yahoo-eng-team team mailing list archive

[Bug 1764330] Re: Cannot set --no-share on shared network covered also by "access_as_shared" RBAC policy

 

Reviewed:  https://review.openstack.org/561589
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=7aa941cc09aef8efe54f5bac111248d296e9c8ef
Submitter: Zuul
Branch:    master

commit 7aa941cc09aef8efe54f5bac111248d296e9c8ef
Author: Sławek Kapłoński <slawek@xxxxxxxxxxxx>
Date:   Mon Apr 16 13:17:17 2018 +0200

    [RBAC] Fix setting network as not shared
    
    In the case when a network was shared with a specified project
    by an RBAC rule and it was also set as "shared", there was
    a bug which forbade setting such a network as not shared even
    if the only projects which still used the network were the owner
    and the project with the specified RBAC rule.
    
    This patch fixes it by adding an additional check in
    NeutronDbPluginV2._validate_shared_update() in such a case.
    
    Change-Id: I6ab05a8f0ece454f5bef8ba978af05f5fa1354d8
    Closes-Bug: #1764330


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1764330

Title:
  Cannot set --no-share on shared network covered also by
  "access_as_shared" RBAC policy

Status in neutron:
  Fix Released

Bug description:
  There is no possibility to set network as not shared if it was also
  shared via RBAC policy for some specific tenant.

  How to reproduce bug:

  1. Create 2 projects (tenants): tenantA and tenantB
  2. TenantA creates an external network (ext_net_A) + subnet
  3. For the external network neutron automatically creates a wildcard 'access_as_external' RBAC rule
  4. TenantA can create a new port on ext_net_A; TenantB is not allowed to do the same
  5. Create a new 'access_as_shared' RBAC rule granting TenantB access to ext_net_A
  6. TenantB is now able to create a port on ext_net_A
  7. TenantA sets the shared flag to True on ext_net_A (openstack network set --share <net ID>), which creates a new wildcard 'access_as_shared' RBAC rule
  8. TenantA tries to unshare ext_net_A (openstack network set --no-share <net ID>), which fails with: HttpException: Conflict

  There were no ports added or any other changes made to ext_net_A between sharing and unsharing it.
  Neutron should be able to unshare the network since the only tenant using it (tenantB) is already covered by a specific RBAC rule created in step 5.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1764330/+subscriptions
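
Added example, not part of the original message and not neutron's own code: a simplified model of the decision the bug report asks for, where removing the wildcard 'access_as_shared' rule is allowed as long as every non-owner tenant with a port on the network keeps access through a tenant-specific rule. The names RbacEntry, Port, InUse, tenants_blocking_unshare and unshare are hypothetical, and the RBAC and port data are constructed from the reproduction steps.

```python
from dataclasses import dataclass

WILDCARD = "*"

@dataclass(frozen=True)
class RbacEntry:
    network_id: str
    action: str          # "access_as_shared" or "access_as_external"
    target_tenant: str   # a tenant id, or "*" for the wildcard rule

@dataclass(frozen=True)
class Port:
    network_id: str
    tenant_id: str

class InUse(Exception):
    """Stands in for the HTTP 409 Conflict returned to the caller."""

def tenants_blocking_unshare(network_id, owner, rbac_entries, ports):
    """Tenants whose ports would lose access if the wildcard
    'access_as_shared' rule were removed (empty set: unshare is safe)."""
    # Only tenant-specific 'access_as_shared' rules survive the unshare;
    # 'access_as_external' does not let a tenant own ports on the network.
    still_allowed = {owner} | {
        e.target_tenant for e in rbac_entries
        if e.network_id == network_id
        and e.action == "access_as_shared"
        and e.target_tenant != WILDCARD
    }
    return {p.tenant_id for p in ports
            if p.network_id == network_id and p.tenant_id not in still_allowed}

def unshare(network_id, owner, rbac_entries, ports):
    """Drop the wildcard share rule, or raise InUse if a port would be orphaned."""
    blocking = tenants_blocking_unshare(network_id, owner, rbac_entries, ports)
    if blocking:
        raise InUse(f"{network_id} still used by {sorted(blocking)}")
    return [e for e in rbac_entries
            if not (e.network_id == network_id
                    and e.action == "access_as_shared"
                    and e.target_tenant == WILDCARD)]

# Constructed state after step 7 of the reproduction above.
RBAC = [
    RbacEntry("ext_net_A", "access_as_external", WILDCARD),   # step 3
    RbacEntry("ext_net_A", "access_as_shared", "tenantB"),    # step 5
    RbacEntry("ext_net_A", "access_as_shared", WILDCARD),     # step 7
]
PORTS = [Port("ext_net_A", "tenantA"), Port("ext_net_A", "tenantB")]
```

With this state, `unshare("ext_net_A", "tenantA", RBAC, PORTS)` succeeds and leaves the step 3 and step 5 rules in place; a port owned by a tenant without its own rule makes it raise `InUse`.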

