Enforce policy for qos_policy_id attribute

Currently while updating 'qos_policy_id', authorization policies are not enforced and as a result it can be set or unset over port/network/fip by an unauthorized user. This patch fixes it by setting 'enforce_policy' to True for this attribute. Closes-Bug: #1957175 Change-Id: Ieee1ca092e572ad4696105962fbc6de675454657 (cherry picked from commit cf54989be2) Conflicts: neutron_lib/api/definitions/qos_fip.py (cherry picked from commit f7c009ba24)
2022-01-18 10:45:17 +00:00 · 2022-01-18 10:45:17 +00:00 · 6bbae46890
commit 6bbae46890
parent 20c0cd6b49
2 changed files with 9 additions and 0 deletions
--- a/neutron_lib/api/definitions/qos.py
+++ b/neutron_lib/api/definitions/qos.py
@ -94,6 +94,7 @@ RESOURCE_ATTRIBUTE_MAP = {
            'allow_put': True,
            'is_visible': True,
            'default': None,
+            'enforce_policy': True,
            'validate': {'type:uuid_or_none': None}
        }
    },
@ -103,6 +104,7 @@ RESOURCE_ATTRIBUTE_MAP = {
            'allow_put': True,
            'is_visible': True,
            'default': None,
+            'enforce_policy': True,
            'validate': {'type:uuid_or_none': None}
        }
    }
--- a/releasenotes/notes/bug-1957175-6b2705d4772df7de.yaml
+++ b/releasenotes/notes/bug-1957175-6b2705d4772df7de.yaml
@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Enforce policy for 'qos_policy_id' attribute of
+    port, network and fip so only authorized users
+    can set/unset it.
+    For more info see `bug LP#1957175 <https://bugs.launchpad.net/bugs/1957175>`_.