Public bug reported:

Neutron's RBAC system supports security group sharing, but it cannot be used with changed policies. When RBAC for security groups was added [1], the "shared" field was not added to the database. As a result, we cannot use this flag for policy checks, SG sharing works only with the default [2] policy, and it is impossible to configure policies like:

    "shared_security_groups": "field:security_groups:shared=True",
    "get_security_group": "rule:admin or rule:shared_security_groups",

How to reproduce:

1. change the policies and add a check for the 'shared' field as mentioned above;
2. create a new SG with admin permissions;
3. share the SG with another project;
4. try to get this SG by ID with project owner permissions.

Such policies work perfectly for other RBAC objects like networks, subnet pools etc.

[1] https://review.opendev.org/c/openstack/neutron/+/635311
[2] https://github.com/openstack/neutron/blob/master/neutron/conf/policies/security_group.py#L66

** Affects: neutron
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1933242

Title:
  Unable to show security groups for non-admin users if custom policies are used.

Status in neutron:
  New
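The failure mode described in the report, as an added illustration that is not Neutron's or oslo.policy's own code: a deliberately minimal model of a Neutron-style "field:<resource>:<attr>=<value>" check combined with "rule:" references and "or". The assumption built into it (and stated in the comments) is that a field missing from the resource dict evaluates to "not matched", so the rule fails closed. The policy map and the two resource dicts are constructed sample values; the ids are placeholders. The network carries a persisted `shared` attribute and passes the check, while the security group, which has no `shared` column and therefore no such key, is denied to the non-admin project it was shared with; the last case shows the same check succeeding once a `shared` key is present, which is what any fix would have to provide.

```python
# Added illustration (not Neutron's own policy engine): a simplified model of
# how a "field:<resource>:<attr>=<value>" check behaves when the attribute is
# absent from the resource dict passed to the policy engine. Assumption: a
# missing attribute never matches, so the rule denies instead of raising.


def parse_field_check(spec):
    """Split 'field:security_groups:shared=True' into (resource, field, value).

    Boolean literals are converted so they compare with API attributes;
    any other value is kept as a string.
    """
    kind, rest = spec.split(":", 1)
    if kind != "field":
        raise ValueError("not a field check: %s" % spec)
    resource, field_value = rest.split(":", 1)
    field, value = field_value.split("=", 1)
    if value in ("True", "False"):
        value = value == "True"
    return resource, field, value


def field_check_matches(spec, target):
    """Evaluate one field check against the resource dict ('target').

    A missing attribute yields None, which never equals the expected value,
    so the check fails closed: a resource without the column is treated as
    not shared, whatever its RBAC entries say.
    """
    _resource, field, value = parse_field_check(spec)
    target_value = target.get(field)
    if target_value is None:
        return False
    return target_value == value


def enforce(policy, rule_name, target, is_admin):
    """Evaluate rules of the form 'rule:a or rule:b' plus 'field:...' checks.

    Assumption: only 'or' composition, 'rule:admin', named rule references
    and field checks are modelled, which is all the report's policy uses.
    """
    expr = policy[rule_name]
    for part in expr.split(" or "):
        if part == "rule:admin":
            if is_admin:
                return True
        elif part.startswith("rule:"):
            if enforce(policy, part[len("rule:"):], target, is_admin):
                return True
        elif part.startswith("field:"):
            if field_check_matches(part, target):
                return True
    return False


# Constructed policy: the security group rules from the report, alongside the
# equivalent network rules that the report says already work.
CUSTOM_POLICY = {
    "shared_security_groups": "field:security_groups:shared=True",
    "get_security_group": "rule:admin or rule:shared_security_groups",
    "shared_networks": "field:networks:shared=True",
    "get_network": "rule:admin or rule:shared_networks",
}

# Constructed resources as the policy engine would see them (placeholder ids).
# The network has a persisted 'shared' attribute; the security group has no
# such column and therefore no such key, even though it was shared via RBAC.
SHARED_NETWORK = {"id": "net-placeholder", "tenant_id": "admin-proj", "shared": True}
SHARED_SECURITY_GROUP = {"id": "sg-placeholder", "tenant_id": "admin-proj", "name": "shared-sg"}


def demo():
    """Return the outcome of each access decision for comparison."""
    return {
        "network_visible_to_non_admin": enforce(CUSTOM_POLICY, "get_network", SHARED_NETWORK, False),
        "sg_visible_to_non_admin": enforce(CUSTOM_POLICY, "get_security_group", SHARED_SECURITY_GROUP, False),
        "sg_visible_to_admin": enforce(CUSTOM_POLICY, "get_security_group", SHARED_SECURITY_GROUP, True),
        # What the same policy yields once the resource dict exposes 'shared'.
        "sg_visible_once_shared_exposed": enforce(
            CUSTOM_POLICY, "get_security_group", dict(SHARED_SECURITY_GROUP, shared=True), False),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-32s %s" % (name, "allowed" if allowed else "denied"))
```

The useful operational check here is the asymmetry in the output: the same custom rule admits the shared network and denies the shared security group, and only the admin path succeeds for the latter. Until the attribute exists on the security group object, a policy that references it can only ever deny.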