yahoo-eng-team team mailing list archive

[Bug 1543756] Re: RBAC: Port creation on a shared network failed if --fixed-ip is specified in 'neutron port-create' command

 

We can't let people that don't own the network select their own fixed
IP. Using the fixed IP field, someone can pick addresses outside of the
allocation pool so it's restricted to an owner-only operation.

It might be worth discussion if we should allow them to select a
subnet_id but not a specific IP. Maybe change this to an RFE because
it's going to be a policy change that we need to carefully consider.

** Changed in: neutron
       Status: New => Opinion

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1543756

Title:
  RBAC: Port creation on a shared network failed if --fixed-ip is
  specified in 'neutron port-create' command

Status in neutron:
  Opinion

Bug description:
  The network demo-net, owned by user demo, is shared with tenant
  demo-2.  The sharing is created by demo using the command

  neutron rbac-create --type network --action access_as_shared --target-
  tenant <demo-2-tenant-id> demo-net

  
  A user on the demo-2 tenant can see the network demo-net:

  stack@Ubuntu-38:~/DEVSTACK/demo$ neutron net-list
  +--------------------------------------+----------+--------------------------------------------------+
  | id                                   | name     | subnets                                          |
  +--------------------------------------+----------+--------------------------------------------------+
  | 85bb7612-e5fa-440c-bacf-86c5929298f3 | demo-net | e66487b6-430b-4fb1-8a87-ed28dd378c43 10.1.2.0/24 |
  |                                      |          | ff01f7ca-d838-42dc-8d86-1b2830bc4824 10.1.3.0/24 |
  | 5beb4080-4cf0-4921-9bbf-a7f65df6367f | public   | 57485a80-815c-45ef-a0d1-ce11939d7fab             |
  |                                      |          | 38d1ddad-8084-4d32-b142-240e16fcd5df             |
  +--------------------------------------+----------+--------------------------------------------------+


  
  The owner of network demo-net is able to create a port using the command 'neutron port-create demo-net --fixed-ip ...':
  stack@Ubuntu-38:~/DEVSTACK/devstack$ neutron port-create demo-net --fixed-ip subnet_id=ff01f7ca-d838-42dc-8d86-1b2830bc4824
  Created a new port:
  +-----------------------+---------------------------------------------------------------------------------+
  | Field                 | Value                                                                           |
  +-----------------------+---------------------------------------------------------------------------------+
  | admin_state_up        | True                                                                            |
  | allowed_address_pairs |                                                                                 |
  | binding:vnic_type     | normal                                                                          |
  | device_id             |                                                                                 |
  | device_owner          |                                                                                 |
  | dns_name              |                                                                                 |
  | fixed_ips             | {"subnet_id": "ff01f7ca-d838-42dc-8d86-1b2830bc4824", "ip_address": "10.1.3.6"} |
  | id                    | 37402f22-fcd5-4b01-8b01-c6734573d7a8                                            |
  | mac_address           | fa:16:3e:44:71:ad                                                               |
  | name                  |                                                                                 |
  | network_id            | 85bb7612-e5fa-440c-bacf-86c5929298f3                                            |
  | security_groups       | 7db11aa0-3d0d-40d1-ae25-e4c02b8886ce                                            |
  | status                | DOWN                                                                            |
  | tenant_id             | 54913ee1ca89458ba792d685c799484d                                                |
  +-----------------------+---------------------------------------------------------------------------------+


  The user demo-2 of tenant demo-2 is able to create a port using the
  network demo-net:

  stack@Ubuntu-38:~/DEVSTACK/demo$ neutron port-create demo-net
  Created a new port:
  +-----------------------+---------------------------------------------------------------------------------+
  | Field                 | Value                                                                           |
  +-----------------------+---------------------------------------------------------------------------------+
  | admin_state_up        | True                                                                            |
  | allowed_address_pairs |                                                                                 |
  | binding:vnic_type     | normal                                                                          |
  | device_id             |                                                                                 |
  | device_owner          |                                                                                 |
  | dns_name              |                                                                                 |
  | fixed_ips             | {"subnet_id": "ff01f7ca-d838-42dc-8d86-1b2830bc4824", "ip_address": "10.1.3.5"} |
  | id                    | bab87cc9-2c83-489d-a973-1a42872a3dd4                                            |
  | mac_address           | fa:16:3e:c6:93:e5                                                               |
  | name                  |                                                                                 |
  | network_id            | 85bb7612-e5fa-440c-bacf-86c5929298f3                                            |
  | security_groups       | 465c1c6f-e974-40e0-826e-72a2cc7d3fa4                                            |
  | status                | DOWN                                                                            |
  | tenant_id             | 3dd36d3f99494454bd4f887201684b63                                                |
  +-----------------------+---------------------------------------------------------------------------------+


  If the same user wants to create a port on demo-net with a fixed IP on
  the 10.1.2.0/24 subnet, the port creation fails:

  stack@Ubuntu-38:~/DEVSTACK/demo$ neutron port-create demo-net --fixed-ip subnet_id=ff01f7ca-d838-42dc-8d86-1b2830bc4824
  (rule:create_port and rule:create_port:fixed_ips) on {'binding:host_id': <object object at 0x7f1935be82a0>, 'name': '', 'allowed_address_pairs': <object object at 0x7f1935be82a0>, u'admin_state_up': True, u'network_id': u'85bb7612-e5fa-440c-bacf-86c5929298f3', 'tenant_id': u'3dd36d3f99494454bd4f887201684b63', 'extra_dhcp_opts': None, 'mac_address': <object object at 0x7f1935be82a0>, 'binding:vnic_type': 'normal', 'device_owner': '', 'dns_name': '', 'binding:profile': <object object at 0x7f1935be82a0>, u'fixed_ips': [{u'subnet_id': u'ff01f7ca-d838-42dc-8d86-1b2830bc4824'}], u'network:tenant_id': u'54913ee1ca89458ba792d685c799484d', 'security_groups': <object object at 0x7f1935be82a0>, 'device_id': ''} by {'domain': None, 'project_name': u'demo-2', 'tenant_name': u'demo-2', 'project_domain': None, 'timestamp': '2016-02-09 19:20:48.555574', 'auth_token': 'afa5047cd78b4774a6fd3ab3944f3f97', 'resource_uuid': None, 'is_admin': False, 'user': u'ca2f2bb189e6401c9c27214d4aa33563', 'tenant': u'3dd36d3f99494454bd4f887201684b63', 'read_only': False, 'project_id': u'3dd36d3f99494454bd4f887201684b63', 'user_id': u'ca2f2bb189e6401c9c27214d4aa33563', 'show_deleted': False, 'roles': [u'_member_'], 'user_identity': 'ca2f2bb189e6401c9c27214d4aa33563 3dd36d3f99494454bd4f887201684b63 - - -', 'tenant_id': u'3dd36d3f99494454bd4f887201684b63', 'request_id': 'req-7de91903-43ed-4940-a645-3418d10413ec', 'user_domain': None, 'user_name': u'demo-2'} disallowed by policy
  stack@Ubuntu-38:~/DEVSTACK/devstack$

  
  The RBAC rule for sharing network demo-net with tenant "demo-2" is:
  stack@Ubuntu-38:~/DEVSTACK/devstack$ neutron rbac-show ea979774-8383-4a7e-8cbe-50bbd58855e5
  +---------------+--------------------------------------+
  | Field         | Value                                |
  +---------------+--------------------------------------+
  | action        | access_as_shared                     |
  | id            | ea979774-8383-4a7e-8cbe-50bbd58855e5 |
  | object_id     | 85bb7612-e5fa-440c-bacf-86c5929298f3 |
  | object_type   | network                              |
  | target_tenant | 3dd36d3f99494454bd4f887201684b63     |
  | tenant_id     | 54913ee1ca89458ba792d685c799484d     |
  +---------------+--------------------------------------+

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1543756/+subscriptions
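An added illustration (not Neutron's own code) of the policy split the comment above describes: a tenant that merely has access_as_shared may create a port on the network, but only the owner or an admin may pass fixed_ips, because a chosen address can fall outside the allocation pool. Network, subnet and tenant ids are copied from the report; the allocation pool and the rule names are assumptions modelled on Neutron's default policy.json of that era.

```python
import ipaddress

# Constructed values modelled on the bug report (not a live deployment).
NETWORK = {
    "id": "85bb7612-e5fa-440c-bacf-86c5929298f3",
    "tenant_id": "54913ee1ca89458ba792d685c799484d",  # owner: tenant demo
    "subnets": {
        "ff01f7ca-d838-42dc-8d86-1b2830bc4824": {
            "cidr": "10.1.3.0/24",
            "allocation_pools": [("10.1.3.2", "10.1.3.254")],  # assumed pool
        },
    },
}
# Targets of access_as_shared RBAC entries (tenant demo-2 in the report).
SHARED_WITH = {"3dd36d3f99494454bd4f887201684b63"}


def admin_or_network_owner(ctx, network):
    """Assumed mirror of Neutron's admin_or_network_owner rule."""
    return ctx.get("is_admin", False) or ctx["tenant_id"] == network["tenant_id"]


def can_use_network(ctx, network):
    """Owner, admin, or a tenant the network is shared with may attach ports."""
    return admin_or_network_owner(ctx, network) or ctx["tenant_id"] in SHARED_WITH


def ip_in_allocation_pool(subnet, ip):
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in subnet["allocation_pools"])


def authorize_port_create(ctx, network, fixed_ips=None):
    """Return (allowed, reason); fixed_ips is a list of {subnet_id[, ip_address]}."""
    if not can_use_network(ctx, network):
        return False, "create_port disallowed by policy"
    if fixed_ips and not admin_or_network_owner(ctx, network):
        # The branch demo-2 hits in the report: shared access is not ownership.
        return False, "create_port:fixed_ips disallowed by policy"
    for entry in fixed_ips or []:
        subnet = network["subnets"].get(entry["subnet_id"])
        if subnet is None:
            return False, "subnet not on network"
        ip = entry.get("ip_address")
        if ip and not ip_in_allocation_pool(subnet, ip):
            # Owners are allowed to do this; it is exactly why the field is owner-only.
            return True, "warning: ip outside allocation pool"
    return True, "ok"
```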