From cf54989be21e1229eae6a34af5b84c2bfc5aface Mon Sep 17 00:00:00 2001 From: yatinkarel Date: Tue, 18 Jan 2022 10:45:17 +0000 Subject: [PATCH] Enforce policy for qos_policy_id attribute Currently while updating 'qos_policy_id', authorization policies are not enforced and as a result it can be set or unset over port/network/fip by an unauthorized user. This patch fixes it by setting 'enforce_policy' to True for this attribute. Closes-Bug: #1957175 Change-Id: Ieee1ca092e572ad4696105962fbc6de675454657
---
neutron_lib/api/definitions/qos.py | 2 ++ neutron_lib/api/definitions/qos_fip.py | 1 + releasenotes/notes/bug-1957175-6b2705d4772df7de.yaml | 7 +++++++ 3 files changed, 10 insertions(+) create mode 100644 releasenotes/notes/bug-1957175-6b2705d4772df7de.yaml
diff --git a/neutron_lib/api/definitions/qos.py b/neutron_lib/api/definitions/qos.py
index 2b76990ba..64a8b30df 100644
--- a/neutron_lib/api/definitions/qos.py
+++ b/neutron_lib/api/definitions/qos.py
@@ -94,6 +94,7 @@ RESOURCE_ATTRIBUTE_MAP = {
 'allow_put': True,
 'is_visible': True,
 'default': None,
+ 'enforce_policy': True,
 'validate': {'type:uuid_or_none': None}
 }
 },
@@ -103,6 +104,7 @@ RESOURCE_ATTRIBUTE_MAP = {
 'allow_put': True,
 'is_visible': True,
 'default': None,
+ 'enforce_policy': True,
 'validate': {'type:uuid_or_none': None}
 }
 }
diff --git a/neutron_lib/api/definitions/qos_fip.py b/neutron_lib/api/definitions/qos_fip.py
index 642fef19a..57f5e85d5 100644
--- a/neutron_lib/api/definitions/qos_fip.py
+++ b/neutron_lib/api/definitions/qos_fip.py
@@ -31,6 +31,7 @@ RESOURCE_ATTRIBUTE_MAP = {
 'allow_put': True,
 'is_visible': True,
 'default': None,
+ 'enforce_policy': True,
 'validate': {'type:uuid_or_none': None}}
 }
 }
diff --git a/releasenotes/notes/bug-1957175-6b2705d4772df7de.yaml b/releasenotes/notes/bug-1957175-6b2705d4772df7de.yaml
new file mode 100644
index 000000000..4b7cd4f84
--- /dev/null
+++ b/releasenotes/notes/bug-1957175-6b2705d4772df7de.yaml
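Review bot: Nothing in this patch pins the added `'enforce_policy': True` entries (the diffstat lists only the two definition files and a release note), so a later edit to these attribute maps could drop the flag and reopen the authorization gap the commit message describes without any test failing; this applies to both hunks of qos.py and to the hunk in qos_fip.py. A unit test that asserts the flag on each qos_policy_id attribute would guard it, along the lines of `self.assertTrue(attr['enforce_policy'])` for the port, network and floating IP entries (here `attr` is a placeholder, since the attribute keys sit outside the hunks). The flag presumably only marks the attribute for policy evaluation, so it is worth confirming that the consuming service defines matching attribute-level rules for create and update on all three resources; otherwise the check may fall through to a default rule. Each enclosing RESOURCE_ATTRIBUTE_MAP dict starts and ends outside its hunk.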
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ Enforce policy for 'qos_policy_id' attribute of
+ port, network and fip so only authorized users
+ can set/unset it.
+ For more info see `bug LP#1957175 `_.