yahoo-eng-team team mailing list archive
Message #72372
[Bug 1764330] [NEW] Cannot set --no-share on shared network covered also by "access_as_shared" RBAC policy
Public bug reported:
There is no possibility to set a network as not shared if it was also
shared via an RBAC policy for some specific tenant.
How to reproduce bug:
1. Create 2 projects (tenants): tenantA and tenantB
2. TenantA creates an external network (ext_net_A) + subnet
3. For the external network neutron automatically creates a wildcard 'access_as_external' RBAC rule
4. TenantA can create a new port on ext_net_A; TenantB is not allowed to do the same
5. Create a new 'access_as_shared' RBAC rule granting TenantB access to ext_net_A
6. TenantB is now able to create a port on ext_net_A
7. TenantA sets the shared flag to True on ext_net_A (openstack network set --share <net ID>), which creates a new wildcard 'access_as_shared' RBAC rule
8. TenantA tries to unshare ext_net_A (openstack network set --no-share <net ID>), which fails with: HttpException: Conflict
There were no ports added or any other changes made to ext_net_A between sharing and unsharing it.
Neutron should be able to unshare the network since the only tenant using it (tenantB) is already covered by a specific RBAC rule created in step 5.
** Affects: neutron
Importance: Medium
Assignee: Slawek Kaplonski (slaweq)
Status: Confirmed
** Tags: api queens-backport-potential
https://bugs.launchpad.net/bugs/1764330
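A simplified model of the unshare check the report asks for, added here as an example; it is not Neutron's code and not part of the original message. The class and function names are hypothetical, and the tenantB port on ext_net_A is an assumption: removing the wildcard 'access_as_shared' rule is refused only when some tenant holding a port has no tenant-specific rule of its own.

```python
from dataclasses import dataclass, field

WILDCARD = "*"
SHARED = "access_as_shared"
EXTERNAL = "access_as_external"

class Conflict(Exception):
    """Stands in for the HTTP 409 (HttpException: Conflict) from the API."""

@dataclass(frozen=True)
class RbacRule:
    action: str
    target_tenant: str  # tenant id, or "*" for a wildcard rule

@dataclass
class Network:
    owner: str
    rules: list = field(default_factory=list)
    port_owners: list = field(default_factory=list)  # owning tenant of each port

def tenants_losing_access(net):
    """Tenants holding ports that only the wildcard access_as_shared rule covers."""
    still_allowed = {net.owner} | {
        r.target_tenant for r in net.rules
        if r.action == SHARED and r.target_tenant != WILDCARD}
    return sorted(set(net.port_owners) - still_allowed)

def unshare(net):
    """Model of 'network set --no-share': drop the wildcard rule or raise Conflict."""
    stranded = tenants_losing_access(net)
    if stranded:
        raise Conflict("ports owned by tenants without their own rule: %s" % stranded)
    net.rules = [r for r in net.rules
                 if (r.action, r.target_tenant) != (SHARED, WILDCARD)]
    return net.rules

def build_ext_net_a():
    """Constructed state after step 7 of the report (the tenantB port is assumed)."""
    return Network(
        owner="tenantA",
        rules=[RbacRule(EXTERNAL, WILDCARD),   # step 3, created automatically
               RbacRule(SHARED, "tenantB"),    # step 5, tenant-specific rule
               RbacRule(SHARED, WILDCARD)],    # step 7, created by --share
        port_owners=["tenantA", "tenantB"])
```

In this model step 8 succeeds and tenantB keeps access through its own rule, while a port owned by a third tenant that relies only on the wildcard rule still produces a Conflict.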