[S-RBAC] Fix new policies for get QoS rules APIs

During transition to the new secure RBAC API policies, we made mistake with policies for QoS rules by defining them to be available for ADMIN_OR_PROJECT_READER. This can't be like that as QoS rules don't have tenant_id attribute and belongs always to the owner of the QoS policy. To fix that, this patch introduces new rules: ADMIN_OR_PARENT_OWNER_READER ADMIN_OR_PARENT_OWNER_MEMBER and uses those in the QoS rules APIs. Closes-Bug: #2018727 Change-Id: I522aeab5094b3f4854303d5e18f3abf6130fb33c (cherry picked from commit be0dc09) (cherry picked from commit 572cc2d)
openstack · May 10, 2023 · 9177e90 · 9177e90
1 parent baee022
commit 9177e90
Show file tree

Hide file tree

Showing 3 changed files with 356 additions and 267 deletions.
diff --git a/neutron/conf/policies/base.py b/neutron/conf/policies/base.py
@@ -62,6 +62,20 @@ def policy_or(*args):
 RULE_PARENT_OWNER = 'rule:ext_parent_owner'
 RULE_SG_OWNER = 'rule:sg_owner'
 
+# In some cases we need to check owner of the parent resource, it's like that
+# for example for QoS rules (check owner of QoS policy rule belongs to) or
+# Floating IP port forwarding (check owner of FIP which PF is using). It's like
+# that becasue those resources (QOS rules, FIP PFs) don't have project_id
+# attribute at all and they belongs to the same project as parent resource (QoS
+# policy, FIP).
+PARENT_OWNER_MEMBER = 'role:member and ' + RULE_PARENT_OWNER
+PARENT_OWNER_READER = 'role:reader and ' + RULE_PARENT_OWNER
+ADMIN_OR_PARENT_OWNER_MEMBER = (
+    '(' + ADMIN + ') or (' + PARENT_OWNER_MEMBER + ')')
+ADMIN_OR_PARENT_OWNER_READER = (
+    '(' + ADMIN + ') or (' + PARENT_OWNER_READER + ')')
+
+
 rules = [
     policy.RuleDefault(
         'context_is_admin',

diff --git a/neutron/conf/policies/qos.py b/neutron/conf/policies/qos.py
@@ -125,7 +125,7 @@
 
     policy.DocumentedRuleDefault(
         name='get_policy_bandwidth_limit_rule',
-        check_str=base.ADMIN_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PARENT_OWNER_READER,
         scope_types=['project'],
         description='Get a QoS bandwidth limit rule',
         operations=[
@@ -201,7 +201,7 @@
 
     policy.DocumentedRuleDefault(
         name='get_policy_packet_rate_limit_rule',
-        check_str=base.ADMIN_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PARENT_OWNER_READER,
         scope_types=['project'],
         description='Get a QoS packet rate limit rule',
         operations=[
@@ -257,7 +257,7 @@
 
     policy.DocumentedRuleDefault(
         name='get_policy_dscp_marking_rule',
-        check_str=base.ADMIN_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PARENT_OWNER_READER,
         scope_types=['project'],
         description='Get a QoS DSCP marking rule',
         operations=[
@@ -333,7 +333,7 @@
 
     policy.DocumentedRuleDefault(
         name='get_policy_minimum_bandwidth_rule',
-        check_str=base.ADMIN_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PARENT_OWNER_READER,
         scope_types=['project'],
         description='Get a QoS minimum bandwidth rule',
         operations=[
@@ -408,7 +408,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='get_policy_minimum_packet_rate_rule',
-        check_str=base.ADMIN_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PARENT_OWNER_READER,
         scope_types=['project'],
         description='Get a QoS minimum packet rate rule',
         operations=[
@@ -463,7 +463,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='get_alias_bandwidth_limit_rule',
-        check_str=base.ADMIN_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PARENT_OWNER_READER,
         scope_types=['project'],
         description='Get a QoS bandwidth limit rule through alias',
         operations=[
@@ -514,7 +514,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='get_alias_dscp_marking_rule',
-        check_str=base.ADMIN_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PARENT_OWNER_READER,
         scope_types=['project'],
         description='Get a QoS DSCP marking rule through alias',
         operations=[
@@ -565,7 +565,7 @@
     ),
     policy.DocumentedRuleDefault(
         name='get_alias_minimum_bandwidth_rule',
-        check_str=base.ADMIN_OR_PROJECT_READER,
+        check_str=base.ADMIN_OR_PARENT_OWNER_READER,
         scope_types=['project'],
         description='Get a QoS minimum bandwidth rule through alias',
         operations=[