yahoo-eng-team team mailing list archive
Message #50112
[Bug 1577101] [NEW] RBAC "Access_as_external" multiple IDs in target_tenant
Public bug reported:
On an admin tenant, with an admin user, I created an external network.
This automatically creates an "access_as_external" action RBAC policy
with "*" value for the "target_tenant" attribute.
I deleted this RBAC policy and manually created a new one with two
tenant IDs in the "target_tenant" field.
$ openstack project list
+----------------------------------+----------+
| ID                               | Name     |
+----------------------------------+----------+
| 1cdeee0a38b943859f23750a651db12c | demo     |
| 8d3f62906c3949e4a2832df2b86c71e8 | services |
| a654338c862f401a8665c3fbed289a75 | admin    |
| b0dc258dd3204bf99750589d1ed23996 | tenantA  | <--------
+----------------------------------+----------+
$ neutron rbac-create admin-ext --action access_as_external --target-tenant a654338c862f401a8665c3fbed289a75,b0dc258dd3204bf99750589d1ed23996 --type network
Created a new rbac_policy:
+---------------+-------------------------------------------------------------------+
| Field         | Value                                                             |
+---------------+-------------------------------------------------------------------+
| action        | access_as_external                                                |
| id            | 3fc0bc16-685e-431a-8460-85ad5f8c3d96                              |
| object_id     | 1f2405cd-90ab-439c-9061-e99d9c6c7a35                              |
| object_type   | network                                                           |
| target_tenant | a654338c862f401a8665c3fbed289a75,b0dc258dd3204bf99750589d1ed23996 |
| tenant_id     | a654338c862f401a8665c3fbed289a75                                  |
+---------------+-------------------------------------------------------------------+
$ . keystonerc_tenantA
$ neutron net-list
<---- we should see the network
$
Reproduction:
1. Create an external network.
2. Delete its "access_as_external" RBAC policy.
3. Create a new RBAC policy:
neutron rbac-create EXT_NET_ID --action access_as_external --target-tenant TENANT_ID1,TENANT_ID2 --type network
Version:
Mitaka on RHEL 7.2
$ rpm -qa | grep neutron
python-neutron-lib-0.0.2-1.el7.noarch
openstack-neutron-openvswitch-8.0.0-1.el7.noarch
openstack-neutron-8.0.0-1.el7.noarch
python-neutronclient-4.1.1-2.el7.noarch
python-neutron-8.0.0-1.el7.noarch
openstack-neutron-metering-agent-8.0.0-1.el7.noarch
openstack-neutron-ml2-8.0.0-1.el7.noarch
openstack-neutron-common-8.0.0-1.el7.noarch
packstack installation
All In One
** Affects: neutron
Importance: Undecided
Status: New
** Description changed:
On an admin tenant, with an admin user, I created an external network.
This automatically creates and "access_as_external" action RBAC policy
with "*" value for "target_tenant" attribute.
I deleted this RBAC policy and manually create a new one with two
tenants IDs in the "target_tenant field".
-
$ openstack project list
+----------------------------------+----------+
| ID | Name |
+----------------------------------+----------+
| 1cdeee0a38b943859f23750a651db12c | demo |
| 8d3f62906c3949e4a2832df2b86c71e8 | services |
| a654338c862f401a8665c3fbed289a75 | admin |
| b0dc258dd3204bf99750589d1ed23996 | tenantA | <--------
+----------------------------------+----------+
-
- $ neutron rbac-create admin-ext --action access_as_external --target-tenant a654338c862f401a8665c3fbed289a75,b0dc258dd3204bf99750589d1ed23996 --type network
+ $ neutron rbac-create admin-ext --action access_as_external --target-tenant a654338c862f401a8665c3fbed289a75,b0dc258dd3204bf99750589d1ed23996 --type network
Created a new rbac_policy:
+---------------+-------------------------------------------------------------------+
| Field | Value |
+---------------+-------------------------------------------------------------------+
| action | access_as_external |
| id | 3fc0bc16-685e-431a-8460-85ad5f8c3d96 |
| object_id | 1f2405cd-90ab-439c-9061-e99d9c6c7a35 |
| object_type | network |
| target_tenant | a654338c862f401a8665c3fbed289a75,b0dc258dd3204bf99750589d1ed23996 |
| tenant_id | a654338c862f401a8665c3fbed289a75 |
+---------------+-------------------------------------------------------------------+
-
- $ . keystonerc_tenantA
+ $ . keystonerc_tenantA
$ neutron net-list
- <---- we should see the network
+ <---- we should see the network
$
+ Reproduction:
+ 1. create external network.
+ 2. delete its "access_as_external" rbac policy
+ 3. Create a new rbac policy :
+ neutron rbac-create EXT_NET_ID --action access_as_external --target-tenant TENANT_ID1,TENANT_ID2 --type network
- Reproduction:
- 1. create external network.
- 2. delete its "access_as_external" rbac policy
- 3. Create a new rbac policy :
- neutron rbac-create EXT_NET_ID --action access_as_external --target-tenant TENANT_ID1,TENANT_ID2 --type network
+ Version:
+ Mitaka on thel 7.2
- Version:
- Mitaka on thel 7.2
+ $rpm -qa | grep neutron
+ python-neutron-lib-0.0.2-1.el7.noarch
+ openstack-neutron-openvswitch-8.0.0-1.el7.noarch
+ openstack-neutron-8.0.0-1.el7.noarch
+ python-neutronclient-4.1.1-2.el7.noarch
+ python-neutron-8.0.0-1.el7.noarch
+ openstack-neutron-metering-agent-8.0.0-1.el7.noarch
+ openstack-neutron-ml2-8.0.0-1.el7.noarch
+ openstack-neutron-common-8.0.0-1.el7.noarch
packstack installation
All In One
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1577101
Title:
RBAC "Access_as_external" multiple IDs in target_tenant
Status in neutron:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1577101/+subscriptions
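An added example, not part of the original report or of Neutron's code: a small audit helper that flags an rbac_policy whose target_tenant holds several project IDs in one string, and shows why tenantA gets an empty net-list. It assumes the server compares target_tenant as a single opaque string (so access needs one policy per project); the function names are hypothetical and the IDs are the ones shown in the report.

```python
import re

# Keystone project IDs as they appear in this report: 32 lowercase hex characters.
PROJECT_ID = re.compile(r"[0-9a-f]{32}")

# Values copied from the report above.
ADMIN = "a654338c862f401a8665c3fbed289a75"
TENANT_A = "b0dc258dd3204bf99750589d1ed23996"
DEMO = "1cdeee0a38b943859f23750a651db12c"
EXT_NET = "1f2405cd-90ab-439c-9061-e99d9c6c7a35"
POLICY = {"action": "access_as_external", "object_id": EXT_NET,
          "object_type": "network", "tenant_id": ADMIN,
          "target_tenant": ADMIN + "," + TENANT_A}


def classify_target(value):
    """Classify one target_tenant value found in an rbac_policy record."""
    if value == "*":
        return "wildcard"
    if PROJECT_ID.fullmatch(value):
        return "single"
    parts = [p.strip() for p in value.split(",")]
    if len(parts) > 1 and all(PROJECT_ID.fullmatch(p) for p in parts):
        return "multi-id-string"   # the case in this report
    return "malformed"


def can_access(policies, network_id, project_id):
    """Assumed matching model: target_tenant is one opaque string, "*" or an exact ID."""
    return any(p["object_id"] == network_id
               and p["action"] == "access_as_external"
               and p["target_tenant"] in ("*", project_id)
               for p in policies)


def split_policy(policy):
    """Return one policy record per project ID, the form to create instead."""
    ids = [p.strip() for p in policy["target_tenant"].split(",") if p.strip()]
    return [dict(policy, target_tenant=i) for i in ids]


if __name__ == "__main__":
    print(classify_target(POLICY["target_tenant"]))
    print("tenantA sees network:", can_access([POLICY], EXT_NET, TENANT_A))
    fixed = split_policy(POLICY)
    print("after split:", can_access(fixed, EXT_NET, TENANT_A))
```
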