Make neutron-lib aware about system scope tokens

To implement properly new secure personas like system-reader or
system-admin we need to make neutron and neutron-lib to be aware about
system scope tokens.
Such tokens don't have is_admin set to True, but a model_query built by
such a token shouldn't filter resources on project_id, as the token doesn't
even have a project_id provided.

This patch also bumps minimum required version of some packages to be
able to use oslo_policy 3.6.2 (the same as Neutron really requires in fact)
as old lower constraint version 1.3.0 didn't had "system_scope"
attribute in Context class.
That change of oslo_policy minimum version requires also changes in some
other dependencies. But all are aligned with what is actually in Neutro
so what effectively was tested by all neutron jobs already.

Closes-Bug: #1918506
Change-Id: Ic1795045ac755e4b941791d6695c25c4f30574ef
Slawek Kaplonski
2021-03-12 09:58:56 +01:00
parent 02e070fe09
commit 90ac6aeb58
4 changed files with 74 additions and 23 deletions


@@ -27,7 +27,7 @@ imagesize==0.7.1
iso8601==0.1.11
isort==4.3.21
Jinja2==2.10
keystoneauth1==3.4.0
keystoneauth1==3.14.0
kombu==4.6.1
linecache2==1.0.0
Mako==0.4.0
@@ -42,23 +42,23 @@ os-client-config==1.28.0
os-ken==0.3.0
os-traits==0.9.0
oslo.concurrency==3.26.0
oslo.config==5.2.0
oslo.context==2.19.2
oslo.config==8.0.0
oslo.context==2.22.0
oslo.db==4.44.0
oslo.i18n==3.15.3
oslo.log==3.36.0
oslo.i18n==3.20.0
oslo.log==4.3.0
oslo.messaging==7.0.0
oslo.middleware==3.31.0
oslo.policy==1.30.0
oslo.serialization==2.18.0
oslo.policy==3.6.2
oslo.serialization==2.25.0
oslo.service==1.24.0
oslo.utils==3.33.0
oslo.utils==4.5.0
oslo.versionedobjects===1.31.2
oslotest==3.2.0
osprofiler===1.4.0
Paste==2.0.2
PasteDeploy==1.5.0
pbr==2.0.0
pbr==4.0.0
pecan===1.0.0
pika==0.10.0
pika-pool==0.1.3
@@ -67,7 +67,7 @@ Pygments==2.2.0
pyinotify==0.9.6
pylint==2.2.0
pyparsing==2.1.0
python-dateutil==2.5.3
python-dateutil==2.7.0
python-editor==1.0.3
python-mimeparse==1.6.0
python-subunit==1.0.0
@@ -75,9 +75,9 @@ pytz==2013.6
PyYAML==5.3.1
reno==3.1.0
repoze.lru==0.7
requests==2.14.2
requests==2.18.0
requestsexceptions==1.2.0
rfc3986==0.3.1
rfc3986==1.2.0
Routes==2.3.1
setproctitle==1.1.10
snowballstemmer==1.2.1


@@ -166,9 +166,11 @@ def model_query_scope_is_project(context, model):
:returns: True if the context is not admin and not advsvc and the model
has a project_id. False otherwise.
"""
# Unless a context has 'admin' or 'advanced-service' rights the
# Unless a context is a system_scope token or
# context has 'admin' or 'advanced-service' rights the
# query will be scoped to a single project_id
return ((not context.is_admin and hasattr(model, 'project_id')) and
return (context.system_scope != 'all' and
(not context.is_admin and hasattr(model, 'project_id')) and
(not context.is_advsvc and hasattr(model, 'project_id')))
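Review bot: The docstring's `:returns:` clause in the context lines at the top of the hunk still says scoping depends only on admin and advsvc, so it no longer describes the new `system_scope` condition; update it to `:returns: True if the context is not system-scoped ('all'), not admin and not advsvc, and the model has a project_id. False otherwise.` The rewritten return also keeps the pre-existing duplicate `hasattr(model, 'project_id')` on both the admin and advsvc terms; since the commit rewrites this expression anyway, it reads more clearly as `return (hasattr(model, 'project_id') and context.system_scope != 'all' and not context.is_admin and not context.is_advsvc)`. This function is the single place that decides whether a query is tenant-filtered, so it is worth noting in the comment that only the exact value `'all'` lifts project filtering, while a `system_scope` of None (which I take to be the project-scoped default) compares `!= 'all'` as True and keeps regular users scoped as before. The `def model_query_scope_is_project` line is in the hunk header and precedes the hunk.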


@@ -18,6 +18,7 @@ from sqlalchemy.ext import declarative
from sqlalchemy import orm
from neutron_lib.api import attributes
from neutron_lib import context
from neutron_lib.db import utils
from neutron_lib import exceptions as n_exc
@@ -87,3 +88,51 @@ class TestUtils(base.BaseTestCase):
}
utils.resource_fields(r, ['name'])
mock_populate.assert_called_once_with({'name': 'n'})
def test_model_query_scope_is_project_admin(self):
ctx = context.Context(project_id='some project', is_admin=True)
model = mock.Mock(project_id='project')
self.assertFalse(
utils.model_query_scope_is_project(ctx, model))
# Ensure that project_id isn't mocked
del model.project_id
self.assertFalse(
utils.model_query_scope_is_project(ctx, model))
def test_model_query_scope_is_project_advsvc(self):
ctx = context.Context(project_id='some project', is_advsvc=True)
model = mock.Mock(project_id='project')
self.assertFalse(
utils.model_query_scope_is_project(ctx, model))
# Ensure that project_id isn't mocked
del model.project_id
self.assertFalse(
utils.model_query_scope_is_project(ctx, model))
def test_model_query_scope_is_project_system_scope(self):
ctx = context.Context(system_scope='all')
model = mock.Mock(project_id='project')
self.assertFalse(
utils.model_query_scope_is_project(ctx, model))
# Ensure that project_id isn't mocked
del model.project_id
self.assertFalse(
utils.model_query_scope_is_project(ctx, model))
def test_model_query_scope_is_project_regular_user(self):
ctx = context.Context(project_id='some project')
model = mock.Mock(project_id='project')
self.assertTrue(
utils.model_query_scope_is_project(ctx, model))
# Ensure that project_id isn't mocked
del model.project_id
self.assertFalse(
utils.model_query_scope_is_project(ctx, model))
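Review bot: The four new test methods in TestUtils repeat the same six-line body and differ only in the Context they build and the first expected value, so the one True case in test_model_query_scope_is_project_regular_user is easy to misread against the three False cases; a small helper that runs both the with-project_id and without-project_id assertions would let each test state only what varies. The new tests also do not pin a context whose system_scope is set to something other than 'all' — if oslo.context accepts such values (I cannot confirm that from this hunk), a test that such a context still scopes to the project would document that only 'all' bypasses project filtering. The TestUtils class starts outside the hunk.
```python
    def _check_query_scope(self, ctx, expected):
        """Assert the scope result with, then without, a model project_id."""
        model = mock.Mock(project_id='project')
        self.assertEqual(expected,
                         utils.model_query_scope_is_project(ctx, model))
        # Ensure that project_id isn't mocked
        del model.project_id
        self.assertFalse(utils.model_query_scope_is_project(ctx, model))

    def test_model_query_scope_is_project_system_scope(self):
        self._check_query_scope(context.Context(system_scope='all'), False)

    def test_model_query_scope_is_project_regular_user(self):
        self._check_query_scope(
            context.Context(project_id='some project'), True)
    # … unchanged: admin and advsvc tests call the helper the same way …
```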


@@ -2,25 +2,25 @@
# of appearance. Changing the order has an impact on the overall integration
# process, which may cause wedges in the gate later.
pbr!=2.1.0,>=2.0.0 # Apache-2.0
pbr>=4.0.0 # Apache-2.0
SQLAlchemy>=1.2.0 # MIT
pecan!=1.0.2,!=1.0.3,!=1.0.4,!=1.2,>=1.0.0 # BSD
keystoneauth1>=3.4.0 # Apache-2.0
keystoneauth1>=3.14.0 # Apache-2.0
netaddr>=0.7.18 # BSD
stevedore>=1.20.0 # Apache-2.0
os-ken >= 0.3.0 # Apache-2.0
oslo.concurrency>=3.26.0 # Apache-2.0
oslo.config>=5.2.0 # Apache-2.0
oslo.context>=2.19.2 # Apache-2.0
oslo.config>=8.0.0 # Apache-2.0
oslo.context>=2.22.0 # Apache-2.0
oslo.db>=4.44.0 # Apache-2.0
oslo.i18n>=3.15.3 # Apache-2.0
oslo.log>=3.36.0 # Apache-2.0
oslo.i18n>=3.20.0 # Apache-2.0
oslo.log>=4.3.0 # Apache-2.0
oslo.messaging>=7.0.0 # Apache-2.0
oslo.policy>=1.30.0 # Apache-2.0
oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
oslo.policy>=3.6.2 # Apache-2.0
oslo.serialization>=2.25.0 # Apache-2.0
oslo.service!=1.28.1,>=1.24.0 # Apache-2.0
oslo.utils>=3.33.0 # Apache-2.0
oslo.utils>=4.5.0 # Apache-2.0
oslo.versionedobjects>=1.31.2 # Apache-2.0
osprofiler>=1.4.0 # Apache-2.0
setproctitle>=1.1.10 # BSD