[Stable Only] Enforce policy for qos_policy_id attribute

Currently while updating 'qos_policy_id', authorization policies are not enforced and as a result it can be set or unset over port/network/fip by an unauthorized user. This patch fixes it by setting 'enforce_policy' to True for this attribute for Floating IP, for port and network it's fixed in neutron-lib[1]. This patch is only for stable releases as for releases since Yoga this is fixed in neutron-lib[2] itself. [1] https://review.opendev.org/q/Ieee1ca092e572ad4696105962fbc6de675454657 [2] https://review.opendev.org/c/openstack/neutron-lib/+/825088 Closes-Bug: #1957175 Change-Id: Ie0660e5e89e45c00b79464368ba337d27a824714 (cherry picked from commit 0c2af0f6e7)
2022-01-27 13:20:07 +05:30 · 2022-01-27 13:20:07 +05:30 · c5765cdd75
commit c5765cdd75
parent de13b6954e
2 changed files with 7 additions and 0 deletions
--- a/neutron/extensions/qos_fip.py
+++ b/neutron/extensions/qos_fip.py
@ -24,6 +24,7 @@ EXTENDED_ATTRIBUTES_2_0 = {
            'allow_put': True,
            'is_visible': True,
            'default': None,
+            'enforce_policy': True,
            'validate': {'type:uuid_or_none': None}}
    }
 }
--- a/releasenotes/notes/bug-1957175-764bc9c73b8d46e9.yaml
+++ b/releasenotes/notes/bug-1957175-764bc9c73b8d46e9.yaml
@ -0,0 +1,6 @@
+---
+fixes:
+  - |
+    Enforce policy for 'qos_policy_id' attribute of
+    Floating IP so only authorized users can set/unset it.
+    For more info see `bug LP#1957175 <https://bugs.launchpad.net/bugs/1957175>`_.