yahoo-eng-team team mailing list archive
Message #74756
[Bug 1793207] [NEW] external_gateway_info enable_snat attribute should be owner-modifiable
Public bug reported:
Currently, policy.json restricts who can change the 'enable_snat'
setting of a router. For example:
stack@18-04:~/devstack$ openstack router show -c external_gateway_info router1
+-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| external_gateway_info | {"network_id": "91bdb30f-9be8-45ac-a313-bb33a99e92dc", "enable_snat": true, "external_fixed_ips": [{"subnet_id": "e9b318e1-01af-49a1-90bc-ffe949a42e05", "ip_address": "172.24.4.3"}, {"subnet_id": "73f36385-d58a-4b74-9262-bcb603e73aee", "ip_address": "2001:db8::6"}]} |
+-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
stack@18-04:~/devstack$ openstack router set --disable-snat --external-gateway 91bdb30f-9be8-45ac-a313-bb33a99e92dc router1
HttpException: 403: Client Error for url: http://10.18.57.23:9696/v2.0/routers/783d4563-c4d4-417c-a5de-eb7668373f63, {"NeutronError": {"message": "(rule:update_router and (rule:update_router:external_gateway_info and (rule:update_router:external_gateway_info:network_id and rule:update_router:external_gateway_info:enable_snat))) is disallowed by policy", "type": "PolicyNotAuthorized", "detail": ""}}
I'm not sure there's a good reason the owner can't modify this, and
looking back through the blueprints there was only a mention of it -
"for instance a provider might want to restrict enable_snat to admin
only users" - so it seems it was intended for the owner originally with
the caveat that the admin could restrict if necessary.
This fix would be as simple as updating these two entries:
"create_router:external_gateway_info:enable_snat": "rule:admin_only"
"update_router:external_gateway_info:enable_snat": "rule:admin_only"
to have:
"rule:admin_or_owner"
Perhaps there's something I'm missing, so will need to discuss with
others to see if this should change.
** Affects: neutron
Importance: Low
Assignee: Brian Haley (brian-haley)
Status: Confirmed
** Tags: l3-ipam-dhcp
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1793207
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1793207/+subscriptions
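Added example (not from the bug report or from Neutron itself): a minimal evaluator for oslo.policy-style rule strings, used to show why the owner's "router set --disable-snat" call above is rejected under the current enable_snat rule and what changing it to admin_or_owner does. Only the two enable_snat entries are quoted in the report; the supporting rules (context_is_admin, owner, admin_or_owner, the parent update_router rules) and the sample credentials are assumed values constructed for the illustration.

```python
# Added example: simplified stand-in for oslo.policy evaluation, not the
# real engine. Rule grammar supported: "rule:", "role:", "attr:%(attr)s",
# joined by "and"/"or" (and binds tighter than or), no parentheses.
import re

# Assumed defaults for the supporting rules; only the enable_snat entry
# is quoted in the bug report, the rest are constructed for this demo.
POLICY = {
    "context_is_admin": "role:admin",
    "owner": "tenant_id:%(tenant_id)s",
    "admin_or_owner": "rule:context_is_admin or rule:owner",
    "admin_only": "rule:context_is_admin",
    "update_router": "rule:admin_or_owner",
    "update_router:external_gateway_info": "rule:admin_or_owner",
    "update_router:external_gateway_info:network_id": "rule:admin_or_owner",
    "update_router:external_gateway_info:enable_snat": "rule:admin_only",
}

def check(rule, target, creds, policy):
    """Evaluate one rule string against the request creds and target."""
    if " or " in rule:
        return any(check(p, target, creds, policy) for p in rule.split(" or "))
    if " and " in rule:
        return all(check(p, target, creds, policy) for p in rule.split(" and "))
    kind, _, value = rule.partition(":")
    if kind == "rule":
        return check(policy[value], target, creds, policy)
    if kind == "role":
        return value in creds["roles"]
    # generic "attr:%(attr)s" match, e.g. tenant_id:%(tenant_id)s
    key = re.fullmatch(r"%\((\w+)\)s", value).group(1)
    return str(creds.get(kind)) == str(target.get(key))

def update_enable_snat_allowed(creds, target, policy=POLICY):
    """The chain Neutron names in the 403 above: the parent rules and
    every sub-attribute rule must all pass for the update to go through."""
    chain = ["update_router",
             "update_router:external_gateway_info",
             "update_router:external_gateway_info:network_id",
             "update_router:external_gateway_info:enable_snat"]
    return all(check("rule:" + r, target, creds, policy) for r in chain)

# constructed sample request: non-admin owner of the router vs an admin
OWNER = {"tenant_id": "proj-a", "roles": ["member"]}
ADMIN = {"tenant_id": "admin-proj", "roles": ["admin"]}
ROUTER = {"tenant_id": "proj-a"}
# the change proposed in the report, applied to the update rule
PROPOSED = dict(POLICY, **{
    "update_router:external_gateway_info:enable_snat": "rule:admin_or_owner"})
```

With the current policy the owner is denied and only the admin passes; with the proposed rule the owner passes while a non-owner project is still denied by the parent update_router rule, which is the check a provider would re-tighten by keeping admin_only.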