
Commit cde40ac

ralonsohAlex-Welsh
authored and committed
Fix port RBAC policies to require network ownership
Several default port policies that require network ownership incorrectly included PROJECT_MANAGER. That rule checks the port project_id, not network ownership, so any project manager could perform those actions on shared/RBAC networks where they do not own the network. Remove PROJECT_MANAGER from the affected create/update port policies and rely on NET_OWNER_MEMBER or ADMIN_OR_NET_OWNER_MEMBER instead. Project managers who own the network remain authorized through the default Keystone role implication chain (manager implies member). Closes-Bug: #2152115 Assisted-By: Claude Composer 2.5 Signed-off-by: Rodolfo Alonso Hernandez <ralonsoh@redhat.com> Change-Id: I4e258d28cdf72adcc13fc9d03749256c65881c45 (cherry picked from commit d0f61db)
1 parent b6e3e68 commit cde40ac

4 files changed

Lines changed: 137 additions & 483 deletions


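--- a/neutron/conf/policies/base.py
+++ b/neutron/conf/policies/base.py
@@ -76,6 +76,7 @@
 # related to the "network owner" and network isn't really parent of the subnet
 # or port. Because of that, using parent owner in those cases may be
 # missleading for users so it's better to keep also "network owner" rules.
+NET_OWNER_MANAGER = 'role:manager and ' + RULE_NET_OWNER
 NET_OWNER_MEMBER = 'role:member and ' + RULE_NET_OWNER
 NET_OWNER_READER = 'role:reader and ' + RULE_NET_OWNER
 ADMIN_OR_NET_OWNER_MEMBER = (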
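Review bot: NET_OWNER_MANAGER at new line 79 is introduced beside the existing member and reader variants without a comment, and the only use of it visible in this commit is update_port:mac_address in port.py, so a reader of base.py cannot tell why a manager-level network-owner rule is needed when the commit description says the manager role already implies member. Suggest a one-line comment above it: `# Manager-only variant of the network-owner rule, for attributes that network-owner members must not change (e.g. updating a port's mac_address).` The assignment to ADMIN_OR_NET_OWNER_MEMBER on the last context line continues outside the hunk, so I cannot confirm whether an ADMIN_OR_NET_OWNER_MANAGER counterpart is expected there.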

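--- a/neutron/conf/policies/port.py
+++ b/neutron/conf/policies/port.py
@@ -100,7 +100,6 @@
 check_str=neutron_policy.policy_or(
 'not rule:network_device',
 base.ADMIN_OR_SERVICE,
-base.PROJECT_MANAGER,
 base.NET_OWNER_MEMBER
 ),
 scope_types=['project'],
@@ -119,7 +118,6 @@
 name='create_port:mac_address',
 check_str=neutron_policy.policy_or(
 base.ADMIN_OR_SERVICE,
-base.PROJECT_MANAGER,
 base.NET_OWNER_MEMBER),
 scope_types=['project'],
 description='Specify ``mac_address`` attribute when creating a port',
@@ -136,7 +134,6 @@
 name='create_port:fixed_ips',
 check_str=neutron_policy.policy_or(
 base.ADMIN_OR_SERVICE,
-base.PROJECT_MANAGER,
 base.NET_OWNER_MEMBER,
 'rule:shared'),
 scope_types=['project'],
@@ -155,7 +152,6 @@
 name='create_port:fixed_ips:ip_address',
 check_str=neutron_policy.policy_or(
 base.ADMIN_OR_SERVICE,
-base.PROJECT_MANAGER,
 base.NET_OWNER_MEMBER),
 scope_types=['project'],
 description='Specify IP address in ``fixed_ips`` when creating a port',
@@ -172,7 +168,6 @@
 name='create_port:fixed_ips:subnet_id',
 check_str=neutron_policy.policy_or(
 base.ADMIN_OR_SERVICE,
-base.PROJECT_MANAGER,
 base.NET_OWNER_MEMBER,
 'rule:shared'),
 scope_types=['project'],
@@ -191,7 +186,6 @@
 name='create_port:port_security_enabled',
 check_str=neutron_policy.policy_or(
 base.ADMIN_OR_SERVICE,
-base.PROJECT_MANAGER,
 base.NET_OWNER_MEMBER),
 scope_types=['project'],
 description=(
@@ -258,7 +252,6 @@
 name='create_port:allowed_address_pairs',
 check_str=neutron_policy.policy_or(
 base.ADMIN_OR_NET_OWNER_MEMBER,
-base.PROJECT_MANAGER,
 base.SERVICE),
 scope_types=['project'],
 description=(
@@ -276,7 +269,6 @@
 name='create_port:allowed_address_pairs:mac_address',
 check_str=neutron_policy.policy_or(
 base.ADMIN_OR_NET_OWNER_MEMBER,
-base.PROJECT_MANAGER,
 base.SERVICE),
 scope_types=['project'],
 description=(
@@ -294,7 +286,6 @@
 name='create_port:allowed_address_pairs:ip_address',
 check_str=neutron_policy.policy_or(
 base.ADMIN_OR_NET_OWNER_MEMBER,
-base.PROJECT_MANAGER,
 base.SERVICE),
 scope_types=['project'],
 description=(
@@ -496,7 +487,6 @@
 check_str=neutron_policy.policy_or(
 'not rule:network_device',
 base.ADMIN_OR_SERVICE,
-base.PROJECT_MANAGER,
 base.NET_OWNER_MEMBER,
 ),
 scope_types=['project'],
@@ -515,7 +505,7 @@
 name='update_port:mac_address',
 check_str=neutron_policy.policy_or(
 base.ADMIN_OR_SERVICE,
-base.PROJECT_MANAGER
+base.NET_OWNER_MANAGER,
 ),
 scope_types=['project'],
 description='Update ``mac_address`` attribute of a port',
@@ -532,7 +522,6 @@
 name='update_port:fixed_ips',
 check_str=neutron_policy.policy_or(
 base.ADMIN_OR_SERVICE,
-base.PROJECT_MANAGER,
 base.NET_OWNER_MEMBER
 ),
 scope_types=['project'],
@@ -550,7 +539,6 @@
 name='update_port:fixed_ips:ip_address',
 check_str=neutron_policy.policy_or(
 base.ADMIN_OR_SERVICE,
-base.PROJECT_MANAGER,
 base.NET_OWNER_MEMBER
 ),
 scope_types=['project'],
@@ -571,7 +559,6 @@
 name='update_port:fixed_ips:subnet_id',
 check_str=neutron_policy.policy_or(
 base.ADMIN_OR_SERVICE,
-base.PROJECT_MANAGER,
 base.NET_OWNER_MEMBER,
 'rule:shared'
 ),
@@ -594,7 +581,6 @@
 name='update_port:port_security_enabled',
 check_str=neutron_policy.policy_or(
 base.ADMIN_OR_SERVICE,
-base.PROJECT_MANAGER,
 base.NET_OWNER_MEMBER
 ),
 scope_types=['project'],
@@ -653,7 +639,6 @@
 name='update_port:allowed_address_pairs',
 check_str=neutron_policy.policy_or(
 base.ADMIN_OR_NET_OWNER_MEMBER,
-base.PROJECT_MANAGER,
 base.SERVICE),
 scope_types=['project'],
 description='Update ``allowed_address_pairs`` attribute of a port',
@@ -668,7 +653,6 @@
 name='update_port:allowed_address_pairs:mac_address',
 check_str=neutron_policy.policy_or(
 base.ADMIN_OR_NET_OWNER_MEMBER,
-base.PROJECT_MANAGER,
 base.SERVICE),
 scope_types=['project'],
 description=(
@@ -686,7 +670,6 @@
 name='update_port:allowed_address_pairs:ip_address',
 check_str=neutron_policy.policy_or(
 base.ADMIN_OR_NET_OWNER_MEMBER,
-base.PROJECT_MANAGER,
 base.SERVICE),
 scope_types=['project'],
 description=(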
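Review bot: In the update_port:mac_address hunk (old line 518 replaced by new line 508) the rule becomes NET_OWNER_MANAGER, while create_port:mac_address two hunks earlier (new line 121) keeps NET_OWNER_MEMBER, so a member who owns the network may set a MAC at creation but not change it afterwards, and nothing in the hunk records that this asymmetry is intentional; it presumably is, since the pre-change rule also omitted NET_OWNER_MEMBER. Suggest a comment above that check_str: `# Changing a MAC after creation is limited to managers of the network-owning project; create_port:mac_address deliberately also allows network-owner members.` Each DocumentedRuleDefault entry starts and ends outside its hunk, so I cannot see whether a deprecated_rule entry or release note accompanies the tightening; if none does, operators whose policy overrides relied on PROJECT_MANAGER for these create/update rules receive no signal that the default has narrowed.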
