
List SG rules which belongs to tenant's SG

When a user's security group contains rules created e.g.
by an admin, and such rules have the admin's tenant as tenant_id,
the owner of the security group should still be able to see those rules.
Some time ago this was addressed for request:

GET /v2.0/security-groups/<sec_group_id>

But it is also required to behave in same way for

GET /v2.0/security-group-rules

So this patch fixes this behaviour for listing of security
group rules.
To achieve that this patch also adds new policy rule:
ADMIN_OWNER_OR_SG_OWNER which is similar to already existing
ADMIN_OWNER_OR_NETWORK_OWNER used e.g. for listing or creating
ports.

Conflicts:
    neutron/conf/policies/security_group.py

Change-Id: I09114712582d2d38d14cf1683b87a8ce3a8e8c3c
Closes-Bug: #1824248
(cherry picked from commit b898d2e3c0)
tags/13.0.7
Slawek Kaplonski 10 months ago
parent
commit
993a344559
5 changed files with 26 additions and 5 deletions
  1. +3
    -1
      etc/policy.json
  2. +12
    -2
      neutron/db/securitygroups_db.py
  3. +2
    -1
      neutron/policy.py
  4. +3
    -1
      neutron/tests/etc/policy.json
  5. +6
    -0
      releasenotes/notes/show-all-security-group-rules-for-security-group-owner-6635dd3e4c6ab5ee.yaml

+ 3
- 1
etc/policy.json View File

@@ -14,6 +14,8 @@
"external": "field:networks:router:external=True",
"default": "rule:admin_or_owner",
"admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s",
"admin_or_sg_owner": "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s",
"admin_owner_or_sg_owner": "rule:owner or rule:admin_or_sg_owner",

"create_subnet": "rule:admin_or_network_owner",
"create_subnet:segment_id": "rule:admin_only",
@@ -244,7 +246,7 @@

"create_security_group_rule": "rule:admin_or_owner",
"get_security_group_rules": "rule:admin_or_owner",
"get_security_group_rule": "rule:admin_or_owner",
"get_security_group_rule": "rule:admin_owner_or_sg_owner",
"delete_security_group_rule": "rule:admin_or_owner",

"get_loggable_resources": "rule:admin_only",
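Review bot: Only the singular `get_security_group_rule` is moved to `rule:admin_owner_or_sg_owner` while the list policy `get_security_group_rules` stays at `rule:admin_or_owner`; because neutron/db/securitygroups_db.py in this commit now fetches rules with an admin context, the per-item singular check appears to be the only thing scoping the list response, and that dependency is stated nowhere a reader of this file would find it. policy.json admits no comments, so the rationale belongs in the comment on the new `_RESOURCE_FOREIGN_KEYS` entry in neutron/policy.py or in the release note, which currently describes the user-visible effect but not that `security_group:tenant_id` is resolved through the rule's `security_group_id`. The identical hunks in neutron/tests/etc/policy.json must stay in step with this file. The commit message lists a conflict in neutron/conf/policies/security_group.py, yet that file is not among the five changed files; if this branch ships in-code policy defaults, confirm they do not need the same `admin_or_sg_owner` / `admin_owner_or_sg_owner` rules, otherwise deployments without a policy.json override get the old behaviour.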


+ 12
- 2
neutron/db/securitygroups_db.py View File

@@ -672,8 +672,13 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
pager = base_obj.Pager(
sorts=sorts, marker=marker, limit=limit, page_reverse=page_reverse)

# NOTE(slaweq): use admin context here to be able to get all rules
# which fits filters' criteria. Later in policy engine rules will be
# filtered and only those which are allowed according to policy will
# be returned
rule_objs = sg_obj.SecurityGroupRule.get_objects(
context, _pager=pager, validate_filters=False, **filters
context_lib.get_admin_context(), _pager=pager,
validate_filters=False, **filters
)
return [
self._make_security_group_rule_dict(obj.db_obj, fields)
@@ -688,7 +693,12 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):

@db_api.retry_if_session_inactive()
def get_security_group_rule(self, context, id, fields=None):
security_group_rule = self._get_security_group_rule(context, id)
# NOTE(slaweq): use admin context here to be able to get all rules
# which fits filters' criteria. Later in policy engine rules will be
# filtered and only those which are allowed according to policy will
# be returned
security_group_rule = self._get_security_group_rule(
context_lib.get_admin_context(), id)
return self._make_security_group_rule_dict(
security_group_rule.db_obj, fields)
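Review bot: `get_security_group_rules` now queries with `context_lib.get_admin_context()` and, in the visible lines, no longer uses the caller's `context` at all, so the method itself returns matching rules from every project and relies on the API layer's policy engine to drop what the caller may not see; the NOTE comment says so, but only a reader of this body learns it. Any in-process caller that invokes the plugin method directly and treats the result as project-scoped would now receive cross-project rules, so the contract should be stated in the method docstring, e.g. `"""Return all SG rules matching filters, across projects; callers must apply policy filtering, the caller's context is not used for scoping."""` — the signature is outside the hunk, so I cannot see whether a docstring exists. The same applies to `get_security_group_rule` in the second hunk, where a rule id of another project now resolves in the DB before the policy check instead of failing the lookup; the NOTE comment copied there talks about "filters' criteria", which does not fit a single-id fetch and should say that the policy check decides visibility. None of the five changed files is a test, so a test that a non-owner still cannot list or show another project's rule, and that an SG owner now sees admin-created rules in its SG, would pin the intended behaviour of this widened query.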



+ 2
- 1
neutron/policy.py View File

@@ -43,7 +43,8 @@ ADVSVC_CTX_POLICY = 'context_is_advsvc'

# Identify the attribute used by a resource to reference another resource
_RESOURCE_FOREIGN_KEYS = {
net_apidef.COLLECTION_NAME: 'network_id'
net_apidef.COLLECTION_NAME: 'network_id',
'security_groups': 'security_group_id'
}
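Review bot: The new `'security_groups': 'security_group_id'` entry has no explanation of what it enables; the dict's header comment only says the attribute references another resource, so a reader cannot tell that the entry exists so `%(security_group:tenant_id)s` in the `admin_or_sg_owner` policy rule can be resolved for security-group rules. Suggest `'security_groups': 'security_group_id',  # lets rule:admin_or_sg_owner resolve the parent SG's tenant_id for SG rules` with a trailing comma so the next addition is a one-line diff. How the parent security group is loaded for that lookup is outside this hunk; it is worth confirming that the lookup is not itself restricted to the requester's own project, since the rule is meant to succeed exactly when the rule's tenant_id differs from the requester's.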




+ 3
- 1
neutron/tests/etc/policy.json View File

@@ -14,6 +14,8 @@
"external": "field:networks:router:external=True",
"default": "rule:admin_or_owner",
"admin_or_ext_parent_owner": "rule:context_is_admin or tenant_id:%(ext_parent:tenant_id)s",
"admin_or_sg_owner": "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s",
"admin_owner_or_sg_owner": "rule:owner or rule:admin_or_sg_owner",

"create_subnet": "rule:admin_or_network_owner",
"create_subnet:segment_id": "rule:admin_only",
@@ -244,7 +246,7 @@

"create_security_group_rule": "rule:admin_or_owner",
"get_security_group_rules": "rule:admin_or_owner",
"get_security_group_rule": "rule:admin_or_owner",
"get_security_group_rule": "rule:admin_owner_or_sg_owner",
"delete_security_group_rule": "rule:admin_or_owner",

"get_loggable_resources": "rule:admin_only",


+ 6
- 0
releasenotes/notes/show-all-security-group-rules-for-security-group-owner-6635dd3e4c6ab5ee.yaml View File

@@ -0,0 +1,6 @@
---
fixes:
- |
Owners of security groups now see all security group rules which belong to
the security group, even if the rule was created by the admin user.
Fixes bug `1824248 <https://bugs.launchpad.net/neutron/+bug/1824248>`_.
