yaml b/releasenotes/notes/fix-tagging-policy-action-names-a59e17308f214600.yaml
@@ -0,0 +1,18 @@
+---
+security:
+  - |
+    Fixed a security issue where the tagging controller's single-tag write
+    endpoints (``POST /v2.0/{resource}/{id}/tags`` and
+    ``PUT /v2.0/{resource}/{id}/tags/{tag}``) enforced policy action names
+    using the plural collection key (e.g. ``create_networks:tags``) instead
+    of the singular member name (e.g. ``create_network:tags``). Because the
+    plural names did not match any registered policy rule, they fell through
+    to oslo.policy's default rule, allowing project readers to create and
+    update tags on same-project resources.
+    All tag-write endpoints now consistently use the singular policy action
+    names that match the registered rules.
+fixes:
+  - |
+    Fixed the ``delete_floatingips:tags`` policy rule name to use the correct
+    singular form ``delete_floatingip:tags``, consistent with all other
+    tag-related policy rules.
diff --git a/zuul.d/grenade.yaml b/zuul.d/grenade.yaml
@@ -47,6 +47,7 @@
           Q_ML2_TENANT_NETWORK_TYPE: vxlan
           Q_ML2_PLUGIN_MECHANISM_DRIVERS: openvswitch
           NEUTRON_DEPLOY_MOD_WSGI: True
+          TEMPEST_VENV_UPPER_CONSTRAINTS: '/opt/stack/old/requirements/upper-constraints.txt'
       devstack_services:
         etcd: false
         br-ex-tcpdump: true
@@ -128,6 +129,7 @@
           Q_ML2_TENANT_NETWORK_TYPE: vxlan
           Q_ML2_PLUGIN_MECHANISM_DRIVERS: openvswitch
           NEUTRON_DEPLOY_MOD_WSGI: True
+          TEMPEST_VENV_UPPER_CONSTRAINTS: '/opt/stack/old/requirements/upper-constraints.txt'
       devstack_services:
         etcd: false
         br-ex-tcpdump: true
@@ -305,6 +307,7 @@
           OVN_DBS_LOG_LEVEL: dbg
           OVN_IGMP_SNOOPING_ENABLE: True
           NEUTRON_DEPLOY_MOD_WSGI: True
+          TEMPEST_VENV_UPPER_CONSTRAINTS: '/opt/stack/old/requirements/upper-constraints.txt'
       devstack_plugins:
         neutron: https://opendev.org/openstack/neutron
         neutron-tempest-plugin: https://opendev.org/openstack/neutron-tempest-plugin
@@ -413,6 +416,7 @@
       grenade_devstack_localrc:
         shared:
           NEUTRON_DEPLOY_MOD_WSGI: False
+          TEMPEST_VENV_UPPER_CONSTRAINTS: '/opt/stack/old/requirements/upper-constraints.txt'
       devstack_services:
         # Neutron services
         q-svc: true
@@ -439,6 +443,7 @@
       grenade_devstack_localrc:
         shared:
           NEUTRON_DEPLOY_MOD_WSGI: False
+          TEMPEST_VENV_UPPER_CONSTRAINTS: '/opt/stack/old/requirements/upper-constraints.txt'
       devstack_services:
         q-svc: true
         neutron-api: false
diff --git a/zuul.d/tempest-multinode.yaml b/zuul.d/tempest-multinode.yaml
@@ -90,6 +90,7 @@
         Q_ML2_PLUGIN_MECHANISM_DRIVERS: openvswitch
         Q_AGENT: openvswitch
         NEUTRON_DEPLOY_MOD_WSGI: true
+        TEMPEST_VENV_UPPER_CONSTRAINTS: '/opt/stack/requirements/upper-constraints.txt'
       devstack_services:
         br-ex-tcpdump: true
         br-int-flows: true
