yahoo-eng-team team mailing list archive
Message #46047
[Bug 1543756] [NEW] RBAC: Port creation on a shared network failed if --fixed-ip is specified in 'neutron port-create' command
Public bug reported:
The network demo-net, owned by user demo, is shared with tenant demo-2.
The sharing is created by demo using the command
neutron rbac-create --type network --action access_as_shared --target-tenant <demo-2-tenant-id> demo-net
A user on the demo-2 tenant can see the network demo-net:
stack@Ubuntu-38:~/DEVSTACK/demo$ neutron net-list
+--------------------------------------+----------+--------------------------------------------------+
| id | name | subnets |
+--------------------------------------+----------+--------------------------------------------------+
| 85bb7612-e5fa-440c-bacf-86c5929298f3 | demo-net | e66487b6-430b-4fb1-8a87-ed28dd378c43 10.1.2.0/24 |
| | | ff01f7ca-d838-42dc-8d86-1b2830bc4824 10.1.3.0/24 |
| 5beb4080-4cf0-4921-9bbf-a7f65df6367f | public | 57485a80-815c-45ef-a0d1-ce11939d7fab |
| | | 38d1ddad-8084-4d32-b142-240e16fcd5df |
+--------------------------------------+----------+--------------------------------------------------+
The owner of network demo-net is able to create a port using the command 'neutron port-create demo-net --fixed-ip ...':
stack@Ubuntu-38:~/DEVSTACK/devstack$ neutron port-create demo-net --fixed-ip subnet_id=ff01f7ca-d838-42dc-8d86-1b2830bc4824
Created a new port:
+-----------------------+---------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+---------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | |
| binding:vnic_type | normal |
| device_id | |
| device_owner | |
| dns_name | |
| fixed_ips | {"subnet_id": "ff01f7ca-d838-42dc-8d86-1b2830bc4824", "ip_address": "10.1.3.6"} |
| id | 37402f22-fcd5-4b01-8b01-c6734573d7a8 |
| mac_address | fa:16:3e:44:71:ad |
| name | |
| network_id | 85bb7612-e5fa-440c-bacf-86c5929298f3 |
| security_groups | 7db11aa0-3d0d-40d1-ae25-e4c02b8886ce |
| status | DOWN |
| tenant_id | 54913ee1ca89458ba792d685c799484d |
+-----------------------+---------------------------------------------------------------------------------+
The user demo-2 of tenant demo-2 is able to create a port using the
network demo-net:
stack@Ubuntu-38:~/DEVSTACK/demo$ neutron port-create demo-net
Created a new port:
+-----------------------+---------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+---------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | |
| binding:vnic_type | normal |
| device_id | |
| device_owner | |
| dns_name | |
| fixed_ips | {"subnet_id": "ff01f7ca-d838-42dc-8d86-1b2830bc4824", "ip_address": "10.1.3.5"} |
| id | bab87cc9-2c83-489d-a973-1a42872a3dd4 |
| mac_address | fa:16:3e:c6:93:e5 |
| name | |
| network_id | 85bb7612-e5fa-440c-bacf-86c5929298f3 |
| security_groups | 465c1c6f-e974-40e0-826e-72a2cc7d3fa4 |
| status | DOWN |
| tenant_id | 3dd36d3f99494454bd4f887201684b63 |
+-----------------------+---------------------------------------------------------------------------------+
If the same user wants to create a port on demo-net with a fixed IP on the 10.1.2.0/24 subnet, the port creation fails:
stack@Ubuntu-38:~/DEVSTACK/demo$ neutron port-create demo-net --fixed-ip subnet_id=ff01f7ca-d838-42dc-8d86-1b2830bc4824
(rule:create_port and rule:create_port:fixed_ips) on {'binding:host_id': <object object at 0x7f1935be82a0>, 'name': '', 'allowed_address_pairs': <object object at 0x7f1935be82a0>, u'admin_state_up': True, u'network_id': u'85bb7612-e5fa-440c-bacf-86c5929298f3', 'tenant_id': u'3dd36d3f99494454bd4f887201684b63', 'extra_dhcp_opts': None, 'mac_address': <object object at 0x7f1935be82a0>, 'binding:vnic_type': 'normal', 'device_owner': '', 'dns_name': '', 'binding:profile': <object object at 0x7f1935be82a0>, u'fixed_ips': [{u'subnet_id': u'ff01f7ca-d838-42dc-8d86-1b2830bc4824'}], u'network:tenant_id': u'54913ee1ca89458ba792d685c799484d', 'security_groups': <object object at 0x7f1935be82a0>, 'device_id': ''} by {'domain': None, 'project_name': u'demo-2', 'tenant_name': u'demo-2', 'project_domain': None, 'timestamp': '2016-02-09 19:20:48.555574', 'auth_token': 'afa5047cd78b4774a6fd3ab3944f3f97', 'resource_uuid': None, 'is_admin': False, 'user': u'ca2f2bb189e6401c9c27214d4aa33563', 'tenant': u'3dd36d3f99494454bd4f887201684b63', 'read_only': False, 'project_id': u'3dd36d3f99494454bd4f887201684b63', 'user_id': u'ca2f2bb189e6401c9c27214d4aa33563', 'show_deleted': False, 'roles': [u'_member_'], 'user_identity': 'ca2f2bb189e6401c9c27214d4aa33563 3dd36d3f99494454bd4f887201684b63 - - -', 'tenant_id': u'3dd36d3f99494454bd4f887201684b63', 'request_id': 'req-7de91903-43ed-4940-a645-3418d10413ec', 'user_domain': None, 'user_name': u'demo-2'} disallowed by policy
stack@Ubuntu-38:~/DEVSTACK/devstack$
The RBAC rule sharing network demo-net with tenant "demo-2" is:
stack@Ubuntu-38:~/DEVSTACK/devstack$ neutron rbac-show ea979774-8383-4a7e-8cbe-50bbd58855e5
+---------------+--------------------------------------+
| Field | Value |
+---------------+--------------------------------------+
| action | access_as_shared |
| id | ea979774-8383-4a7e-8cbe-50bbd58855e5 |
| object_id | 85bb7612-e5fa-440c-bacf-86c5929298f3 |
| object_type | network |
| target_tenant | 3dd36d3f99494454bd4f887201684b63 |
| tenant_id | 54913ee1ca89458ba792d685c799484d |
+---------------+--------------------------------------+
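As an added illustration (not part of the bug report or of neutron's own code), the Python below models how neutron's oslo.policy engine evaluates the check named in the error message, `(rule:create_port and rule:create_port:fixed_ips)`, against the target and credentials quoted there. The rule strings are neutron's default policy.json of that era as remembered here and are an assumption to compare against your deployment; under them the outcome matches the report: the RBAC share satisfies `create_port`, but `create_port:fixed_ips` still requires an admin or the network owner, so demo-2's request with a fixed IP is refused while its plain port-create succeeds.

```python
POLICY = {  # neutron default policy.json of that era, from memory: an assumption
    "context_is_admin": "role:admin",
    "context_is_advsvc": "role:advsvc",
    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
    "create_port": "",  # empty rule: any authenticated caller may create a port
    "create_port:fixed_ips": "rule:context_is_advsvc or rule:admin_or_network_owner",
}

def check(rule, target, creds):
    """Subset of the oslo.policy language: '', or, and, rule:, role:, key:%(field)s."""
    rule = rule.strip()
    if rule == "":
        return True  # empty rule: always allowed
    if " or " in rule:  # 'and' binds tighter than 'or', as in oslo.policy
        return any(check(p, target, creds) for p in rule.split(" or "))
    if " and " in rule:
        return all(check(p, target, creds) for p in rule.split(" and "))
    kind, _, value = rule.partition(":")
    if kind == "rule":
        return check(POLICY[value], target, creds)
    if kind == "role":
        return value in creds["roles"]
    if value.startswith("%(") and value.endswith(")s"):
        value = str(target.get(value[2:-2]))  # substitute the target field
    return str(creds.get(kind)) == value

def port_create_allowed(target, creds):
    """Neutron adds a create_port:<attr> sub-check for each explicitly set attribute."""
    rule = "rule:create_port"
    if "fixed_ips" in target:
        rule += " and rule:create_port:fixed_ips"
    return check(rule, target, creds)

OWNER = "54913ee1ca89458ba792d685c799484d"  # tenant demo (owns demo-net), from the report
DEMO2 = "3dd36d3f99494454bd4f887201684b63"  # tenant demo-2 (RBAC target), from the report

def request(tenant_id, with_fixed_ip):
    # Policy target reduced from the 'disallowed by policy' message in the report.
    target = {"network_id": "85bb7612-e5fa-440c-bacf-86c5929298f3",
              "tenant_id": tenant_id, "network:tenant_id": OWNER}
    if with_fixed_ip:
        target["fixed_ips"] = [{"subnet_id": "ff01f7ca-d838-42dc-8d86-1b2830bc4824"}]
    return target

def creds(tenant_id):
    return {"tenant_id": tenant_id, "roles": ["_member_"]}

if __name__ == "__main__":
    print(port_create_allowed(request(DEMO2, False), creds(DEMO2)))  # True: shared network
    print(port_create_allowed(request(DEMO2, True), creds(DEMO2)))   # False: not the owner
    print(port_create_allowed(request(OWNER, True), creds(OWNER)))   # True: network owner
```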
** Affects: neutron
Importance: Undecided
Status: New
** Tags: access-control
** Summary changed:
- BAC: Port creation on a shared network failed if --fixed-ip is specified
+ RBAC: Port creation on a shared network failed if --fixed-ip is specified
** Summary changed:
- RBAC: Port creation on a shared network failed if --fixed-ip is specified
+ RBAC: Port creation on a shared network failed if --fixed-ip is specified in 'neutron port-create' command
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1543756
Title:
RBAC: Port creation on a shared network failed if --fixed-ip is
specified in 'neutron port-create' command
Status in neutron:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1543756/+subscriptions