
yahoo-eng-team team mailing list archive

[Bug 1577101] Re: RBAC "Access_as_external" multiple IDs in target_tenant

 

The appropriate way to create policies for multiple tenants is to create
multiple policies.


neutron rbac-create admin-ext --action access_as_external --target-tenant a654338c862f401a8665c3fbed289a75 --type network

neutron rbac-create admin-ext --action access_as_external --target-tenant b0dc258dd3204bf99750589d1ed23996 --type network

** Changed in: neutron
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1577101

Title:
  RBAC "Access_as_external" multiple IDs in target_tenant

Status in neutron:
  Invalid

Bug description:
  On an admin tenant, with an admin user, I created an external network.
  This automatically creates an "access_as_external" action RBAC policy
  with "*" value for "target_tenant" attribute.

  I deleted this RBAC policy and manually created a new one with two
  tenant IDs in the "target_tenant" field.

  $ openstack project list
  +----------------------------------+----------+
  | ID                               | Name     |
  +----------------------------------+----------+
  | 1cdeee0a38b943859f23750a651db12c | demo     |
  | 8d3f62906c3949e4a2832df2b86c71e8 | services |
  | a654338c862f401a8665c3fbed289a75 | admin    |
  | b0dc258dd3204bf99750589d1ed23996 | tenantA  |   <--------
  +----------------------------------+----------+

  $ neutron rbac-create admin-ext --action access_as_external --target-tenant a654338c862f401a8665c3fbed289a75,b0dc258dd3204bf99750589d1ed23996 --type network
  Created a new rbac_policy:
  +---------------+-------------------------------------------------------------------+
  | Field         | Value                                                             |
  +---------------+-------------------------------------------------------------------+
  | action        | access_as_external                                                |
  | id            | 3fc0bc16-685e-431a-8460-85ad5f8c3d96                              |
  | object_id     | 1f2405cd-90ab-439c-9061-e99d9c6c7a35                              |
  | object_type   | network                                                           |
  | target_tenant | a654338c862f401a8665c3fbed289a75,b0dc258dd3204bf99750589d1ed23996 |
  | tenant_id     | a654338c862f401a8665c3fbed289a75                                  |
  +---------------+-------------------------------------------------------------------+

  $ . keystonerc_tenantA
  $ neutron net-list
                                                                            <---- we should see the network
  $

  Reproduction:
  1. create external network.
  2. delete its "access_as_external" rbac policy
  3. Create a new rbac policy :
  neutron rbac-create EXT_NET_ID --action access_as_external --target-tenant TENANT_ID1,TENANT_ID2 --type network

  Version:
  Mitaka on rhel 7.2

  $ rpm -qa | grep neutron
  python-neutron-lib-0.0.2-1.el7.noarch
  openstack-neutron-openvswitch-8.0.0-1.el7.noarch
  openstack-neutron-8.0.0-1.el7.noarch
  python-neutronclient-4.1.1-2.el7.noarch
  python-neutron-8.0.0-1.el7.noarch
  openstack-neutron-metering-agent-8.0.0-1.el7.noarch
  openstack-neutron-ml2-8.0.0-1.el7.noarch
  openstack-neutron-common-8.0.0-1.el7.noarch

  packstack installation

  All In One

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1577101/+subscriptions
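
The reply's advice (one policy per target tenant), as an added example that is not part of the original thread or of neutron: a dry-run shell function, `rbac_per_tenant` (a hypothetical name), that splits a comma-separated tenant list into one `neutron rbac-create` command per ID and refuses any entry that is not a single project ID. It assumes project IDs are 32 lowercase hex digits, as in the `openstack project list` output above.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run: it prints commands and runs none.

# rbac_per_tenant NETWORK ID[,ID...]
# Prints one `neutron rbac-create` line per distinct tenant ID. If any entry is
# not a single 32-digit lowercase hex project ID (assumed format), nothing goes
# to stdout and the status is 1.
# The body is a subshell, so `exit` and the IFS change stay inside the function.
rbac_per_tenant() (
    LC_ALL=C
    net=$1 list=$2 seen=, out=
    case $net in
        ''|*[!A-Za-z0-9_.-]*) echo "bad network name or ID: '$net'" >&2; exit 2 ;;
    esac
    [ -n "$list" ] || { echo "no target tenants given" >&2; exit 2; }

    set -f; IFS=,                 # split on commas only, with globbing off
    set -- $list
    set +f; unset IFS

    for id in "$@"; do
        id=$(printf '%s' "$id" | tr -d '[:space:]')    # tolerate "id1, id2"
        case $id in
            ''|*[!0-9a-f]*) len=0 ;;
            *) len=${#id} ;;
        esac
        if [ "$len" -ne 32 ]; then
            echo "rejected target tenant '$id': want one 32-hex-digit ID" >&2
            exit 1
        fi
        case $seen in *",$id,"*) continue ;; esac      # one policy per tenant is enough
        seen="$seen$id,"
        out="${out}neutron rbac-create $net --action access_as_external --target-tenant $id --type network
"
    done
    printf '%s' "$out"
)

# The two IDs from the bug report (admin and tenantA):
rbac_per_tenant admin-ext a654338c862f401a8665c3fbed289a75,b0dc258dd3204bf99750589d1ed23996
```

Review the printed commands before running them with admin credentials; a rejected list prints nothing, so a malformed entry cannot produce a partial set of policies.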

