yahoo-eng-team team mailing list archive

[Bug 1538767] Re: Users cannot create extra-routes with nexthop on ext-net

 

Reviewed:  https://review.openstack.org/273278
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=3d5d378769f0715e3254ac00b6f091a6f9f6960b
Submitter: Jenkins
Branch:    master

commit 3d5d378769f0715e3254ac00b6f091a6f9f6960b
Author: Cedric Brandily <zzelle@xxxxxxxxx>
Date:   Wed Jan 27 23:58:18 2016 +0100

    Allow non-admins to define "external" extra-routes
    
    Currently non-admin users can create extra-routes when the nexthop is on
    router-interfaces subnets but not on external-network subnet. Indeed
    user permissions are used to get router ports in order to validate
    nexthops BUT non-admin users don't "see" router port on its external
    network.
    
    This change uses an elevated context instead of user context to enable
    non-admins to create "external" extra-routes.
    
    APIImpact
    Closes-Bug: #1538767
    Change-Id: I08b1d8586a4cd241a3589e8cb7151b77ab679124


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1538767

Title:
  Users cannot create extra-routes with nexthop on ext-net

Status in neutron:
  Fix Released

Bug description:
  Non-admin users cannot create extra-routes on a router with a nexthop
  on ext-net subnet:

    # With admin user
    neutron net-create pub --router:external
    neutron subnet-create pub 192.168.0.0/16

    # With non-admin user
    neutron router-create router
    neutron router-gateway-set router pub
    neutron router-update router --routes nexthop=192.168.0.99,destination=10.10.10.0/24
    >> Invalid format for routes: [{u'destination': u'10.10.10.0/24', u'nexthop': u'192.168.0.99'}], the nexthop is not connected with router

  But it succeeds with an admin user.

  nexthop validation gets all ports connected to the router to check if
  nexthop is on a subnet connected to the router BUT non-admin users are
  only allowed to get internal ports!

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1538767/+subscriptions
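
The visibility problem described above, as an added example that is not neutron's code or part of the original report: a simplified model in which port lookups are filtered by tenant, so nexthop validation fails under the user's context and passes under an elevated one. The `Context`, `Port` and function names, the sample ports, and the separate ownership check are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Context:
    tenant_id: str
    is_admin: bool = False

    def elevated(self):
        # Same caller identity, but queries are no longer tenant-filtered.
        return replace(self, is_admin=True)


@dataclass(frozen=True)
class Port:
    router_id: str
    tenant_id: str
    cidr: str


# Constructed sample data: one tenant-owned interface and one gateway port
# on the external subnet that the tenant does not own (assumption).
PORTS = [
    Port("router", "demo", "10.0.0.0/24"),
    Port("router", "", "192.168.0.0/16"),
]


def get_router_ports(context, router_id):
    """Return the router's ports that this context is allowed to see."""
    return [p for p in PORTS
            if p.router_id == router_id
            and (context.is_admin or p.tenant_id == context.tenant_id)]


def nexthop_is_connected(context, router_id, nexthop, elevate):
    """True if nexthop lies in a subnet attached to the router."""
    query_ctx = context.elevated() if elevate else context
    addr = ipaddress.ip_address(nexthop)
    return any(addr in ipaddress.ip_network(p.cidr)
               for p in get_router_ports(query_ctx, router_id))


def can_set_route(context, router_id, owner, nexthop, elevate):
    # Ownership is still decided with the caller's own context; only the
    # port lookup used for validation runs elevated.
    if not context.is_admin and context.tenant_id != owner:
        return False
    return nexthop_is_connected(context, router_id, nexthop, elevate)
```

Keeping the elevation scoped to the read-only port lookup means the caller's own context still governs who may modify the router.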

