List SG rules which belongs to tenant's SG
In case when user's security group contains rules created e.g. by admin, and such rules has got admin's tenant as tenant_id, owner of security group should be able to see those rules. Some time ago this was addressed for request: GET /v2.0/security-groups/<sec_group_id> But it is also required to behave in same way for GET /v2.0/security-group-rules So this patch fixes this behaviour for listing of security group rules. To achieve that this patch also adds new policy rule: ADMIN_OWNER_OR_SG_OWNER which is similar to already existing ADMIN_OWNER_OR_NETWORK_OWNER used e.g. for listing or creating ports. Conflicts: etc/policy.json neutron/policy.py Change-Id: I09114712582d2d38d14cf1683b87a8ce3a8e8c3c Closes-Bug: #1824248 (cherry picked from commitb898d2e3c0
) (cherry picked from commit36d1086569
)
This commit is contained in:
parent
3559d8bcc7
commit
e00ebee053
|
@ -13,6 +13,8 @@
|
||||||
"shared_address_scopes": "field:address_scopes:shared=True",
|
"shared_address_scopes": "field:address_scopes:shared=True",
|
||||||
"external": "field:networks:router:external=True",
|
"external": "field:networks:router:external=True",
|
||||||
"default": "rule:admin_or_owner",
|
"default": "rule:admin_or_owner",
|
||||||
|
"admin_or_sg_owner": "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s",
|
||||||
|
"admin_owner_or_sg_owner": "rule:owner or rule:admin_or_sg_owner",
|
||||||
|
|
||||||
"create_subnet": "rule:admin_or_network_owner",
|
"create_subnet": "rule:admin_or_network_owner",
|
||||||
"create_subnet:segment_id": "rule:admin_only",
|
"create_subnet:segment_id": "rule:admin_only",
|
||||||
|
@ -230,7 +232,7 @@
|
||||||
"update_security_group": "rule:admin_or_owner",
|
"update_security_group": "rule:admin_or_owner",
|
||||||
"delete_security_group": "rule:admin_or_owner",
|
"delete_security_group": "rule:admin_or_owner",
|
||||||
"get_security_group_rules": "rule:admin_or_owner",
|
"get_security_group_rules": "rule:admin_or_owner",
|
||||||
"get_security_group_rule": "rule:admin_or_owner",
|
"get_security_group_rule": "rule:admin_owner_or_sg_owner",
|
||||||
"create_security_group_rule": "rule:admin_or_owner",
|
"create_security_group_rule": "rule:admin_or_owner",
|
||||||
"delete_security_group_rule": "rule:admin_or_owner",
|
"delete_security_group_rule": "rule:admin_or_owner",
|
||||||
|
|
||||||
|
|
|
@ -34,7 +34,8 @@ RESOURCE_ATTRIBUTE_MAP = attrs.RESOURCES
|
||||||
# Identify the attribute used by a resource to reference another resource
|
# Identify the attribute used by a resource to reference another resource
|
||||||
|
|
||||||
RESOURCE_FOREIGN_KEYS = {
|
RESOURCE_FOREIGN_KEYS = {
|
||||||
net_def.COLLECTION_NAME: 'network_id'
|
net_def.COLLECTION_NAME: 'network_id',
|
||||||
|
'security_groups': 'security_group_id'
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -679,8 +679,13 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
|
||||||
pager = base_obj.Pager(
|
pager = base_obj.Pager(
|
||||||
sorts=sorts, marker=marker, limit=limit, page_reverse=page_reverse)
|
sorts=sorts, marker=marker, limit=limit, page_reverse=page_reverse)
|
||||||
|
|
||||||
|
# NOTE(slaweq): use admin context here to be able to get all rules
|
||||||
|
# which fits filters' criteria. Later in policy engine rules will be
|
||||||
|
# filtered and only those which are allowed according to policy will
|
||||||
|
# be returned
|
||||||
rule_objs = sg_obj.SecurityGroupRule.get_objects(
|
rule_objs = sg_obj.SecurityGroupRule.get_objects(
|
||||||
context, _pager=pager, validate_filters=False, **filters
|
context_lib.get_admin_context(), _pager=pager,
|
||||||
|
validate_filters=False, **filters
|
||||||
)
|
)
|
||||||
return [
|
return [
|
||||||
self._make_security_group_rule_dict(obj.db_obj, fields)
|
self._make_security_group_rule_dict(obj.db_obj, fields)
|
||||||
|
@ -695,7 +700,12 @@ class SecurityGroupDbMixin(ext_sg.SecurityGroupPluginBase):
|
||||||
|
|
||||||
@db_api.retry_if_session_inactive()
|
@db_api.retry_if_session_inactive()
|
||||||
def get_security_group_rule(self, context, id, fields=None):
|
def get_security_group_rule(self, context, id, fields=None):
|
||||||
security_group_rule = self._get_security_group_rule(context, id)
|
# NOTE(slaweq): use admin context here to be able to get all rules
|
||||||
|
# which fits filters' criteria. Later in policy engine rules will be
|
||||||
|
# filtered and only those which are allowed according to policy will
|
||||||
|
# be returned
|
||||||
|
security_group_rule = self._get_security_group_rule(
|
||||||
|
context_lib.get_admin_context(), id)
|
||||||
return self._make_security_group_rule_dict(
|
return self._make_security_group_rule_dict(
|
||||||
security_group_rule.db_obj, fields)
|
security_group_rule.db_obj, fields)
|
||||||
|
|
||||||
|
|
|
@ -13,6 +13,8 @@
|
||||||
"shared_address_scopes": "field:address_scopes:shared=True",
|
"shared_address_scopes": "field:address_scopes:shared=True",
|
||||||
"external": "field:networks:router:external=True",
|
"external": "field:networks:router:external=True",
|
||||||
"default": "rule:admin_or_owner",
|
"default": "rule:admin_or_owner",
|
||||||
|
"admin_or_sg_owner": "rule:context_is_admin or tenant_id:%(security_group:tenant_id)s",
|
||||||
|
"admin_owner_or_sg_owner": "rule:owner or rule:admin_or_sg_owner",
|
||||||
|
|
||||||
"create_subnet": "rule:admin_or_network_owner",
|
"create_subnet": "rule:admin_or_network_owner",
|
||||||
"create_subnet:segment_id": "rule:admin_only",
|
"create_subnet:segment_id": "rule:admin_only",
|
||||||
|
@ -230,7 +232,7 @@
|
||||||
"update_security_group": "rule:admin_or_owner",
|
"update_security_group": "rule:admin_or_owner",
|
||||||
"delete_security_group": "rule:admin_or_owner",
|
"delete_security_group": "rule:admin_or_owner",
|
||||||
"get_security_group_rules": "rule:admin_or_owner",
|
"get_security_group_rules": "rule:admin_or_owner",
|
||||||
"get_security_group_rule": "rule:admin_or_owner",
|
"get_security_group_rule": "rule:admin_owner_or_sg_owner",
|
||||||
"create_security_group_rule": "rule:admin_or_owner",
|
"create_security_group_rule": "rule:admin_or_owner",
|
||||||
"delete_security_group_rule": "rule:admin_or_owner",
|
"delete_security_group_rule": "rule:admin_or_owner",
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
fixes:
|
||||||
|
- |
|
||||||
|
Owners of security groups now see all security group rules which belong to
|
||||||
|
the security group, even if the rule was created by the admin user.
|
||||||
|
Fixes bug `1824248 <https://bugs.launchpad.net/neutron/+bug/1824248>`_.
|
Loading…
Reference in New Issue