Browse Source

Merge "List SG rules which belongs to tenant's SG" into stable/queens

changes/76/708576/1
Zuul 4 months ago
committed by Gerrit Code Review
parent
commit
1bad551949
5 changed files with 26 additions and 5 deletions
  1. +3
    -1
      etc/policy.json
  2. +2
    -1
      neutron/api/v2/attributes.py
  3. +12
    -2
      neutron/db/securitygroups_db.py
  4. +3
    -1
      neutron/tests/etc/policy.json
  5. +6
    -0
      releasenotes/notes/show-all-security-group-rules-for-security-group-owner-6635dd3e4c6ab5ee.yaml

+ 3
- 1
etc/policy.json View File

@@ -13,6 +13,8 @@
"shared_address_scopes": "field:address_scopes:shared=True",
"external": "field:networks:router:external=True",
"default": "rule:admin_or_owner",
"admin_or_sg_owner": "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s",
"admin_owner_or_sg_owner": "rule:owner or rule:admin_or_sg_owner",

"create_subnet": "rule:admin_or_network_owner",
"create_subnet:segment_id": "rule:admin_only",
@@ -230,7 +232,7 @@
"update_security_group": "rule:admin_or_owner",
"delete_security_group": "rule:admin_or_owner",
"get_security_group_rules": "rule:admin_or_owner",
"get_security_group_rule": "rule:admin_or_owner",
"get_security_group_rule": "rule:admin_owner_or_sg_owner",
"create_security_group_rule": "rule:admin_or_owner",
"delete_security_group_rule": "rule:admin_or_owner",



+ 2
- 1
neutron/api/v2/attributes.py View File

@@ -34,7 +34,8 @@ RESOURCE_ATTRIBUTE_MAP = attrs.RESOURCES
# Identify the attribute used by a resource to reference another resource

RESOURCE_FOREIGN_KEYS = {
net_def.COLLECTION_NAME: 'network_id'
net_def.COLLECTION_NAME: 'network_id',
'security_groups': 'security_group_id'
}




+ 12
- 2
neutron/db/securitygroups_db.py View File

@@ -679,8 +679,13 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
pager = base_obj.Pager(
sorts=sorts, marker=marker, limit=limit, page_reverse=page_reverse)

# NOTE(slaweq): use admin context here to be able to get all rules
# which fits filters' criteria. Later in policy engine rules will be
# filtered and only those which are allowed according to policy will
# be returned
rule_objs = sg_obj.SecurityGroupRule.get_objects(
context, _pager=pager, validate_filters=False, **filters
context_lib.get_admin_context(), _pager=pager,
validate_filters=False, **filters
)
return [
self._make_security_group_rule_dict(obj.db_obj, fields)
@@ -695,7 +700,12 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):

@db_api.retry_if_session_inactive()
def get_security_group_rule(self, context, id, fields=None):
security_group_rule = self._get_security_group_rule(context, id)
# NOTE(slaweq): use admin context here to be able to get all rules
# which fits filters' criteria. Later in policy engine rules will be
# filtered and only those which are allowed according to policy will
# be returned
security_group_rule = self._get_security_group_rule(
context_lib.get_admin_context(), id)
return self._make_security_group_rule_dict(
security_group_rule.db_obj, fields)



+ 3
- 1
neutron/tests/etc/policy.json View File

@@ -13,6 +13,8 @@
"shared_address_scopes": "field:address_scopes:shared=True",
"external": "field:networks:router:external=True",
"default": "rule:admin_or_owner",
"admin_or_sg_owner": "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s",
"admin_owner_or_sg_owner": "rule:owner or rule:admin_or_sg_owner",

"create_subnet": "rule:admin_or_network_owner",
"create_subnet:segment_id": "rule:admin_only",
@@ -230,7 +232,7 @@
"update_security_group": "rule:admin_or_owner",
"delete_security_group": "rule:admin_or_owner",
"get_security_group_rules": "rule:admin_or_owner",
"get_security_group_rule": "rule:admin_or_owner",
"get_security_group_rule": "rule:admin_owner_or_sg_owner",
"create_security_group_rule": "rule:admin_or_owner",
"delete_security_group_rule": "rule:admin_or_owner",



+ 6
- 0
releasenotes/notes/show-all-security-group-rules-for-security-group-owner-6635dd3e4c6ab5ee.yaml View File

@@ -0,0 +1,6 @@
---
fixes:
- |
Owners of security groups now see all security group rules which belong to
the security group, even if the rule was created by the admin user.
Fixes bug `1824248 <https://bugs.launchpad.net/neutron/+bug/1824248>`_.

Loading…
Cancel
Save