
yahoo-eng-team team mailing list archive

[Bug 1536176] Re: network owner cannot get subnet, cannot delete net


This is a corner case for which I don't see any use? Why would an admin
create a subnet in a network he/she doesn't own and withhold the
ownership?

** Changed in: neutron
       Status: In Progress => Won't Fix

** Changed in: neutron
     Assignee: ZongKai LI (lzklibj) => (unassigned)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1536176

Title:
  network owner cannot get subnet, cannot delete net

Status in neutron:
  Won't Fix

Bug description:
  steps:
  1. demo tenant creates a network net1
  2. demo tenant creates a subnet sn1 in net1
  3. admin creates a subnet sn2 in net1
  4. demo tenant runs "neutron subnet-list"
  expected: command output should contain sn1 and sn2
  observed: only sn1 can be seen.

  in policy.json
  [1]    "create_subnet": "rule:admin_or_network_owner",
  [2]    "get_subnet": "rule:admin_or_owner or rule:shared",
  from [1], since only admin and network owner can create subnet on tenant network, it should make sense to allow network owner to get all subnets on her/his network.

  With RBAC, after the demo tenant adds an RBAC access_as_shared rule for the alt_demo tenant,
  the alt_demo tenant running "subnet-list" can get sn1 and sn2.
  That's very interesting: an RBAC-allowed tenant can get all subnets, but not the network owner.

  # updated @ 2016.01.23
  Since the demo tenant cannot get subnets on its network that it does not own, deleting its network will fail, and unfortunately no error/exception will be raised, because neutron-server will enter a while-True loop!!!
  Check https://github.com/openstack/neutron/blob/master/neutron/plugins/ml2/plugin.py#L918-L920 .

  What can we do about this situation? Maybe return an exception when a subnet that is not owned by the current tenant cannot be fetched for deletion. Oops, that's odd and hard to understand, since we have the following rules in policy.json:
      "delete_subnet": "rule:admin_or_network_owner",
      "delete_network": "rule:admin_or_owner",
  How can people understand that they have a policy allowing them, but still get a disallowed exception?

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1536176/+subscriptions
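The policy.json rules quoted in the bug description, evaluated against its sn1/sn2 scenario, as an added example that is not Neutron's code: the tenant data, the rule predicates and the simplified delete loop are assumptions made for illustration, and the relaxed get_subnet rule is the reporter's suggestion, not a shipped policy.

```python
# Added illustration, not Neutron code. Constructed data matching steps 1-3
# of the report: demo owns net1 and sn1, admin created sn2 in net1.
NETWORKS = {"net1": {"tenant_id": "demo", "shared": False}}
SUBNETS = {
    "sn1": {"network_id": "net1", "tenant_id": "demo"},
    "sn2": {"network_id": "net1", "tenant_id": "admin"},
}

# Named rules referenced by policy.json, modelled as predicates over (ctx, target).
RULES = {
    "admin_or_owner": lambda ctx, t: ctx["is_admin"] or t["tenant_id"] == ctx["tenant_id"],
    "admin_or_network_owner": lambda ctx, t: ctx["is_admin"]
        or NETWORKS[t["network_id"]]["tenant_id"] == ctx["tenant_id"],
    "shared": lambda ctx, t: NETWORKS[t["network_id"]]["shared"],
}

def enforce(policy, ctx, target):
    """Evaluate an 'or'-joined list of rule:NAME terms (toy policy evaluator)."""
    return any(RULES[term.split(":", 1)[1]](ctx, target)
               for term in policy.split(" or "))

# Rules as quoted in the bug, and the relaxed get_subnet the reporter argues for.
POLICY_CURRENT = {"get_subnet": "rule:admin_or_owner or rule:shared",
                  "delete_subnet": "rule:admin_or_network_owner"}
POLICY_RELAXED = dict(POLICY_CURRENT,
    get_subnet="rule:admin_or_owner or rule:admin_or_network_owner or rule:shared")

def visible_subnets(policy, ctx, network_id):
    """What 'neutron subnet-list' would show: subnets passing get_subnet."""
    return sorted(sid for sid, s in SUBNETS.items()
                  if s["network_id"] == network_id and enforce(policy["get_subnet"], ctx, s))

def delete_network(policy, ctx, network_id, max_rounds=5):
    """Simplified model of the reporter's description: keep deleting the
    network's subnets until the DB shows none. Bounded here so a loop that
    makes no progress surfaces as a return value instead of spinning."""
    db = dict(SUBNETS)  # per-call copy of the constructed table
    for _ in range(max_rounds):
        remaining = [sid for sid, s in db.items() if s["network_id"] == network_id]
        if not remaining:
            return "deleted"
        for sid in remaining:
            s = db[sid]
            # delete_subnet must first fetch the subnet under get_subnet; a subnet
            # the tenant cannot see is never removed, so the loop never converges.
            if enforce(policy["get_subnet"], ctx, s) and enforce(policy["delete_subnet"], ctx, s):
                del db[sid]
    return "hang"  # no progress: the while-True spin the reporter describes
```

Run with a demo context `{"tenant_id": "demo", "is_admin": False}` to see sn2 hidden and the delete stall under POLICY_CURRENT, and both succeed under POLICY_RELAXED or an admin context.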