
yahoo-eng-team team mailing list archive

[Bug 1577100] Re: RBAC "Access_as_external" policy update

 

Reviewed:  https://review.openstack.org/311897
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=89297919a73c1e7f86c61d08f3f3d15278f5763a
Submitter: Jenkins
Branch:    master

commit 89297919a73c1e7f86c61d08f3f3d15278f5763a
Author: Kevin Benton <kevin@xxxxxxxxxx>
Date:   Fri Apr 29 23:24:34 2016 -0700

    Fix update target tenant RBAC external path
    
    This fixes the logic to allow updates to wildcard RBAC external
    policies. It was broken for two reasons: first, it was using the
    wrong kwarg, second, it wasn't considering the target tenant when
    determining if the policy was required.
    
    This patch fixes both issues and adds an API test exercising the
    update path.
    
    Closes-Bug: #1577100
    Change-Id: Id7441ab5c3f3667aa1cc48100286a2a9d480e201


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1577100

Title:
  RBAC "Access_as_external" policy update

Status in neutron:
  Fix Released

Bug description:
  I was trying to update the "target_tenant" field in the existing RBAC policy.
  The policy is an "access_as_external" policy.

  On an admin tenant, with an admin user, I created an external
  network. This automatically creates an "access_as_external" action
  RBAC policy with "*" value for the "target_tenant" attribute.

  +---------------+--------------------------------------+
  | Field         | Value                                |
  +---------------+--------------------------------------+
  | action        | access_as_external                   |
  | id            | f09399eb-1829-4675-8155-4972b4378b9c |
  | object_id     | 0ff86006-8d7d-4e9b-ba11-960c7ff50dae |
  | object_type   | network                              |
  | target_tenant | *                                    |
  | tenant_id     | a654338c862f401a8665c3fbed289a75     |
  +---------------+--------------------------------------+

  I wanted to update the RBAC policy but encountered the following error:
  "neutron rbac-update f09399eb-1829-4675-8155-4972b4378b9c --target_tenant a654338c862f401a8665c3fbed289a75
  RBAC policy on object 0ff86006-8d7d-4e9b-ba11-960c7ff50dae cannot be removed because other objects depend on it.
  Details: Callback neutron.plugins.ml2.plugin.Ml2Plugin._validate_ext_not_in_use_by_tenant failed with "'policy_tenant'"
  Neutron server returns request_ids: ['req-218d22bd-f484-41e3-9908-798bb93ae149']"

  The external network is not in use by any router or any other object.

  Reproduction steps:

  Create a network with the "router:external" attribute (external network)
  See the rbac policy list and show the existing rbac policy for the external network (see object_id = network_id)
  Execute "neutron rbac-update RBACPOLICYID --target_tenant DESIRED_TENANT_ID"

  Version:
  MITAKA on rhel 7.2

  $rpm -qa | grep neutron
  python-neutron-lib-0.0.2-1.el7.noarch
  openstack-neutron-openvswitch-8.0.0-1.el7.noarch
  openstack-neutron-8.0.0-1.el7.noarch
  python-neutronclient-4.1.1-2.el7.noarch
  python-neutron-8.0.0-1.el7.noarch
  openstack-neutron-metering-agent-8.0.0-1.el7.noarch
  openstack-neutron-ml2-8.0.0-1.el7.noarch
  openstack-neutron-common-8.0.0-1.el7.noarch

  
  AllInOne environment. (packstack installation)

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1577100/+subscriptions

